appsec.fyi

Weekly Changelog

230 new resources added across 22 topics this week.

Mar 30 — Apr 06, 2026

XSS +17

Date | Resource | Summary
2026-04-03 | Awesome Bug Bounty Writeups - Curated List by Bug Type | Awesome Bug Bounty Writeups - Curated List by Bug Type
2026-04-03 | XSS Exploit Payloads - DOM, Reflected, Stored, and WAF Bypass | XSS Exploit Payloads - DOM, Reflected, Stored, and WAF Bypass
2026-04-03 | Stored XSS Vulnerability WAF Bypass Writeup | Stored XSS Vulnerability WAF Bypass Writeup
2026-04-03 | Reflected XSS with WAF Bypass — A Creative Payload That Worked | Reflected XSS with WAF Bypass — A Creative Payload That Worked
2026-04-03 | Learn about Cross Site Scripting (XSS) | BugBountyHunter.com | Learn about Cross Site Scripting (XSS) | BugBountyHunter.com
2026-04-03 | DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide | DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide
2026-04-03 | The Ultimate Guide to Finding and Escalating XSS Bugs | Bugcrowd | The Ultimate Guide to Finding and Escalating XSS Bugs | Bugcrowd
2026-04-03 | How a Cross-Site Scripting Vulnerability Led to Account Takeover | HackerOne | How a Cross-Site Scripting Vulnerability Led to Account Takeover | HackerOne
2026-04-03 | XSS Attacks & Exploitation: The Ultimate Guide | YesWeHack | XSS Attacks & Exploitation: The Ultimate Guide | YesWeHack
2026-04-03 | Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | PortSwigger | Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | PortSwigger
2026-04-03 | CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks | CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks https://ift.tt/vwg96OZ
2026-04-01 | ShadowPrompt: Zero-Click Prompt Injection Chain in Anthropic's Claude Chrome Extension | ShadowPrompt: Zero-Click Prompt Injection Chain in Anthropic's Claude Chrome Extension https://ift.tt/LQkpR3n
2026-04-01 | Jira Account Takeover | Jira Account Takeover https://ift.tt/wtHJ6Lm
2026-03-31 | Vulnerabilities in Bludit software | Vulnerabilities in Bludit software https://ift.tt/xf0FONS
2026-03-30 | Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover | Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover https://ift.tt/chvJTgR
2026-03-30 | Stored XSS Flaw in Jira Work Management Could Enable Full Org Compromise | Stored XSS Flaw in Jira Work Management Could Enable Full Org Compromise https://ift.tt/tBU50wa
2026-03-30 | Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover | Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover https://ift.tt/NBDfQXj

AuthZ +15

Date | Resource | Summary
2026-04-03 | Broken Authentication and IDOR – A Big but Solvable Problem | Inspectiv | Broken Authentication and IDOR – A Big but Solvable Problem | Inspectiv
2026-04-03 | Exploiting Broken Access Control Vulnerability for Bounty | Exploiting Broken Access Control Vulnerability for Bounty
2026-04-03 | Broken Access Control Testing Software for Web Apps | Penti AI | Broken Access Control Testing Software for Web Apps | Penti AI
2026-04-03 | WSTG Methodology: Web Penetration Testing | Haxoris | WSTG Methodology: Web Penetration Testing | Haxoris
2026-04-03 | OWASP Top 10 #1: Broken Access Control and Security Tips | OWASP Top 10 #1: Broken Access Control and Security Tips
2026-04-03 | Primer on Broken Access Control Vulnerabilities and How to Find Them | Primer on Broken Access Control Vulnerabilities and How to Find Them
2026-04-03 | Horizontal and Vertical Privilege Escalation Explained | Blue Goat Cyber | Horizontal and Vertical Privilege Escalation Explained | Blue Goat Cyber
2026-04-03 | Broken Access Control - Vertical Privilege Escalation Writeup | Broken Access Control - Vertical Privilege Escalation Writeup
2026-04-03 | Testing for Privilege Escalation | OWASP WSTG | Testing for Privilege Escalation | OWASP WSTG
2026-04-03 | Testing for Insecure Direct Object References | OWASP WSTG | Testing for Insecure Direct Object References | OWASP WSTG
2026-04-03 | Top HackerOne Reports - Authorization Bypass | Top HackerOne Reports - Authorization Bypass
2026-04-03 | Broken Authentication: Advanced Exploitation Guide | Intigriti | Broken Authentication: Advanced Exploitation Guide | Intigriti
2026-04-03 | How To Find Broken Access Control Vulnerabilities in the Wild | HackerOne | How To Find Broken Access Control Vulnerabilities in the Wild | HackerOne
2026-04-03 | BugQuest 2026: 31 Days of Broken Access Control | Intigriti | BugQuest 2026: 31 Days of Broken Access Control | Intigriti
2026-04-03 | Authn vs. authz: How are they different? | Authentication (authn) refers to identity, while authorization (authz) has to do with permissions. Learn about the difference between authn vs. authz in more detail.

