appsec.fyi

Application Security Resources

A curated resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Access Control

Insecure Direct Object Reference (IDOR)

Occurs when an application exposes a reference to an internal implementation object, revealing the real identifier and the format/pattern used for the element on the storage backend side.

via OWASP

Injection

Cross-Site Scripting (XSS)

Attacks in which malicious scripts are injected into otherwise benign and trusted websites. They occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

via OWASP

Emerging

AI Security

Protecting AI systems from threats such as data poisoning, model inversion, and adversarial attacks. Also covers using AI to enhance cybersecurity by identifying malicious patterns and automating responses.

Injection

XML External Entity Processing (XXE)

An attack against applications that parse XML input. When XML containing an external entity reference is processed by a weakly configured parser, it can lead to data disclosure, SSRF, DoS, and more.

via OWASP

Injection

Server-Side Request Forgery (SSRF)

An attacker abuses server functionality to read or update internal resources by supplying or modifying URLs, potentially accessing AWS metadata, internal services, or databases not meant to be exposed.

via OWASP

Injection

SQL Injection (SQLi)

Insertion or "injection" of a SQL query via client-supplied input. A successful exploit can read sensitive data, modify database data, execute admin operations, or in some cases issue OS commands.

via OWASP

Client-Side

Cross-Site Request Forgery (CSRF)

Forces an authenticated end user to execute unwanted actions on a web application. It targets state-changing requests rather than data theft and is typically delivered via social engineering.

via OWASP

Reconnaissance

Open-Source Intelligence (OSINT)

Data collected from publicly available sources for use in an intelligence context. "Open" refers to overt, publicly available sources — not open-source software or collective intelligence.

via Wikipedia

Language

Python Security

Security-focused Python resources covering common vulnerabilities, secure coding patterns, dangerous modules, deserialization risks, and tooling for building security automation.

via Python.org

Tooling

Burp Suite

The industry-standard web proxy and vulnerability scanner from PortSwigger. Essential for manual web application testing, with an extensive extension ecosystem for custom workflows.

via PortSwigger

Exploitation

Remote Code Execution (RCE)

An attacker's ability to execute arbitrary commands or code on a target machine or in a target process. Often the end goal of chained vulnerability exploits in web applications.

via Wikipedia

Programs

Bug Bounty Programs

Programs offered by organizations by which individuals receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.

via Wikipedia

Learning

Security Talks & Presentations

Curated conference talks and presentations from DEF CON, Black Hat, OWASP AppSec, BSides events, and other security conferences worth watching.

Reconnaissance

Reconnaissance (Recon)

Techniques and tools for security reconnaissance — asset discovery, subdomain enumeration, port scanning, fingerprinting, and building a comprehensive attack surface map.

Testing

Fuzzing

An automated software testing technique that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities not caught by conventional testing.

API Security

GraphQL Security

GraphQL's flexible query model introduces unique attack surface — introspection abuse, batching attacks, deep query DoS, and authorization bypass via nested resolvers.

via graphql.org