Resources

Toolkit

  • Attack platform (Kali, ParrotOS, etc.)
  • Automated tools (Burp Scanner, Dirbuster, Nikto, etc.)
  • Browser (Add-ons)
  • Interception proxies (Burp or ZAP)

Metasploit

There are more than 150 modules that can be used for web server scanning, crawling, and querying:
  • auxiliary/scanner/http/
  • Basic spiders: auxiliary/crawler/msfcrawler and auxiliary/scanner/http/crawler
  • wmap (web scanning; not updated since 2012)
  • sqlmap

Guides

OWASP WSTG - Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/v41/
PortSwigger - Server-Side Template Injection: https://portswigger.net/web-security/server-side-template-injection

Training Resources

KONTRA - OWASP Top 10, free appsec training: https://application.security/free-application-security-training
For self-hosted vulnerable web apps or sites, see: https://notes.defendergb.org/other-resources

Scripts

Haksecuritytxt https://github.com/hakluke/haksecuritytxt - takes a list of domains as input, checks whether each has a security.txt file, and outputs the results.

Wordlist

Other Resources