appsec.fyi

Application Security Resources

2,600+ curated resources covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Access Control

Insecure Direct Object Reference (IDOR)

Occurs when an application exposes a reference to an internal implementation object, revealing the real identifier and the format/pattern used for the element on the storage-backend side.

via OWASP

Injection

Cross-Site Scripting (XSS)

Attacks in which malicious scripts are injected into otherwise benign and trusted websites. They occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

via OWASP

Emerging

AI Security

Protecting AI systems from threats such as data poisoning, model inversion, and adversarial attacks. Also covers using AI to enhance cybersecurity by identifying malicious patterns and automating responses.

Injection

XML External Entity Processing (XXE)

An attack against applications that parse XML input. When XML containing an external entity reference is processed by a weakly configured parser, it can lead to data disclosure, SSRF, DoS, and more.

via OWASP

Injection

Server-Side Request Forgery (SSRF)

An attacker abuses server functionality to read or update internal resources by supplying or modifying URLs, potentially accessing AWS metadata, internal services, or databases not meant to be exposed.

via OWASP

Injection

SQL Injection (SQLi)

Insertion or "injection" of a SQL query via client-supplied input. A successful exploit can read sensitive data, modify database data, execute admin operations, or in some cases issue OS commands.

via OWASP

Client-Side

Cross-Site Request Forgery (CSRF)

Forces an authenticated end user to execute unwanted actions on a web application. Targets state-changing requests rather than data theft, typically executed via social engineering.

via OWASP

Reconnaissance

Open-Source Intelligence (OSINT)

Data collected from publicly available sources for use in an intelligence context. "Open" refers to overt, publicly available sources — not open-source software or collective intelligence.

via Wikipedia

Language

Python Security

Security-focused Python resources covering common vulnerabilities, secure coding patterns, dangerous modules, deserialization risks, and tooling for building security automation.

via Python.org

Tooling

Burp Suite

The industry-standard web proxy and vulnerability scanner from PortSwigger. Essential for manual web application testing, with an extensive extension ecosystem for custom workflows.

via PortSwigger

Exploitation

Remote Code Execution (RCE)

An attacker's ability to execute arbitrary commands or code on a target machine or in a target process. Often the end goal of chained vulnerability exploits in web applications.

via Wikipedia

Programs

Bug Bounty Programs

Programs offered by organizations by which individuals receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.

via Wikipedia

Learning

Security Talks & Presentations

Curated conference talks and presentations from DEF CON, Black Hat, OWASP AppSec, BSides events, and other security conferences worth watching.

Reconnaissance

Reconnaissance (Recon)

Techniques and tools for security reconnaissance — asset discovery, subdomain enumeration, port scanning, fingerprinting, and building a comprehensive attack surface map.

Testing

Fuzzing

An automated software testing technique that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities not caught by conventional testing.

API Security

GraphQL Security

GraphQL's flexible query model introduces a unique attack surface: introspection abuse, batching attacks, deep-query DoS, and authorization bypass via nested resolvers.

via graphql.org

Access Control

Authorization / Broken Access Control

Missing or flawed authorization checks that allow users to escalate privileges, access other accounts, or perform restricted actions through parameter tampering, forced browsing, or JWT manipulation.

via OWASP

API Security

API Security

Securing REST, GraphQL, gRPC, and WebSocket APIs against BOLA, mass assignment, excessive data exposure, and the OWASP API Security Top 10 risks that plague modern API-first architectures.

via OWASP

Mobile

Mobile Security

iOS and Android application security — insecure data storage, certificate pinning bypass, binary reverse engineering, dynamic instrumentation with Frida, and the OWASP Mobile Top 10.

via OWASP

Supply Chain

Supply Chain Security

Threats targeting dependencies, build systems, and distribution channels — dependency confusion, typosquatting, compromised packages, and defenses like SBOMs, SLSA, and dependency scanning.

Credential Security

Secrets & Credential Leaks

Detecting and preventing exposed API keys, database passwords, and cloud credentials in source code, CI/CD configs, and container images using TruffleHog, GitLeaks, and vault solutions.

Exploitation

Insecure Deserialization

Exploiting unsafe object deserialization in Java, PHP, Python, .NET, and Ruby — gadget chains, ysoserial payloads, and the path from serialized data to remote code execution.

via OWASP