This is your work, valued
smugglefuzz. A rapid HTTP downgrade smuggling scanner written in Go.
★ 313CLZero. A project for fuzzing HTTP/1.1 CL.0 Request Smuggling Attack Vectors
★ 91crlf-detection-script. CRLF Detection based on @BlackFan 's work See link below
★ 17headerbonk. A python script I use for fast detection of cache poisoning via HTTP headers
★ 5URLScanScripts. Useful scripts for URLScan
★ 4wordlists. Any custom wordlists i have will end up here.
★ 4KubeArmor. Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (LSM-BPF, AppArmor).
★ 2.6kh3spacex. Library of Exploiting Last Frame Synchronization (also know as Single Packet Attack) on HTTP/3 - Manipulated version of quic-go lib
★ 20PenScope. Passive recon & attack surface mapper — zero requests sent
★ 32LearningToSee. Jupyter Notebook
★ 201DeepZero. Find zero-days while you sleep. DeepZero is an automated vulnerability research framework that parses, decompiles, and analyzes thousands of Windows kernel drivers for exploitable IOCTLs natively using AI agents.
★ 574HTTP2-CONNECT-Tunnel. A HTTP2 CONNECT Tunnel
★ 14milvus. Milvus is a high-performance, cloud-native vector database built for scalable vector ANN search
★ 45kbetterleaks. Scan the world (for secrets)
★ 1.4kyj_nearbyglasses. attempting to detect smart glasses nearby and warn you
★ 1.9kCVE-2026-2441-PoC. HTML
★ 129AdNauseam. AdNauseam: Fight back against advertising surveillance
★ 6.6kAshwesker-CVE-2026-20045. CVE-2026-20045
★ 6Research_Successful_Errors. Clear and obvious name of the exploitation technique can create a false sense of familiarity, even if its true potential was never researched, the technique itself is never mentioned and payloads are limited to a couple of specific examples. This research focuses on two such techniques for Code Injection and SSTI.
★ 116mongobleed. JavaScript
★ 946compiler-explorer. Run compilers interactively from your web browser and interact with the assembly
★ 19kawesome-tuis. List of projects that provide terminal user interfaces
★ 20kTermiSand. A falling sand simulator in your terminal!
★ 23tcell. Tcell is an alternate terminal package, similar in some ways to termbox, but better in others.
★ 5.2kpoc_salesforce_lightning. Academic purposes only. Attack against Salesforce lightning with guest privilege.
★ 184CTFd. CTFs as you need them
★ 6.7kladybird. Truly independent web browser
★ 65kevilginx3-phishlets. Phishlets for evilginx
★ 7smugchunks. A black-box scanner for HTTP request smuggling vulnerabilities caused by chunk parsing discrepancies.
★ 35bbot. The recursive internet scanner for hackers. 🧡
★ 10kAI-Red-Teaming-Playground-Labs. AI Red Teaming playground labs to run AI Red Teaming trainings including infrastructure.
★ 2kllama2.c64. Inference Llama 2 in several files of pure C but on a C64
★ 83ctf-katana. This repository aims to hold suggestions (and hopefully/eventually code) for CTF challenges. The "project" is nicknamed Katana.
★ 2.9kCefSharp. .NET (WPF and Windows Forms) bindings for the Chromium Embedded Framework
★ 10kcef. Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
★ 4.7kPHP_INCLUDE_TO_SHELL_CHAR_DICT. PHP
★ 349php_filter_chain_generator. Python
★ 1.1kneural-networks-from-scratch. Neural Networks from Scratch in Python crafted for utilization as teaching resources in graduate courses (Deep Learning, Deep Learning for Computer Vision) delivered by Minh-Chien Trinh at Jeonbuk National University.
★ 66supertokens-core. Open source alternative to Auth0 / Firebase Auth / AWS Cognito
★ 15kysoserial. A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
★ 9kBFScan. Tool for finding URLs, paths, secrets and generating raw HTTP requests and OpenApi specifications from config files and annotations used in JAR / WAR / APK applications.
★ 256wrapwrap. Generates a `php://filter` chain that adds a prefix and a suffix to the contents of a file.
★ 242gopl.io. Example programs from "The Go Programming Language"
★ 8kagentic-radar. A security scanner for your LLM agentic workflows
★ 997spotube. 🎧 Open source music streaming app! Available for both desktop & mobile!
★ 47kbencode-go. A Go language binding for encodeing and decoding data in the bencode format that is used by the BitTorrent peer-to-peer file sharing protocol.
★ 293fly-to-podman. Migrate from Docker to Podman.
★ 385twilio-security-scanner. Python
★ 24hotline. A modern remake of Hotline for macOS, iOS, and iPadOS.
★ 752noTunes. A simple macOS application that will prevent iTunes or Apple Music from launching.
★ 5.9khttptap. View HTTP/HTTPS requests made by any Linux program
★ 4.2kBruteShark. Network Analysis Tool
★ 3.4kserverless-toolkit. CLI tool to develop, debug and deploy Twilio Functions
★ 127100-languages. Solving the first 100 Project Euler problems using 100 different programming languages!