SSRF +13

Date | Resource | Summary
2026-04-05 | @RX149427 No details. Lisieux was a vital transport hub for the German military and a waypoint for Allied escape lines. Graham Hayes MC, a commando in SOE's Small Scale Raiding Force, spent several weeks in Lisieux. #GrahamHayes #SSRF #62Commando #SOE #WW2 en.wikipedia.org/wiki/Graham_Hafr | @RX149427 No details. Lisieux was a vital transport hub for the German military and a waypoint for Allied escape lines. Graham Hayes MC, a commando in SOE's Small Scale Raiding Force, spent several we...
2026-04-04 | curl_cffi is impacted by CVE-2026-33752, a redirect-based SSRF vulnerability allowing internal network access with TLS impersonation bypass. Review applications using curl_cffi for URL input validation. #SSRF #Python #Infosec pulsepatch.io/posts/cve-2026 | `curl_cffi` is impacted by CVE-2026-33752, a redirect-based SSRF vulnerability allowing internal network access with TLS impersonation bypass. Review applications using `curl_cffi` for URL input valid...
2026-04-04 | A critical SSRF vulnerability (CVE-2026-31818) affects Budibase via its REST Connector, allowing unauthorized access to internal resources. Review configurations. #SSRF #Budibase #AppSecurity pulsepatch.io/posts/cve-2026 | A critical SSRF vulnerability (CVE-2026-31818) affects `Budibase` via its REST Connector, allowing unauthorized access to internal resources. Review configurations. #SSRF #Budibase #AppSecurity pulsep...
2026-04-04 | A critical SSRF filter bypass (CVE-2026-35459) affects pyLoad, enabling access to internal network resources. This is an incomplete fix for CVE-2026-33992. #SSRF #pyLoad #infosec pulsepatch.io/posts/cve-2026 | A critical SSRF filter bypass (CVE-2026-35459) affects `pyLoad`, enabling access to internal network resources. This is an incomplete fix for CVE-2026-33992. #SSRF #pyLoad #infosec pulsepatch.io/posts...
2026-04-03 | SSRF Vulnerability Explained: Attack Types & Real-World Examples (2025) | SSRF Vulnerability Explained: Attack Types & Real-World Examples (2025)
2026-04-03 | Server-Side Request Forgery (SSRF) | Invicti | Server-Side Request Forgery (SSRF) | Invicti
2026-04-03 | The Phantom Pivot: Advanced Red Teaming through SSRF & DNS Rebinding | The Phantom Pivot: Advanced Red Teaming through SSRF & DNS Rebinding
2026-04-03 | Mastering SSRF Exploitation in 2025 | Mastering SSRF Exploitation in 2025
2026-04-03 | The newly disclosed CVE-2026-33060 (CKAN MCP Server SSRF) shows a recurring pattern: AI agents granted excessive network access without runtime validation. Fetching metadata/internal IPs shouldn't be default. Control execution, not just the prompt. #MCPSecurity #SSRF #AIAgents | The newly disclosed CVE-2026-33060 (CKAN MCP Server SSRF) shows a recurring pattern: AI agents granted excessive network access without runtime validation. Fetching metadata/internal IPs shouldn't be ...
2026-04-02 | Chained SSRF + Indirect Prompt Injection in an AI assistant. → Server fetching arbitrary URLs → Timing oracle revealing internal services → Prompt injection hijacking the AI to recon internal infrastructure. Marked N/A. #BugBounty #SSRF #AISecurity #PromptInjection pic.x.com/1w1wCKOlpJJ | Chained SSRF + Indirect Prompt Injection in an AI assistant. → Server fetching arbitrary URLs → Timing oracle revealing internal services → Prompt injection hijacking the AI to recon internal infrastr...
2026-03-31 | Critical SSRF flaw in HAPI FHIR validation package CVE-2026-34361 could expose healthcare apps to credential theft and potential data breaches. vulert.com/vuln-db/CVE-20…Zp #CyberSecurity #SSR pic.x.com/ulvNeLbE3Y3Y | 🚨 Critical SSRF flaw in HAPI FHIR validation package CVE-2026-34361 could expose healthcare apps to credential theft and potential data breaches. vulert.com/vuln-db/CVE-20…Zp #CyberSecurity #SSR pic.x...
2026-03-31 | TL;DR: IMDSv1 + SSRF = free IAM credentials. Capital One, 2019: 106M records, $80M fine. Three HTTP requests. Zero exploits. Paolo wrote up how it works and how to stop it paolocostanzo.github.io/ssrf-imds-ec2-c (AI post; Paolo was studying for the AWS cert) #AWS #SSRF #CloudSecurity #PenTest | TL;DR: IMDSv1 + SSRF = free IAM credentials. Capital One, 2019: 106M records, $80M fine. Three HTTP requests. Zero exploits. Paolo wrote up how it works and how to stop it 👇paolocostanzo.github.io/ss...
2026-03-30 | Warning: High #SSRF & Injection vulnerabilities in #SpringAI. CVE-2026-22742, CVE-2026-22743, CVE-2026-22744, CVSS: 8.6. These CVEs can lead to unintended server requests and database access. #Patch #Patch #Patch | Warning: High #SSRF & Injection vulnerabilities in #SpringAI. CVE-2026-22742, CVE-2026-22743, CVE-2026-22744 CVSS: 8.6. These CVEs can lead to unintended server requests and database access. #Patch #P...

