Web-Application Security Resources

Got stuck?? Want to learn web hacking…Don’t know where to start from?

Awesome!! We have the list of the resources where we can learn web application hacking in a guided manner ranging from theory concepts to practical knowledge.

Online Hacking Demonstration Sites

• http://testasp.vulnweb.com/ — Acunetix ASP test and demonstration site
• http://testaspnet.vulnweb.com/ — Acunetix ASP.Net test and demonstration site
• http://testphp.vulnweb.com/ — Acunetix PHP test and demonstration site
• http://crackme.cenzic.com/kelev/view/home.php — Crack Me Bank
• http://zero.webappsecurity.com/ — Zero Bank
• http://demo.testfire.net/ — Altoro Mutual

Labs

• https://portswigger.net/web-security — Web Security Academy: Free Online Training from PortSwigger
• http://www.cis.syr.edu/~wedu/seed/all_labs.html — Developing Instructional Laboratories for Computer SEcurity EDucation
• https://www.vulnhub.com/ — Virtual Machines for Localhost Penetration Testing.
• https://pentesterlab.com/ — PentesterLab is an easy and great way to learn penetration testing.
• https://github.com/jerryhoff/WebGoat.NET — This web application is a learning platform about common web security flaws.
• http://www.dvwa.co.uk/ — Damn Vulnerable Web Application (DVWA)
• http://sourceforge.net/projects/lampsecurity/ — LAMPSecurity Training
• https://github.com/Audi-1/sqli-labs — SQLI labs to test error based, Blind boolean based, Time based.
• https://github.com/paralax/lfi-labs — small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
• https://hack.me/ — Build, host and share vulnerable web apps in a sandboxed environment for free
• http://azcwr.org/az-cyber-warfare-ranges — Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
• https://github.com/adamdoupe/WackoPicko — WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
• https://github.com/rapid7/hackazon — Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
• https://github.com/RhinoSecurityLabs/cloudgoat — Rhino Security Labs’ “Vulnerable by Design” AWS infrastructure setup tool
• https://www.hackthebox.eu/ — Hack The Box is an online platform allowing you to test and advance your skills in cyber security.
• https://github.com/tegal1337/0l4bs — 0l4bs is a Cross-site scripting labs for web application security enthusiasts.

Cheat Sheets

• http://n0p.net/penguicon/php_app_sec/mirror/xss.html — XSS cheatsheet
• https://highon.coffee/blog/lfi-cheat-sheet/ — LFI Cheat Sheet
• https://highon.coffee/blog/reverse-shell-cheat-sheet/ — Reverse Shell Cheat Sheet
• https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ — SQL Injection Cheat Sheet
• https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/ — Path Traversal Cheat Sheet: Windows

Books

• http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/8126533404/ The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
• http://www.amazon.com/Hacking-Web-Apps-Preventing-Application/dp/159749951X/ Hacking Web Apps: Detecting and Preventing Web Application Security Problems
• http://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643/ Hacking Exposed Web Applications
• http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/ SQL Injection Attacks and Defense
• http://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886/ The Tangled WEB: A Guide to Securing Modern Web Applications
• http://www.amazon.com/Web-Application-Obfuscation-Evasion-Filters/dp/1597496049/ Web Application Obfuscation: ‘-/WAFs..Evasion..Filters//alert(/Obfuscation/)-’
• http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ XSS Attacks: Cross Site Scripting Exploits and Defense
• http://www.amazon.com/Browser-Hackers-Handbook-Wade-Alcorn/dp/1118662091/ The Browser Hacker’s Handbook
• http://www.amazon.com/Basics-Web-Hacking-Techniques-Attack/dp/0124166008/ The Basics of Web Hacking: Tools and Techniques to Attack the Web
• http://www.amazon.com/Web-Penetration-Testing-Kali-Linux/dp/1782163166/ Web Penetration Testing with Kali Linux
• http://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168/ Web Application Security, A Beginner’s Guide
• https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ Hacking: The Art of Exploitation
• https://www.crypto101.io/ — Crypto 101 is an introductory course on cryptography
• http://www.offensive-security.com/metasploit-unleashed/ — Metasploit Unleashed
• http://www.cl.cam.ac.uk/~rja14/book.html — Security Engineering
• https://www.feistyduck.com/library/openssl-cookbook/ — OpenSSL Cookbook
• https://www.manning.com/books/real-world-cryptography — Learn and apply cryptographic techniques.