Stars
Tips and Tutorials for Bug Bounty and also Penetration Tests.
Tools and methods that I personally use for Recon and Exploitation
💀 Generate a bunch of malicious PDF files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh
A security research tool designed to intercept and analyze OAuth requests.
Reflected XSS Payload List for Vue.js (2 & 3)
Repositories, Links, Payloads, Blogs, Tools, etc. which I think might be useful for pentesting and bug bounty
jsleak is a tool to find secrets, paths or links in the source code during the recon.
60k+ WordPress Nuclei templates, updated daily from Wordfence intel—filter by severity/tags/CVE and scan in one line. 🚀🔒
A list of interesting payloads, tips and tricks for bug bounty hunters.
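Pentesting and Bug Bounty Notes, Cheatsheets and Guide for Ethical Hackers, Whitehat Pentesters and CTF Players.
HackerOne asset updates | Daily updates of HackerOne assets: crawls and organizes HackerOne assets. SRC asset updates are only ever added, never deleted, so each day's update can be diffed against the previous one to find newly added program asset scope.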
Our main goal is to share tips from some well-known bughunters. Using recon methodology, we are able to find subdomains, apis, and tokens that are already exploitable, so we can report them. We wis…
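Nuclei POC, updated every 2 hours | Automatically aggregates Nuclei vulnerability POCs from across the web, syncs the latest POCs in real time, and preserves POCs that have since been deleted. Nuclei POCs are obtained by bulk-cloning GitHub projects and stored by category, implemented with GitHub Action. Already 410k+ POCs, of which 35k+ are high-quality POCs.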
Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports
Everything about Web Application Firewalls (WAFs) from Security Standpoint! 🔥
A command-line scanner for batch detection of Next.js application versions and determining if they are affected by CVE-2025-66478 vulnerability.
Generate HTML/SVG payloads for testing Server-Side Request Forgery vulnerabilities
JNDI injection testing tool (A tool which generates JNDI links and can start several servers to exploit JNDI Injection vulnerabilities, like Jackson, Fastjson, etc.)
A small collection of File converter vulnerability
A collaborative hub for Nuclei templates. Contribute, share, and explore powerful vulnerability detection tools!
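An open-source penetration testing framework for SpringBoot, plus exploitation tools for high-risk Spring-related vulnerabilities
SpringBoot vulnerability learning materials, a collection of exploitation methods and techniques, and a black-box security assessment checklist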