CSRF +11

Date | Resource | Summary
2026-04-04 | Diamond award for Bexhill and Hastings community group for retirees | Diamond award for Bexhill and Hastings community group for retirees https://ift.tt/eER5YBr
2026-04-03 | CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics | CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics
2026-04-03 | Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger | Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger
2026-04-03 | Lab: SameSite Lax Bypass via Method Override | PortSwigger | Lab: SameSite Lax Bypass via Method Override | PortSwigger
2026-04-03 | Advanced Techniques to Bypass CSRF Defenses | Advanced Techniques to Bypass CSRF Defenses
2026-04-03 | Cross-Site Request Forgery (CSRF) Attack Guide | Hackviser | Cross-Site Request Forgery (CSRF) Attack Guide | Hackviser
2026-04-03 | CSRF (Cross Site Request Forgery) | HackTricks | CSRF (Cross Site Request Forgery) | HackTricks
2026-04-03 | Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger | Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger
2026-04-03 | CSRF & Bypasses | Cobalt | CSRF & Bypasses | Cobalt
2026-04-03 | Cross-Site Request Forgery Prevention Cheat Sheet | OWASP | Cross-Site Request Forgery Prevention Cheat Sheet | OWASP
2026-04-02 | Diamond award for Bexhill and Hastings community group for retirees | Diamond award for Bexhill and Hastings community group for retirees https://ift.tt/GT76kYD

Mobile +11

Date | Resource | Summary
2026-04-03 | OWASP Mobile Top 10 2024: A Security Guide | OWASP Mobile Top 10 2024: A Security Guide
2026-04-03 | OWASP Mobile Top 10 and MobSF | OWASP Mobile Top 10 and MobSF
2026-04-03 | Bypassing Certificate Pinning Using Frida: A Step-by-Step Guide | Bypassing Certificate Pinning Using Frida: A Step-by-Step Guide
2026-04-03 | Hail Frida!! The Universal SSL Pinning Bypass for Android | Hail Frida!! The Universal SSL Pinning Bypass for Android
2026-04-03 | OWASP Mobile Top 10 (2024) — Bug Bounty Hunter's Guide | OWASP Mobile Top 10 (2024) — Bug Bounty Hunter's Guide
2026-04-03 | Four Ways to Bypass Android SSL Verification and Certificate Pinning | NetSPI | Four Ways to Bypass Android SSL Verification and Certificate Pinning | NetSPI
2026-04-03 | Bypassing Certificate Pinning | OWASP MASTG | Bypassing Certificate Pinning | OWASP MASTG
2026-04-03 | Defeating Android Certificate Pinning with Frida | Defeating Android Certificate Pinning with Frida
2026-04-03 | OWASP Mobile Top 10 | OWASP Mobile Top 10
2026-04-03 | OWASP Mobile Application Security (MAS) | OWASP Mobile Application Security (MAS)
2026-04-03 | What is Mobile Security? | IBM | Mobile device security refers to being free from danger or risk of an asset loss or data loss by using mobile computers and communication hardware.

AI +10

Date | Resource | Summary
2026-04-03 | Prompt Injection Attacks in LLMs: Vulnerabilities, Exploitation & Defense | Prompt Injection Attacks in LLMs: Vulnerabilities, Exploitation & Defense
2026-04-03 | How AI Red Teaming Fixes Vulnerabilities in Your AI Systems | How AI Red Teaming Fixes Vulnerabilities in Your AI Systems
2026-04-03 | What Is Prompt Injection in AI? Examples & Prevention | EC-Council | What Is Prompt Injection in AI? Examples & Prevention | EC-Council
2026-04-03 | Prompt Injection Attacks in 2025: Risks, Defenses & Testing | Prompt Injection Attacks in 2025: Risks, Defenses & Testing
2026-04-03 | Red Teaming the Mind of the Machine: Evaluation of Prompt Injection and Jailbreak Vulnerabilities | Red Teaming the Mind of the Machine: Evaluation of Prompt Injection and Jailbreak Vulnerabilities
2026-04-03 | Practical LLM Security Advice from the NVIDIA AI Red Team | Practical LLM Security Advice from the NVIDIA AI Red Team
2026-04-03 | OWASP Top 10 for LLMs 2025 | DeepTeam Red Teaming Framework | OWASP Top 10 for LLMs 2025 | DeepTeam Red Teaming Framework
2026-04-03 | Continuously Hardening ChatGPT Against Prompt Injection | OpenAI | Continuously Hardening ChatGPT Against Prompt Injection | OpenAI
2026-04-03 | Red Teaming LLMs Exposes a Harsh Truth About the AI Security Arms Race | Red Teaming LLMs Exposes a Harsh Truth About the AI Security Arms Race
2026-04-03 | LLM01:2025 Prompt Injection | OWASP Gen AI Security | LLM01:2025 Prompt Injection | OWASP Gen AI Security

