Awesome List Updates on Feb 23, 2018

10 awesome lists updated today.

🏠 Home · 🔍 Search · 🔥 Feed · 📮 Subscribe · ❤️ Sponsor

1. Awesome Geek Podcasts

In English

• Web of Tomorrow - Podcast about JavaScript and front-end web development.

In French

• Les Cast Codeurs - Podcast provided from and for developers. Latest news on Java ecosystem and development in general. Hosted by Emmanuel Bernard (JBoss, Hibernate), Arnaud Héritier (CloudBees, Jenkins), Guillaume Laforge (Google, Groovy), Antonio Goncalves (freelance, auteur), Vincent Massol (XWiki, Maven), Audrey Neveu (Saagie, Devoxx4Kids).

2. Awesome Python

Machine Learning

• Metrics (⭐1.6k) - Machine learning evaluation metrics.

3. Awesome D3

Charts

• oecd-simple-charts (⭐20) - Simple charting library [box plot, stacked bar, pearl chart]

4. Free for Dev

IDE and Code Editing

• fakejson.com — FakeJSON helps you quickly generate fake data using its API. Make an API request describing what you want and how you want it. The API returns it all in JSON. Speed up the go-to-market process for ideas and fake it till you make it.

5. Awesome Dotnet Core

Frameworks, Libraries and Tools / CMS

• Cofoundry (⭐815) - Open source .NET Core CMS and modular application framework. Code-first, unobtrusive and extensible.

6. Awesome Swift

Third party Guides

• SwiftTips (⭐4k) - A collection of useful tips by John Sundell.

Maps / Barcode

• FlyoverKit (⭐705) - FlyoverKit enables you to present stunning 360° flyover views on your MKMapView with zero effort while maintaining full configuration possibilities.

Menu / Barcode

• Parchment (⭐3.3k) - A paging view controller with a highly customizable menu, built on UICollectionView.

7. Awesome Algorithms Education

Interviews / Advanced

• Interview Cake

• Top 10 Algorithms for Coding Interview

Books / Advanced

• Algorithm Design

• Algorithms

• Introduction to Algorithms

• Grokking Algorithms

Miscellaneous / Advanced

• OEDb(Open Education Databases): Algorithm

8. Awesome Saltstack

Tutorials

• The Simplest Way to Learn SaltStack - Start to learn the basics of SaltStack by setting it up in Docker.

Blogposts and opinions

• Using Salt like Ansible - How to use Salt in a way similar to Ansible.

9. Awesome Web Security

Forums

• Phrack Magazine - Ezine written by and for hackers.

• The Hacker News - Security in a serious way.

• Security Weekly - The security podcast network.

• The Register - Biting the hand that feeds IT.

• Dark Reading - Connecting The Information Security Community.

• HackDig - Dig high-quality web security articles for hacker.

CSV Injection

• CSV Injection -> Meterpreter on Pornhub - Written by Andy.

• The Absurdly Underestimated Dangers of CSV Injection - Written by George Mauer.

SQL Injection

• SQL Injection Cheat Sheet - Written by @netsparker.

• SQL Injection Wiki - Written by NETSPI.

• SQL Injection Pocket Reference - Written by @LightOS.

• SQL injection in an UPDATE query - a bug bounty story! - Written by Zombiehelp54.

• GitHub Enterprise SQL Injection - Written by Orange.

Command Injection

• Potential command injection in resolv.rb (⭐20k) - Written by @drigg3r.

ORM Injection

• HQL for pentesters - Written by @h3xstream.

• HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) - Written by @_m0bius.

• ORM2Pwn: Exploiting injections in Hibernate ORM - Written by Mikhail Egorov.

• ORM Injection - Written by Simone Onofri.

FTP Injection

• Advisory: Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.

• SMTP over XXE − how to send emails using Java's XML parser - Written by Alexander Klink.

• XXE OOB exploitation at Java 1.7+ - Written by Ivan Novikov.

XXE - XML eXternal Entity

• XXE - Written by @phonexicum.

CSRF - Cross-Site Request Forgery

• Wiping Out CSRF - Written by @jrozner.

