Our main goal is to share tips from some well-known bughunters. Using recon methodology, we are able to find subdomains, apis, and tokens that are already exploitable, so we can report them. We wis…

A curated collection of awesome things related to status badges

The CLI for working with JSON Schema. Covers formatting, linting, testing, bundling, and more for both local development and CI/CD pipelines

A web browser with dynamic data-flow tracking enabled in the Javascript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla-firefox/firefox). It can be used to identify insecure da…

Hide secret messages in plain sight using invisible Unicode variation selectors!

The official repository of Mozilla's Firefox web browser.

BBT - Bug Bounty Tools (examples💡)

A curated list of VULNERABLE APPS and SYSTEMS which can be used as PENETRATION TESTING PRACTICE LAB.

Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.

BChecks collection for Burp Suite Professional and Burp Suite DAST

CSPBypass.com, a tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocke…

A high performance go implementation of Wappalyzer Technology Detection Library

HTTP Archive fork of Wappalyzer

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Unicode characters that will translate a single character to multiple characters in domain names or TLD's

Using django to simulate SQL injection and HTTP Parameter Pollution

A python script that finds endpoints in JavaScript files

Awesome Vulnerable Applications

Chapar is a simple and easy to use api testing tools aims to help developers to test their api endpoints. it support http and grpc protocols.

A fast tool to scan CRLF vulnerability written in Go

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving to…

Sasori is a dynamic web crawler powered by Puppeteer, designed for lightning-fast endpoint discovery.

BugBountyTips

CORS Misconfiguration Scanner

A collection of HAR files for developing against the HAR spec

Complex payload encoder

Automagically reverse-engineer REST APIs via capturing traffic