Web Security Blog

Wfuzz is an outstanding web fuzzer if you don’t have PRO version of Burp.

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

Web applications testing guide for penetration testers.

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system. More information about Server-Side Template Injection vulnerability you can find in the Portswigger blog post https://portswigger.net/blog/server-side-template-injection

Arjun tool is useful for identifying hidden parameters in WEB applications.

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.