Rails

• Rails Security - First part - Written by @qazbnm456.

AngularJS

• XSS without HTML: Client-Side Template Injection with AngularJS - Written by Gareth Heyes.

• DOM based Angular sandbox escapes - Written by @garethheyes

SSL/TLS

• SSL & TLS Penetration Testing - Written by APTIVE.

NFS

• NFS | PENETRATION TESTING ACADEMY - Written by PENETRATION ACADEMY.

AWS

• PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET - Written by Dwight Hohnstein from Rhino Security Labs.

Sub Domain Enumeration

• A penetration tester’s guide to sub-domain enumeration - Written by Bharath.

• The Art of Subdomain Enumeration - Written by Patrik Hudak.

Web Shell

• Hunting for Web Shells - Written by Jacob Baines.

• Hacking with JSP Shells - Written by @_nullbind.

OSINT

• Hacking Cryptocurrency Miners with OSINT Techniques - Written by @s3yfullah.

• OSINT x UCCU Workshop on Open Source Intelligence - Written by Philippe Lin.

CSP

• CSP: bypassing form-action with reflected XSS - Written by Detectify Labs.

• TWITTER XSS + CSP BYPASS - Written by Paulos Yibelo.

WAF

• Web Application Firewall (WAF) Evasion Techniques - Written by @secjuice.

• Web Application Firewall (WAF) Evasion Techniques #2 - Written by @secjuice.

• Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Written by @Brett Buerhaus.

• How to bypass libinjection in many WAF/NGWAF - Written by @d0znpp.

JSMVC

• JavaScript MVC and Templating Frameworks - Written by Mario Heiderich.

Authentication

• Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) - Written by @malerisch and @steventseeley.

CSRF

• Neat tricks to bypass CSRF-protection - Written by Twosecurity.

• Exploiting CSRF on JSON endpoints with Flash and redirects - Written by @riyazwalikar.

• Stealing CSRF tokens with CSS injection (without iFrames) (⭐305) - Written by @dxa4481.

Remote Code Execution

• Exploiting Node.js deserialization bug for Remote Code Execution - Written by OpSecX.

• DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE - Written by Ambionics Security.

• How we exploited a remote code execution vulnerability in math.js - Written by @capacitorset.

• GitHub Enterprise Remote Code Execution - Written by @iblue.

• How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Written by Orange.

XSS

• Query parameter reordering causes redirect page to render unsafe URL - Written by kenziy.

• ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else - Written by Mario Heiderich.

• How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Written by @marin_m.

• DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS - Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.

• Uber XSS via Cookie - Written by zhchbin.

SSRF

• SSRF in https://imgur.com/vidgif/url - Written by aesteral.

• A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Written by Orange.

• SSRF Tips - Written by xl7dev.

Header Injection

• Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.

URL

• Some Problems Of URLs - Written by Chris Palmer.

• Phishing with Unicode Domains - Written by Xudong Zheng.

• Unicode Domains are bad and you should feel bad for supporting them - Written by VRGSEC.

• [dev.twitter.com] XSS - Written by Sergey Bobrov.

Others

• Inducing DNS Leaks in Onion Web Services (⭐39) - Written by @epidemics-scepticism.

Frontend (like SOP bypass, URL spoofing, and something like that)

• JSON hijacking for the modern web - Written by portswigger.

• IE11 Information disclosure - local file detection - Written by James Lee.

• SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - Written by Manuel.

• Особенности Safari в client-side атаках - Written by Bo0oM.

Backend (core of Browser implementation, and often refers to C or C++ part)

• Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622 - Written by [email protected].

• Exploiting a V8 OOB write. - Written by @halbecaf.

• SSD Advisory – Chrome Turbofan Remote Code Execution - Written by SecuriTeam Secure Disclosure (SSD).

Database

• js-vuln-db (⭐2.2k) - Collection of JavaScript engine CVEs with PoCs by @tunz.

• awesome-cve-poc (⭐3k) - Curated list of CVE PoCs by @qazbnm456.

