A list of useful payloads and bypass for Web Application Security and Pentest/CTF

The Python programming language

The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

A Lightweight Face Recognition and Facial Attribute Analysis (Age, Gender, Emotion and Race) Library for Python

SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.

Impacket is a collection of Python classes for working with network protocols.

E-mails, subdomains and names Harvester - OSINT

The Rogue Access Point Framework

Web path scanner

The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the OWA…

Prowler is the Open Cloud Security for AWS, Azure, GCP, Kubernetes, M365 and more. As agent-less, it helps for continuous monitoring, security assessments & audits, incident response, compliance, h…

Universal Radio Hacker: Investigate Wireless Protocols Like A Boss

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.

Fast subdomains enumeration tool for penetration testers

Credentials recovery project

The recursive internet scanner for hackers. 🧡

A GPT-empowered penetration testing tool

A swiss army knife for pentesting networks

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C

📱 objection - runtime mobile exploration

Multi-Cloud Security Auditing Tool

Infection Monkey - An open-source adversary emulation platform

Automated Adversary Emulation Platform

WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Cowrie SSH/Telnet Honeypot https://docs.cowrie.org/

The FLARE team's open-source tool to identify capabilities in executable files.

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.