This is your work, valued
Offensive Security, Research & Engineering
nodejsscan. nodejsscan is a static security code scanner for Node.js applications.
2.6kCMSScan. CMS Scanner: Scan Wordpress, Drupal, Joomla, vBulletin websites for Security issues
1.1kOWASP-Xenotix-XSS-Exploit-Framework. OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.
547Xenotix-Python-Keylogger. Xenotix Python Keylogger for Windows.
461njsscan. njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
434Node.Js-Security-Course. Contents for Node.Js Security Course
346Droid-Application-Fuzz-Framework. Android application fuzzing framework with fuzzers and crash monitor.
295libsast. Generic SAST Library
138WebAppSec. Web Application Security
133Static-DOM-XSS-Scanner. Static DOM XSS Scanner is a Static Analysis tool written in python that will iterate through all the JavaScript and HTML files under the given directory and will list out all the possible sources and sinks that may cause DOM XSS. At the end of the scan, the tool will generate an HTML report.
119Xenotix-APK-Reverser. Xenotix APK Reverser is an OpenSource Android Application Package (APK) decompiler and disassembler powered by dex2jar, baksmali and jd-core.
80aws_security_tools. Scripts and tools for AWS Pentest
54Mobile-Security-Framework-MobSF. Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
47PoC. Proof of Concepts, Exploits
29njsscan-action. nodejsscan Github Action
28Xenotix-xBOT. Xenotix xBOT is a Cross Platform PoC Bot that abuse certain Google Services to implement it's C&C
28WhatsApp-AutoClean. WhatsApp AutoClean is an android app that removes all WhatsApp media (images, videos, sound etc) and hide them from being shown in Gallery
16tizen-security. Tools made for Tizen Security Analysis
15Exploit-Research-Ported. Exploit Research & Development - Ported Exploits
11package_scan. PoC: Python package static and dynamic analysis to detect environment variable stealing
11bugbounty-cheatsheet. A list of interesting payloads, tips and tricks for bug bounty hunters.
10MobileApp-Pentest-Cheatsheet. The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics.
9node.js-simple-https-server. A simple HTTPS server that uses self signed certificate. Useful for PoC purposes
8OAuth-Request-Crafter. OAuth Request Crafter
8Android-SSL-Certificate-Pinning. A sample android application implementing Moxie's Certificate Pinning Library
8bad_python_extract. A vulnerable web application written in Python Flask to demonstrate insecure file extraction
8JSComm-API-Hooker. Tool to hook all communication APIs including XHR/XHR2, WebSockets, Web Workers, PostMessage and Server Sent Events
8awesome-web-security. 🐶 A curated list of Web Security materials and resources.
7OpSec-Firefox-Addon-Exploit-Suite. OpSec Firefox Addon Exploit Suite is a POC application that demonstrate various flaws in the Firefox Add-on Security Model.
7Vulnerable_Tornado_App. An intentionally vulnerable web application written in Python using Tornado
7PayloadsAllTheThings. A list of useful payloads and bypass for Web Application Security and Pentest/CTF
7API-Security-Checklist. Checklist of the most important security countermeasures when designing, testing, and releasing your API
6AutomatingWindowsPrivilegeEscalation. Python
5WindowsExploits. Windows exploits, mostly precompiled.
5AuditDroid. AduitDroid
4CSS-Keylogging. Chrome extension and Express server that exploits keylogging abilities of CSS.
4iSpy. A reverse engineering framework for iOS
4usbkill. usbkill waits for a change on your usb ports, then immediately kills your computer. Anti forensic, usb -> kill
4proxy2. HTTP/HTTPS proxy in a single python script
3python-hash-calculator. Python Hash Calculator
3airgeddon. This is a multi-use bash script for Linux systems to audit wireless networks.
3poc-rogue. Python
3android-unpacker. Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
3play-scraper. A web scraper to retrieve application data from the Google Play Store.
2dvna. Damn Vulnerable NodeJS Application
2injectAllTheThings. Seven different DLL injection techniques in one single project.
2lobotomy. Android Reverse Engineering Framework & Toolkit
2iloot. OpenSource tool for iCloud backup extraction
2ActiveScanPlusPlus. ActiveScan++ Burp Suite Plugin
2InsecureProgramming. mirror of gera's insecure programming examples | http://community.coresecurity.com/~gera/InsecureProgramming/
1CodeMirror. In-browser code editor
1how2heap. A repository for learning various heap exploitation techniques.
1nimbostratus. Tools for fingerprinting and exploiting Amazon cloud infrastructures
1apache-struts2-CVE-2017-5638. Demo Application and Exploit
1