• Some-PoC-oR-ExP (⭐1.9k) - 各种漏洞poc、Exp的收集或编写 by @coffeehb.

Auditing

• prowler (⭐6.8k) - Tool for AWS security assessment, auditing and hardening by @Alfresco.

• A2SV (⭐576) - Auto Scanning to SSL Vulnerability by @hahwul.

Reconnaissance / OSINT - Open-Source Intelligence

• Shodan - Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

• Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

• urlscan.io - Service which analyses websites and the resources they request by @heipei.

• ZoomEye - Cyberspace Search Engine by @zoomeye_team.

• FOFA - Cyberspace Search Engine by BAIMAOHUI.

• NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

• FOCA (⭐2.1k) - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.

• SpiderFoot - Open source footprinting and intelligence-gathering tool by @binarypool.

• xray (⭐1.8k) - XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.

• gitrob (⭐5.5k) - Reconnaissance tool for GitHub organizations by @michenriksen.

• GSIL (⭐1.9k) - Github Sensitive Information Leakage（Github敏感信息泄露）by @FeeiCN.

• raven (⭐752) - raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.

Reconnaissance / Sub Domain Enumeration

• EyeWitness (⭐3.8k) - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by @ChrisTruncer.

• subDomainsBrute (⭐2.9k) - A simple and fast sub domain brute tool for pentesters by @lijiejie.

• AQUATONE (⭐4.9k) - Tool for Domain Flyovers by @michenriksen.

• domain_analyzer (⭐1.7k) - Analyze the security of any domain by finding all the information possible by @eldraco.

• VirusTotal domain information - Searching for domain information by VirusTotal.

• Certificate Transparency (⭐827) - Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by @google.

• Certificate Search - Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

• GSDF (⭐170) - Domain searcher named GoogleSSLdomainFinder by @We5ter.

Code Generating / Sub Domain Enumeration

• VWGen (⭐79) - Vulnerable Web applications Generator by @qazbnm456.

Fuzzing / Sub Domain Enumeration

• wfuzz (⭐4.7k) - Web application bruteforcer by @xmendez.

• charsetinspect (⭐26) - Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.

• IPObfuscator (⭐123) - Simple tool to convert the IP to a DWORD IP by @OsandaMalith.

Penetration Testing / Sub Domain Enumeration

• Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

Offensive / XSS - Cross-Site Scripting

• xssor2 (⭐2k) - XSS'OR - Hack with JavaScript by @evilcos.

Offensive / SQL Injection

• sqlmap (⭐25k) - Automatic SQL injection and database takeover tool.

Leaking / Server-Side Request Forgery

• HTTPLeaks (⭐1.7k) - All possible ways, a website can leak HTTP requests by @cure53.

• dvcs-ripper (⭐1.5k) - Rip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.

• DVCS-Pillage (⭐297) - Pillage web accessible GIT, HG and BZR repositories by @evilpacket.

• GitMiner (⭐1.9k) - Tool for advanced mining for content on Github by @UnkL4b.

• gitleaks (⭐11k) - Searches full repo history for secrets and keys by @zricethezav.

• CSS-Keylogging (⭐3.1k) - Chrome extension and Express server that exploits keylogging abilities of CSS by @maxchehab.

Detecting / Server-Side Request Forgery

• sqlchop - SQL injection detection engine by chaitin.

• xsschop - XSS detection engine by chaitin.

• retire.js (⭐3.1k) - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.

• malware-jail (⭐408) - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.

• repo-supervisor (⭐580) - Scan your code for security misconfiguration, search for passwords and secrets.

• bXSS (⭐393) - bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.

Preventing / Server-Side Request Forgery

• js-xss (⭐4.7k) - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.

Proxy / Server-Side Request Forgery

• Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

• mitmproxy (⭐29k) - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Webshell / Server-Side Request Forgery

• webshell (⭐8.5k) - This is a webshell open source project by @tennc.

• Weevely (⭐2.6k) - Weaponized web shell by @epinna.

• Webshell-Sniper (⭐407) - Manage your website via terminal by @WangYihang.

