Stars
A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
Everything about Web Application Firewalls (WAFs) from Security Standpoint! 🔥
"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
💀 Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh
An open-source penetration testing framework for SpringBoot, plus exploitation tools for high-severity Spring-related vulnerabilities
Autoswagger by Intruder - detect API auth weaknesses
Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications
A fully automatic Jinja2 SSTI cracker for bypassing WAF, designed for CTF
60k+ WordPress Nuclei templates, updated daily from Wordfence intel—filter by severity/tags/CVE and scan in one line. 🚀🔒
Latest CVEs with their Proof of Concept exploits.
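HackerOne asset updates | Updates HackerOne assets daily by crawling and organizing them. SRC asset updates only add entries and never delete them, so the daily updates can be diffed to find newly added program asset scopes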
BurnWP Advanced Exploiter System instead Scanner & Custom Plugin for Pentester
A security research tool designed to intercept and analyze OAuth requests.
Generate HTML/SVG payloads for testing Server-Side Request Forgery vulnerabilities