Fuzzing +10

Date | Resource | Summary
2026-04-03 | MALF: A Multi-Agent LLM Framework for Intelligent Fuzzing | MALF: A Multi-Agent LLM Framework for Intelligent Fuzzing
2026-04-03 | Automating App Security with Advanced Fuzz Testing Techniques | Automating App Security with Advanced Fuzz Testing Techniques
2026-04-03 | Coverage Guided vs Blackbox Fuzzing | ClusterFuzz | Coverage Guided vs Blackbox Fuzzing | ClusterFuzz
2026-04-03 | Make Fuzzing First-Class in CI/CD: Coverage-Guided Testing in 2025 | Make Fuzzing First-Class in CI/CD: Coverage-Guided Testing in 2025
2026-04-03 | How to Use Fuzzing in Security Research | Keysight | How to Use Fuzzing in Security Research | Keysight
2026-04-03 | Fuzz Testing: A Beginner's Guide | Better Stack | Fuzz Testing: A Beginner's Guide | Better Stack
2026-04-03 | libFuzzer and AFL++ | ClusterFuzz | libFuzzer and AFL++ | ClusterFuzz
2026-04-03 | libFuzzer - A Library for Coverage-Guided Fuzz Testing | LLVM | libFuzzer - A Library for Coverage-Guided Fuzz Testing | LLVM
2026-04-03 | AFL - American Fuzzy Lop: A Security-Oriented Fuzzer | AFL - American Fuzzy Lop: A Security-Oriented Fuzzer
2026-04-03 | Coverage Guided Fuzzing - Extending Instrumentation to Hunt Down Bugs Faster | Coverage Guided Fuzzing - Extending Instrumentation to Hunt Down Bugs Faster

Recon +10

Date | Resource | Summary
2026-04-03 | A Comprehensive Guide to Android Penetration Testing | Redfox Security | A Comprehensive Guide to Android Penetration Testing | Redfox Security
2026-04-03 | A Step-by-Step Android Penetration Testing Guide | Hack The Box | A Step-by-Step Android Penetration Testing Guide | Hack The Box
2026-04-03 | Mobile App Pentest Cheatsheet | Mobile App Pentest Cheatsheet
2026-04-03 | GarudRecon - Automated Domain Recon with XSS, SQLi, LFI, RCE Detection | GarudRecon - Automated Domain Recon with XSS, SQLi, LFI, RCE Detection
2026-04-03 | Automating Subdomain Enumeration to Discover Critical Vulnerabilities | Automating Subdomain Enumeration to Discover Critical Vulnerabilities
2026-04-03 | SubdomainX: All-in-One Subdomain Enumeration and Reconnaissance Tool | SubdomainX: All-in-One Subdomain Enumeration and Reconnaissance Tool
2026-04-03 | How to Use Amass for Subdomain Enumeration and Recon Like a Pro | How to Use Amass for Subdomain Enumeration and Recon Like a Pro
2026-04-03 | Subfinder Complete Guide 2025: Subdomain Enumeration Mastery | Subfinder Complete Guide 2025: Subdomain Enumeration Mastery
2026-04-03 | Automate Recon and Detect Subdomain Takeovers with Amass, Subfinder, Nuclei | Automate Recon and Detect Subdomain Takeovers with Amass, Subfinder, Nuclei
2026-04-03 | Reconnaissance 102: Subdomain Enumeration | ProjectDiscovery | Reconnaissance 102: Subdomain Enumeration | ProjectDiscovery

