#Appsec
Showing 60 of 148 repositories tagged #appsec, ranked by stars
Automatic SQL injection and database takeover tool
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
SafeLine is a self-hosted WAF(Web Application Firewall) / reverse proxy to protect your web apps from attacks and exploits.
The ZAP by Checkmarx Core project
Web path scanner
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
A list of web application security
Next generation web scanner
8 Lessons, Kick-start Your Cybersecurity Learning.
Open Source Vulnerability Management Platform
Golang Secure Coding Practices guide
Complete Practical Study Plan to become a successful cybersecurity engineer based on roles like Pentest, AppSec, Cloud Security, DevSecOps and so on...
w3af: web application attack and audit framework, the open source web vulnerability scanner.
Open-Source Unified Vulnerability Management, DevSecOps & ASPM
An OOB interaction gathering server and client library
The parent project for OpenZiti. Here you will find the executables for a fully zero-trust, programmable network @OpenZiti
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Git All the Payloads! A collection of web attack payloads.
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
CTF challenge (mostly pwn) files, scripts etc
A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
Complete Solution for VAPT/AppSec and Pentesting Guide: Web | Mobile | API | Thick Client | Source Code Review | DevSecOps | Wireless | Network Pentesting | SAST | DAST etc...
safely install npm packages by auditing them pre-install stage
TCP/UDP Non-HTTP Proxy Extension (NoPE) for Burp Suite.
open-appsec is a machine learning security engine that preemptively and automatically prevents threats against Web Application & APIs. This repo include the main code and logic.
OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. This is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets.
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
Burp Suite extension that adds built-in MCP tooling, AI-assisted analysis, privacy controls, passive and active scanning and more
OWASP Top 10 for Large Language Model Apps (Part of the GenAI Security Project)
A collection of special paths linked to common sensitive APIs, devops internals, frameworks conf, known misconfigurations, juicy APIs ..etc. It could be used as a part of web content discovery, to scan passively for high-quality endpoints and quick-wins.
AI-powered offensive security agent with 7,300+ actionable security skills. Autonomous pentesting powered by MITRE ATT&CK (2,000+ Atomic tests), CIS Benchmarks (1,500+ controls), OWASP, NIST. Lazy-loading, zero context pollution. Your AI red team.
Lonkero - Wraps around your attack surface. Professional-grade scanner for real penetration testing. Fast. Modular. Rust.
ZAP Add-ons
An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications
A vulnerable version of Rails that follows the OWASP Top 10
A curated list of tools officially presented at Black Hat events
Security automation with n8n ideas: 100+ Red/Blue/AppSec workflows, integrations, and ready-to-run playbooks.
Live validation proxy tool for testing web app vulnerabilities
Some of my security stuff and vulnerabilities. Nothing advanced. More to come.
Datadog Go Library including APM tracing, profiling, and security monitoring.
A library for detecting known secrets across many web frameworks
MCP server for AI-driven security pipelines
mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.
Integrates Dependency-Check reports into SonarQube
Resources for Application Security including Web, API, Android, iOS and Thick Client
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
Fast, developer-friendly JS/TS dependency vulnerability scanner with local lockfile scanning, OSV matching, direct vs transitive visibility, --fix, JSON output, and practical remediation guidance.
DianXing - AI-Driven End-to-End Code Security Auditing
Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021.
High-performance secrets scanner. CLI, Go library, Burp Suite extension, and Chrome extension. 487 detection rules with live credential validation.
jshunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for and bug bounty hunters and security researchers.
njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
The AI Agent for Cyber Security.
A Burp Suite extension for identifying injection flaws (LFI, RCE, SQLi), authentication/authorization issues, and HTTP 403 access violations. It supports dynamic payload generation, including BCheck syntax, and can automatically generate Bambdas scripts. Additionally, it offers "Copy as JavaScript" to convert HTTP requests for enhanced XSS testing.
Collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.
SecHub provides a central API to test software with different security tools.