gitmyhub

awesome-web-security

Python ★ 13k updated 17d ago

🐶 A curated list of Web Security materials and resources.

A curated reference list of articles, tools, and write-ups covering web security vulnerabilities like XSS, SQL injection, SSRF, and CSRF, organized for security researchers and penetration testers.

Python · setup: easy · complexity 1/5

This repository is a curated collection of links, articles, tools, and resources focused on web security and penetration testing. It does not contain runnable code of its own; instead it acts as an organized reference library for people learning how to find and understand vulnerabilities in websites and web applications.

The list is organized into broad sections. The introductory section covers specific vulnerability types: cross-site scripting (XSS, where attacker-controlled script ends up executing in other users' browsers in the context of the vulnerable site), SQL injection (user input that is concatenated into a database query and so changes its structure), server-side request forgery (SSRF, tricking a server into issuing requests to internal or otherwise unreachable destinations on the attacker's behalf), cross-site request forgery (CSRF, making a victim's browser send an authenticated request the user never intended), XML external entity attacks (XXE, abusing XML parsers that resolve external entities to read local files or reach internal services), clickjacking, open redirects, and many others. Each section links to articles, guides, and write-ups that explain how those attacks work.
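To make one of those one-line definitions concrete, here is an added example (not code from awesome-web-security, which contains no code of its own) showing the SQL injection case: the same lookup written once by pasting user input into the query text and once with a bound parameter, run against a constructed in-memory SQLite table with three made-up users. The `' OR '1'='1` payload is the classic tautology that collapses the vulnerable query's WHERE clause.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the list).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Classic tautology payload: closes the string literal, then ORs in a condition
# that is always true, so every row matches.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the input is interpolated into the SQL text, so a quote
    character in the input terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """SAFE: the input is passed as a bound parameter. The driver sends it as a
    value, never as part of the statement, so quotes in it are just data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with the payload and return
    the four result sets so the difference can be inspected or asserted on."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),  # all three rows
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),  # no user is literally named "' OR '1'='1"
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The payload turns the vulnerable query into `... WHERE username = '' OR '1'='1'`, which returns the whole table; the parameterized version looks for a user whose name is literally the payload string and finds nothing. The fix is the same in every driver: never build the statement text from untrusted input, bind it instead.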

Beyond the introductory material, the list covers evasion techniques (getting past web application firewalls and content security policies), practical tricks for each vulnerability type, browser exploitation, proof-of-concept demonstrations, cheat sheets, and a large tools section. The tools section is organized by task: auditing, reconnaissance, subdomain enumeration, fuzzing, scanning, offensive tools for specific attack types, and tools for detecting or preventing vulnerabilities.

Additional sections list security blogs, researchers worth following, practice environments (intentionally vulnerable applications where you can safely test attack techniques), and community resources. The collection is aimed at security researchers, penetration testers, and developers who want to understand how web attacks work so they can build better defenses.

The repository also ships a Claude Code skill, so an AI assistant can consult the list at runtime when answering questions about specific vulnerability classes such as XSS, SQLi, JWT attacks, OAuth issues, and more. This summary is based on a truncated copy of the README; the full file is longer than what was shown.

Where it fits