Talks +10

Date | Resource | Summary
2026-04-03 | DEF CON 32 Registration via Black Hat USA 2024 | DEF CON 32 Registration via Black Hat USA 2024
2026-04-03 | Black Hat Briefings - Wikipedia | Black Hat Briefings - Wikipedia
2026-04-03 | Security Summer Camp: Black Hat 2025, DEF CON, and Others | Security Summer Camp: Black Hat 2025, DEF CON, and Others
2026-04-03 | Black Hat USA 2024, BSidesLV and DEF CON 32: Hacker Summer Camp Guide | Black Hat USA 2024, BSidesLV and DEF CON 32: Hacker Summer Camp Guide
2026-04-03 | Black Hat Conference: Cutting-Edge Cybersecurity Insights | Black Hat Conference: Cutting-Edge Cybersecurity Insights
2026-04-03 | Black Hat 2025: Latest News and Insights | CSO Online | Black Hat 2025: Latest News and Insights | CSO Online
2026-04-03 | Black Hat 2025 & DEF CON 33: The Attendees' Guide | Splunk | Black Hat 2025 & DEF CON 33: The Attendees' Guide | Splunk
2026-04-03 | Black Hat USA 2025 & DEF CON 33 | Black Hat USA 2025 & DEF CON 33
2026-04-03 | Black Hat USA 2024 | Black Hat USA 2024
2026-04-03 | DEF CON Hacking Conference | DEF CON Hacking Conference

Bug Bounty +10

Date | Resource | Summary
2026-04-03 | API Penetration Testing: Combined Checklist + Scenario List | API Penetration Testing: Combined Checklist + Scenario List
2026-04-03 | The Tools I Use for Bug Bounty Hunting | The Tools I Use for Bug Bounty Hunting
2026-04-03 | Bug Bounty Hunting in 2025: A Real World Guide | Bug Bounty Hunting in 2025: A Real World Guide
2026-04-03 | Full Bug Bounty Hunting Methodology - Recon (DEF CON 32 Workshop) | Full Bug Bounty Hunting Methodology - Recon (DEF CON 32 Workshop)
2026-04-03 | The Best Bug Bounty Recon Methodology (2024) | Hive Five | The Best Bug Bounty Recon Methodology (2024) | Hive Five
2026-04-03 | 2025 Bug Bounty Methodology, Toolsets and Persistent Recon | 2025 Bug Bounty Methodology, Toolsets and Persistent Recon
2026-04-03 | Comprehensive Bug Bounty Hunting Methodology (2024 Edition) | Comprehensive Bug Bounty Hunting Methodology (2024 Edition)
2026-04-03 | From Recon to Report: Complete Bug Bounty Workflow for 2025 | From Recon to Report: Complete Bug Bounty Workflow for 2025
2026-04-03 | Recon for Bug Bounty: 8 Essential Tools | Intigriti | Recon for Bug Bounty: 8 Essential Tools | Intigriti
2026-04-03 | Bug Bounty Hunting Methodology 2025 | Bug Bounty Hunting Methodology 2025

RCE +10

Date | Resource | Summary
2026-04-03 | SSTI (Server-Side Template Injection) to RCE Walkthrough | SSTI (Server-Side Template Injection) to RCE Walkthrough
2026-04-03 | SSTI Leading to Remote Code Execution (RCE) | SSTI Leading to Remote Code Execution (RCE)
2026-04-03 | OpenOlat Velocity Template Injection Leads to RCE | OpenOlat Velocity Template Injection Leads to RCE
2026-04-03 | A Pentester's Guide to SSTI | Cobalt | A Pentester's Guide to SSTI | Cobalt
2026-04-03 | RCE with Server-Side Template Injection | RCE with Server-Side Template Injection
2026-04-03 | Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) | Invicti | Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) | Invicti
2026-04-03 | WPML Plugin RCE via Twig SSTI (CVE-2024-6386) | WPML Plugin RCE via Twig SSTI (CVE-2024-6386)
2026-04-03 | PayloadsAllTheThings - Server Side Template Injection | PayloadsAllTheThings - Server Side Template Injection
2026-04-03 | SSTI: Advanced Exploitation Guide | Intigriti | SSTI: Advanced Exploitation Guide | Intigriti
2026-04-03 | SSTI Exploitation with RCE Everywhere | YesWeHack | SSTI Exploitation with RCE Everywhere | YesWeHack

Python +10

Date | Resource | Summary
2026-04-03 | A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI | A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI
2026-04-03 | Exposing 4 Critical Vulnerabilities in Python PickleScan | Sonatype | Exposing 4 Critical Vulnerabilities in Python PickleScan | Sonatype
2026-04-03 | Python SAST Tools: Free & Paid Solutions for Secure Code Analysis | Python SAST Tools: Free & Paid Solutions for Secure Code Analysis
2026-04-03 | 10 Common Security Gotchas in Python and How to Avoid Them | 10 Common Security Gotchas in Python and How to Avoid Them
2026-04-03 | Insecure Deserialization in Python | Semgrep | Insecure Deserialization in Python | Semgrep
2026-04-03 | PyTorch Users at Risk: 3 Zero-Day PickleScan Vulnerabilities | JFrog | PyTorch Users at Risk: 3 Zero-Day PickleScan Vulnerabilities | JFrog
2026-04-03 | PickleScan - Security Scanner Detecting Suspicious Python Pickle Files | PickleScan - Security Scanner Detecting Suspicious Python Pickle Files
2026-04-03 | Python Secure Coding Guidelines | Python Secure Coding Guidelines
2026-04-03 | Bandit: Python Static Application Security Testing Guide | Bandit: Python Static Application Security Testing Guide
2026-04-03 | Python Security Vulnerabilities | Top Issues | Aikido | Python Security Vulnerabilities | Top Issues | Aikido