• Reverse-Shell-Manager (⭐204) - Reverse Shell Manager via Terminal @WangYihang.

• reverse-shell (⭐1.6k) - Reverse Shell as a Service by @lukechilds.

Disassembler / Server-Side Request Forgery

• plasma (⭐3k) - Plasma is an interactive disassembler for x86/ARM/MIPS by @plasma-disassembler.

• radare2 (⭐17k) - Unix-like reverse engineering framework and commandline tools by @radare.

• Iaitō (⭐1.5k) - Qt and C++ GUI for radare2 reverse engineering framework by @hteso.

Others / Server-Side Request Forgery

• Dnslogger - DNS Logger by @iagox86.

• CyberChef (⭐19k) - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.

Social Engineering Database / Server-Side Request Forgery

• haveibeenpwned - Check if you have an account that has been compromised in a data breach by Troy Hunt.

Blogs / Server-Side Request Forgery

• Orange - Taiwan's talented web penetrator.

• leavesongs - China's talented web penetrator.

• James Kettle - Head of Research at PortSwigger Web Security.

• Broken Browser - Fun with Browser Vulnerabilities.

• Scrutiny - Internet Security through Web Browsers by Dhiraj Mishra.

• BRETT BUERHAUS - Vulnerability disclosures and rambles on application security.

• n0tr00t - ~# n0tr00t Security Team.

• OpnSec - Open Mind Security!

Twitter Users / Server-Side Request Forgery

• @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters

• @filedescriptor - Active penetrator often tweets and writes useful articles

• @cure53berlin - Cure53 is a German cybersecurity firm.

• @XssPayloads - The wonderland of JavaScript unexpected usages, and more.

• @kinugawamasato - Japanese web penetrator.

• @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

• @garethheyes - English web penetrator.

• @hasegawayosuke - Japanese javascript security researcher.

Application / Server-Side Request Forgery

• SELinux Game - Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

AWS / Server-Side Request Forgery

• FLAWS - Amazon AWS CTF challenge - Written by @0xdabbad00.

XSS / Server-Side Request Forgery

• XSS game - Google XSS Challenge - Written by Google.

• prompt(1) to win - Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by @cure53.

• alert(1) to win - Series of XSS challenges - Written by @steike.

• XSS Challenges - Series of XSS challenges - Written by yamagata21.

ModSecurity / OWASP ModSecurity Core Rule Set / Server-Side Request Forgery

• ModSecurity / OWASP ModSecurity Core Rule Set - Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Community / Server-Side Request Forgery

• Reddit

• Stack Overflow

Miscellaneous / Server-Side Request Forgery

• awesome-bug-bounty (⭐3.5k) - Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.

• bug-bounty-reference (⭐3.1k) - List of bug bounty write-up that is categorized by the bug nature by @ngalongc.

• Google VRP and Unicorns - Written by Daniel Stelter-Gliese.

• Brute Forcing Your Facebook Email and Phone Number - Written by PwnDizzle.

• Pentest + Exploit dev Cheatsheet wallpaper - Penetration Testing and Exploit Dev CheatSheet.

• The Definitive Security Data Science and Machine Learning Guide - Written by JASON TROS.

• EQGRP (⭐3.9k) - Decrypted content of eqgrp-auction-file.tar.xz by @x0rz.

• notes (⭐1.3k) - Some public notes by @ChALkeR.

• A glimpse into GitHub's Bug Bounty workflow - Written by @gregose.

• Cybersecurity Campaign Playbook - Written by Belfer Center for Science and International Affairs.

• Infosec_Reference (⭐4.6k) - Information Security Reference That Doesn't Suck by @rmusser01.

• Internet of Things Scanner - Check if your internet-connected devices at home are public on Shodan by BullGuard.

10. Awesome Courses

Courses / Introduction to CS

• CS 107 Programming Paradigms Stanford University
  • Topics: Advanced memory management features of C and C++; the differences between imperative and object-oriented paradigms. The functional paradigm (using LISP) and concurrent programming (using C and C++)
  • Lectures
  • Assignments

• Prev: Feb 24, 2018
• Next: Feb 22, 2018