Topics
Access Control
Insecure Direct Object Reference (IDOR)
16 resources
Occurs when an application exposes a reference to an internal implementation object, revealing the real identifier and the format or pattern used for the element on the storage backend.
via OWASP
Injection
Cross-Site Scripting (XSS)
319 resources
Attacks in which malicious scripts are injected into otherwise benign and trusted websites. Occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
via OWASP
Emerging
AI Security
2 resources
Protecting AI systems from threats such as data poisoning, model inversion, and adversarial attacks. Also covers using AI to enhance cybersecurity by identifying malicious patterns and automating responses.
Injection
XML External Entity Processing (XXE)
37 resources
An attack against applications that parse XML input. When XML containing an external entity reference is processed by a weakly configured parser, it can lead to data disclosure, SSRF, DoS, and more.
via OWASP
Injection
Server-Side Request Forgery (SSRF)
1033 resources
An attacker abuses server functionality to read or update internal resources by supplying or modifying URLs, potentially accessing AWS metadata, internal services, or databases not meant to be exposed.
via OWASP
Injection
SQL Injection (SQLi)
29 resources
Insertion or "injection" of a SQL query via client-supplied input. A successful exploit can read sensitive data, modify database data, execute admin operations, or in some cases issue OS commands.
via OWASP
Client-Side
Cross-Site Request Forgery (CSRF)
25 resources
Forces an authenticated end user to execute unwanted actions on a web application. Targets state-changing requests rather than data theft, typically executed via social engineering.
via OWASP
Reconnaissance
Open-Source Intelligence (OSINT)
13 resources
Data collected from publicly available sources for use in an intelligence context. "Open" refers to overt, publicly available sources — not open-source software or collective intelligence.
via Wikipedia
Language
Python Security
375 resources
Security-focused Python resources covering common vulnerabilities, secure coding patterns, dangerous modules, deserialization risks, and tooling for building security automation.
via Python.org
Tooling
Burp Suite
71 resources
The industry-standard web proxy and vulnerability scanner from PortSwigger. Essential for manual web application testing, with an extensive extension ecosystem for custom workflows.
via PortSwigger
Exploitation
Remote Code Execution (RCE)
23 resources
An attacker's ability to execute arbitrary commands or code on a target machine or in a target process. Often the end goal of chained vulnerability exploits in web applications.
via Wikipedia
Programs
Bug Bounty Programs
90 resources
Programs offered by organizations by which individuals receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.
via Wikipedia
Learning
Security Talks & Presentations
8 resources
Curated conference talks and presentations from DEF CON, Black Hat, OWASP AppSec, BSides events, and other security conferences worth watching.
Reconnaissance
Reconnaissance (Recon)
3 resources
Techniques and tools for security reconnaissance — asset discovery, subdomain enumeration, port scanning, fingerprinting, and building a comprehensive attack surface map.
Testing
Fuzzing
4 resources
An automated software testing technique that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities not caught by conventional testing.
API Security
GraphQL Security
20 resources
GraphQL's flexible query model introduces unique attack surface — introspection abuse, batching attacks, deep query DoS, and authorization bypass via nested resolvers.
via graphql.org
Access Control
Authorization / Broken Access Control
21 resources
Missing or flawed authorization checks that allow users to escalate privileges, access other accounts, or perform restricted actions through parameter tampering, forced browsing, or JWT manipulation.
via OWASP
API Security
API Security
11 resources
Securing REST, GraphQL, gRPC, and WebSocket APIs against BOLA, mass assignment, excessive data exposure, and the OWASP API Security Top 10 risks that plague modern API-first architectures.
via OWASP
Mobile
Mobile Security
11 resources
iOS and Android application security — insecure data storage, certificate pinning bypass, binary reverse engineering, dynamic instrumentation with Frida, and the OWASP Mobile Top 10.
via OWASP
Supply Chain
Supply Chain Security
11 resources
Threats targeting dependencies, build systems, and distribution channels — dependency confusion, typosquatting, compromised packages, and defenses like SBOMs, SLSA, and dependency scanning.
Credential Security
Secrets & Credential Leaks
10 resources
Detecting and preventing exposed API keys, database passwords, and cloud credentials in source code, CI/CD configs, and container images using TruffleHog, GitLeaks, and vault solutions.
Exploitation
Insecure Deserialization
1 resource
Exploiting unsafe object deserialization in Java, PHP, Python, .NET, and Ruby — gadget chains, ysoserial payloads, and the path from serialized data to remote code execution.
via OWASP