OSINT +10

Date | Resource | Summary
2026-04-03 | Bug Bounty 101: Top 10 Reconnaissance Tools | Netlas | Bug Bounty 101: Top 10 Reconnaissance Tools | Netlas
2026-04-03 | Top 7 OSINT Tools Every Cybersecurity Professional Should Know | Top 7 OSINT Tools Every Cybersecurity Professional Should Know
2026-04-03 | Top 10 OSINT Tools Everyone Should Know | SMIIT CyberAI | Top 10 OSINT Tools Everyone Should Know | SMIIT CyberAI
2026-04-03 | Top 10 OSINT Tools in 2025 Cyber Analysts Trust | Top 10 OSINT Tools in 2025 Cyber Analysts Trust
2026-04-03 | 10 Best Open Source Intelligence (OSINT) Tools Of 2025 | 10 Best Open Source Intelligence (OSINT) Tools Of 2025
2026-04-03 | What is OSINT? Tools, Techniques and Framework Explained | What is OSINT? Tools, Techniques and Framework Explained
2026-04-03 | 15 Best OSINT Tools in 2026 | Lampyre | 15 Best OSINT Tools in 2026 | Lampyre
2026-04-03 | Open Source Intelligence Tools and Resources Collection | Open Source Intelligence Tools and Resources Collection
2026-04-03 | OSINT for Threat Enrichment: Deep Dive with Maltego, SpiderFoot, IntelX, Recon-ng | OSINT for Threat Enrichment: Deep Dive with Maltego, SpiderFoot, IntelX, Recon-ng
2026-04-03 | Top 15 Free OSINT Tools To Collect Data From Open Sources | Top 15 Free OSINT Tools To Collect Data From Open Sources

SQLi +10

Date | Resource | Summary
2026-04-03 | 12 Questions and Answers About Insecure Deserialization | 12 Questions and Answers About Insecure Deserialization
2026-04-03 | How to Perform SQL Injection in Web Apps | How to Perform SQL Injection in Web Apps
2026-04-03 | What is SQL Injection? How to Prevent SQL Injection | Fortinet | What is SQL Injection? How to Prevent SQL Injection | Fortinet
2026-04-03 | Bypassing WAFs in 2025: New Techniques and Evasion Tactics | Bypassing WAFs in 2025: New Techniques and Evasion Tactics
2026-04-03 | 7 Types of SQL Injection Attacks & How to Prevent Them | 7 Types of SQL Injection Attacks & How to Prevent Them
2026-04-03 | SQLi Payloads - Classic, Blind, Error-Based, Time-Based, WAF Bypass | SQLi Payloads - Classic, Blind, Error-Based, Time-Based, WAF Bypass
2026-04-03 | SQL Injection for Bug Bounty Hunters | YesWeHack | SQL Injection for Bug Bounty Hunters | YesWeHack
2026-04-03 | Exploiting an SQL Injection with WAF Bypass | Exploiting an SQL Injection with WAF Bypass
2026-04-03 | SQL Injection Bypassing WAF | OWASP | SQL Injection Bypassing WAF | OWASP
2026-04-03 | PayloadsAllTheThings - SQL Injection | PayloadsAllTheThings - SQL Injection

IDOR +10

Date | Resource | Summary
2026-04-03 | IDOR | HackTricks | IDOR | HackTricks
2026-04-03 | IDOR Attack Guide | Hackviser | IDOR Attack Guide | Hackviser
2026-04-03 | Real Bug Bounty Report: IDOR Used to Exploit a Banking Application | Real Bug Bounty Report: IDOR Used to Exploit a Banking Application
2026-04-03 | Reddit Bug Bounty: Exploiting an IDOR Vulnerability in Dubsmash's API | Reddit Bug Bounty: Exploiting an IDOR Vulnerability in Dubsmash's API
2026-04-03 | IDOR: The $1 Billion Authorization Bug | IDOR: The $1 Billion Authorization Bug
2026-04-03 | IDOR Vulnerability: Analysis, Impact, Mitigation | Huntress | IDOR Vulnerability: Analysis, Impact, Mitigation | Huntress
2026-04-03 | How to Find IDOR Vulnerabilities: The Bug Bounty Hunter's Practical Guide | How to Find IDOR Vulnerabilities: The Bug Bounty Hunter's Practical Guide
2026-04-03 | Insecure Direct Object References (IDOR) | Intigriti Hackademy | Insecure Direct Object References (IDOR) | Intigriti Hackademy
2026-04-03 | IDOR in 2025: Why Broken Access Control Still Rules the Vulnerability Charts | IDOR in 2025: Why Broken Access Control Still Rules the Vulnerability Charts
2026-04-03 | IDOR: A Complete Guide to Exploiting Advanced IDOR Vulnerabilities | Intigriti | IDOR: A Complete Guide to Exploiting Advanced IDOR Vulnerabilities | Intigriti