★ 240oauth-in-action-code. Source code for OAuth 2 in Action
★ 762xss-payload-list. xss-payload-list
★ 138oauth-labs. oauth-labs: an intentionally vulnerable set of OAuth 2.0 labs for security training and learning
★ 75IIS_shortname_Scanner. an IIS shortname Scanner
★ 593IIS-ShortName-Scanner. latest version of scanners for IIS short filename (8.3) disclosure vulnerability
★ 1.7kfuzzotron. A TCP/UDP based network daemon fuzzer
★ 535ffufwebparser. Parse FFUF results in GUI with option to sort based by response code , size , keyword
★ 102splitting-the-email-atom. HTML
★ 99h2spacex. HTTP/2 Last Frame Synchronization (also known as Single Packet Attack) low Level Library / Tool based on Scapy + Exploit Timing Attacks
★ 224fuzz.txt. Potentially dangerous files
★ 3.3khate_crack. A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
★ 1.8kjollyexec. The Jolly Executioner - a simple command execution proxy
★ 16ballast. Keep your audio balance from drifting! OSX Status Bar App
★ 469gungnir. CT Log Scanner
★ 562bbscope. Scope aggregation tool for HackerOne, Bugcrowd, Intigriti, YesWeHack, and Immunefi!
★ 1.4kPlasmaPup. PlasmaPup is designed to help central and departmental IT personnel understand their exposures in Active Directory by showing which accounts have permissions to make changes within their OU(s) or modify group policy applying to thier OU(s).
★ 29jan. Jan is an open source alternative to ChatGPT that runs 100% offline on your computer.
★ 43knetscout. OSINT tool that finds domains, subdomains, directories, endpoints and files for a given seed URL.
★ 182gourlex. Gourlex is a simple tool that can be used to extract URLs and paths from web pages.
★ 256Empire. Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.
★ 5.2kMythic. A collaborative, multi-platform, red teaming framework
★ 4.6kjsmug. A PoC code for JSON Smuggling technique to smuggle arbitrary files through JSON
★ 116http-request-smuggler. Java
★ 1.2kclient-side-prototype-pollution. Prototype Pollution and useful Script Gadgets
★ 1.6kmallet. Mallet is an intercepting proxy for arbitrary protocols
★ 292hostapd-mana. SensePost's modified hostapd for wifi attacks.
★ 613ruler. A tool to abuse Exchange services
★ 2.3kreGeorg. The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
★ 3.2kCVE-2024-27198. Exploit for CVE-2024-27198 - TeamCity Server
★ 37audiostream. HTML
★ 6nomore403. 🚫 Advanced tool for security researchers to bypass 403/40X restrictions through smart techniques and adaptive request manipulation. Fast. Precise. Effective.
★ 1.8khugo. The world’s fastest framework for building websites.
★ 89kgoreleaser. Release engineering, simplified
★ 16khttp-garden. Differential testing framework for HTTP implementations
★ 938bubbletea. A powerful little TUI framework 🏗
★ 44kbadssl.com. :lock: Memorable site for testing clients against bad SSL configs.
★ 3khttp2smugl. Go
★ 561cobra. A Commander for modern Go CLI interactions
★ 44kh2csmuggler. HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
★ 803nghttp2. nghttp2 - HTTP/2 C Library and tools
★ 5kSSH-Snake. SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
★ 2.3kgalah. Galah: An LLM-powered web honeypot.
★ 656100-go-mistakes. 📖 100 Go Mistakes and How to Avoid Them
★ 7.9kcurl-to-go. Convert curl commands to Go code in your browser
★ 1.8kHTTP3ONSTEROIDS. HTTP3ONSTEROIDS - A research on CVE-2023-25950 where HAProxy's HTTP/3 implementation fails to block a malformed HTTP header field name.
★ 10crab. A community fork of a language named after a plant fungus. All of the memory-safe features you love, now with 100% less bureaucracy!
★ 5.1kwebsocket-smuggle. Issues with WebSocket reverse proxying allowing to smuggle HTTP requests
★ 396t-reqs. Grammar-based HTTP/1 fuzzer with mutation ability
★ 263Marble. The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
★ 319gowitness. 🔍 gowitness - a golang, web screenshot utility using Chrome Headless
★ 4.4kqoraal-engine. Embedded state machine language with a just-in-time compiler for unparalleled speed and efficiency.
★ 16manifesto. The OpenTF Manifesto expresses concern over HashiCorp's switch of the Terraform license from open-source to the Business Source License (BSL) and calls for the tool's return to a truly open-source license.
★ 36kaws-enumerator. The AWS Enumerator was created for service enumeration and info dumping for investigations of penetration testers during Black-Box testing. The tool is intended to speed up the process of Cloud review in case the security researcher compromised AWS Account Credentials.
★ 256tiscripts. Turbo Intruder Scripts
★ 231smuggler. Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
★ 2.1kpwnhub. How GitHub Actions workflows can be hacked
★ 186