Secrets +10

Date | Resource | Summary
2026-04-03 | AWS Secrets Manager vs HashiCorp Vault [2026] | AWS Secrets Manager vs HashiCorp Vault [2026]
2026-04-03 | AWS Secrets Engine | HashiCorp Vault | AWS Secrets Engine | HashiCorp Vault
2026-04-03 | Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits" | Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits"
2026-04-03 | How to Detect and Clean Up Leaked Secrets in Your Git Repositories | How to Detect and Clean Up Leaked Secrets in Your Git Repositories
2026-04-03 | Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks | Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks
2026-04-03 | TruffleHog vs. Gitleaks: A Detailed Comparison | TruffleHog vs. Gitleaks: A Detailed Comparison
2026-04-03 | Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk | Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk
2026-04-03 | Gitleaks - Find Secrets with Gitleaks | Gitleaks - Find Secrets with Gitleaks
2026-04-03 | TruffleHog - Find, Verify, and Analyze Leaked Credentials | TruffleHog - Find, Verify, and Analyze Leaked Credentials
2026-04-03 | Secrets Management - OWASP Cheat Sheet Series | Website with the collection of all the cheat sheets of the project.

Supply Chain +10

Date | Resource | Summary
2026-04-03 | 12 Months That Changed Supply Chain Security - 2025 Month by Month | 12 Months That Changed Supply Chain Security - 2025 Month by Month
2026-04-03 | Securing the Software Supply Chain: OpenSSF, SLSA, SBOM, and Sigstore | Securing the Software Supply Chain: OpenSSF, SLSA, SBOM, and Sigstore
2026-04-03 | OWASP Top 10 2025: A03 Software Supply Chain Failures (Beginner's Guide) | OWASP Top 10 2025: A03 Software Supply Chain Failures (Beginner's Guide)
2026-04-03 | SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain | SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain
2026-04-03 | Five Key Flaws Exploited in 2025's Software Supply Chain Incidents | Five Key Flaws Exploited in 2025's Software Supply Chain Incidents
2026-04-03 | Predictions for Open Source Security in 2025 | OpenSSF | Predictions for Open Source Security in 2025 | OpenSSF
2026-04-03 | Supply Chain Attacks in Q4 2025: From Isolated Incidents to Systemic Failure Modes | Supply Chain Attacks in Q4 2025: From Isolated Incidents to Systemic Failure Modes
2026-04-03 | Supply Chain Security in CI: SBOMs, SLSA, and Sigstore | Supply Chain Security in CI: SBOMs, SLSA, and Sigstore
2026-04-03 | SLSA - Supply-chain Levels for Software Artifacts | SLSA - Supply-chain Levels for Software Artifacts
2026-04-03 | A03 Software Supply Chain Failures - OWASP Top 10:2025 | A03 Software Supply Chain Failures - OWASP Top 10:2025

Burp Suite +9

Date | Resource | Summary
2026-04-03 | Installing Extensions from BApp Store | PortSwigger | Installing Extensions from BApp Store | PortSwigger
2026-04-03 | 3 Powerful Burp Suite Extensions Every Pentester Should Use | 3 Powerful Burp Suite Extensions Every Pentester Should Use
2026-04-03 | BApp Store | PortSwigger | BApp Store | PortSwigger
2026-04-03 | Burp Suite Professional BApps: Maximizing Pentester Productivity | Burp Suite Professional BApps: Maximizing Pentester Productivity
2026-04-03 | Burp Bounty - Scan Check Builder Extension | Burp Bounty - Scan Check Builder Extension
2026-04-03 | Burp Suite - Top Extensions | KSEC ARK Pentesting Knowledge Base | Burp Suite - Top Extensions | KSEC ARK Pentesting Knowledge Base
2026-04-03 | Top 10 Must-Have Burp Suite Extensions for Web Application Security (2024) | Top 10 Must-Have Burp Suite Extensions for Web Application Security (2024)
2026-04-03 | Top 10 Pentesting Tools and Extensions in Burp Suite | PortSwigger | Top 10 Pentesting Tools and Extensions in Burp Suite | PortSwigger
2026-04-03 | Top 20 Useful Burp Suite Extensions for Web Application Pentesting | Top 20 Useful Burp Suite Extensions for Web Application Pentesting

XXE +9

Date | Resource | Summary
2026-04-03 | Advanced XXE Exploitation: File Disclosure, Blind OOB, and RCE | Advanced XXE Exploitation: File Disclosure, Blind OOB, and RCE
2026-04-03 | What is XXE (XML External Entity) | Examples & Prevention | Imperva | What is XXE (XML External Entity) | Examples & Prevention | Imperva
2026-04-03 | XML External Entities (XXE) | Pentesting Notes | XML External Entities (XXE) | Pentesting Notes
2026-04-03 | XML External Entity (XXE) Processing | OWASP | XML External Entity (XXE) Processing | OWASP
2026-04-03 | Blind XXE: Exfiltrating Data Out-of-Band in 2025 | Blind XXE: Exfiltrating Data Out-of-Band in 2025
2026-04-03 | Comprehensive Guide to XXE Exploitation: Advanced Data Exfiltration and RCE | Comprehensive Guide to XXE Exploitation: Advanced Data Exfiltration and RCE
2026-04-03 | XML External Entity: The Ultimate Bug Bounty Guide to XXE | YesWeHack | XML External Entity: The Ultimate Bug Bounty Guide to XXE | YesWeHack
2026-04-03 | XML External Entity (XXE) Attack Guide | Hackviser | XML External Entity (XXE) Attack Guide | Hackviser
2026-04-03 | What is a Blind XXE Attack? | PortSwigger | What is a Blind XXE Attack? | PortSwigger

GraphQL +9

Date | Resource | Summary
2026-04-03 | GraphQL Security Testing Guide (2026) | GraphQL Security Testing Guide (2026)
2026-04-03 | GraphQL Security Complete Guide | Payload Playground | GraphQL Security Complete Guide | Payload Playground
2026-04-03 | GraphQL Vulnerabilities and Common Attacks Seen in the Wild | Imperva | GraphQL Vulnerabilities and Common Attacks Seen in the Wild | Imperva
2026-04-03 | GraphQL API Vulnerabilities, Common Attacks & Security Tips | GraphQL API Vulnerabilities, Common Attacks & Security Tips
2026-04-03 | Hacking GraphQL Endpoints in Bug Bounty Programs | YesWeHack | Hacking GraphQL Endpoints in Bug Bounty Programs | YesWeHack
2026-04-03 | PayloadsAllTheThings - GraphQL Injection | PayloadsAllTheThings - GraphQL Injection
2026-04-03 | GraphQL | HackTricks | GraphQL | HackTricks
2026-04-03 | GraphQL Cheat Sheet | OWASP | GraphQL Cheat Sheet | OWASP
2026-04-03 | GraphQL Security from a Pentester's Perspective | AFINE | GraphQL Security from a Pentester's Perspective | AFINE

Deserialization +8

Date | Resource | Summary
2026-04-03 | Unsafe Deserialization in Ruby | SecureFlag | Unsafe Deserialization in Ruby | SecureFlag
2026-04-03 | Analyzing Prerequisites of Known Deserialization Vulnerabilities on Java Applications | Analyzing Prerequisites of Known Deserialization Vulnerabilities on Java Applications
2026-04-03 | Insecure Deserialization: The Vulnerability That Gives Attackers RCE | Insecure Deserialization: The Vulnerability That Gives Attackers RCE
2026-04-03 | Ruby 2.x Universal RCE Deserialization Gadget Chain | elttam | Ruby 2.x Universal RCE Deserialization Gadget Chain | elttam
2026-04-03 | Insecure Deserialization Explained with Examples | Insecure Deserialization Explained with Examples
2026-04-03 | Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits | Google Cloud | Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits | Google Cloud
2026-04-03 | PayloadsAllTheThings - Java Deserialization Payloads | PayloadsAllTheThings - Java Deserialization Payloads
2026-04-03 | Insecure Deserialization | OWASP | Insecure Deserialization | OWASP

API Security +8

Date | Resource | Summary
2026-04-03 | OWASP API Security Top 10 Explained | Salt Security | OWASP API Security Top 10 Explained | Salt Security
2026-04-03 | How To Prepare For An API Penetration Test | How To Prepare For An API Penetration Test
2026-04-03 | Awesome GraphQL Security - Curated List of Resources | Awesome GraphQL Security - Curated List of Resources
2026-04-03 | API Testing with Burp Suite: A Practical Guide | API Testing with Burp Suite: A Practical Guide
2026-04-03 | Top 6 API Pentesting Tools | Cobalt | Top 6 API Pentesting Tools | Cobalt
2026-04-03 | API Attack Awareness: BOLA - Why It Tops the OWASP API Top 10 | API Attack Awareness: BOLA - Why It Tops the OWASP API Top 10
2026-04-03 | OWASP API Security Top 10 | OWASP API Security Top 10
2026-04-03 | OWASP API Security Project | OWASP Foundation | The API Security project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).