hahwul/webhackersweapons — explained in plain English
Analysis updated 2026-06-26
Find the right fuzzer or scanner for a specific web vulnerability type like SQL injection, SSRF, or XSS.
Discover Burp Suite and OWASP ZAP add-ons recommended by the security community for proxy-based web testing.
Build a personal web pentesting toolkit by browsing the categorized list and selecting tools that match your workflow.
Look up tools for a specific technique such as subdomain takeover enumeration or JavaScript secret scanning.
| hahwul/webhackersweapons | activemerchant/active_merchant | sferik/twitter-ruby | |
|---|---|---|---|
| Stars | 4,598 | 4,595 | 4,576 |
| Language | Ruby | Ruby | Ruby |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 1/5 | 3/5 | 2/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
WebHackersWeapons is a curated list of tools used by web security researchers, penetration testers, and bug bounty hunters. It is not a single application but a reference collection: a structured directory of hundreds of external tools, browser add-ons, bookmarklets, and plugins that security professionals use when testing web applications for vulnerabilities. The list is organized into categories by what the tool does. The types include general-purpose Swiss-army tools, proxies that sit between a browser and a server to inspect traffic, reconnaissance tools for mapping targets, fuzzers that send unusual input to find crashes or unexpected behavior, scanners that check for known weaknesses, and exploit tools. There is also a section for utilities and miscellaneous entries. Each tool in the list is tagged with the specific vulnerability types or techniques it relates to, covering a wide range of web security concerns: cross-site scripting, SQL injection, server-side template injection, request smuggling, subdomain takeover, DNS reconnaissance, JavaScript analysis, secret scanning, authentication testing, and many others. Tools are also tagged by the programming language they are written in, spanning Java, Python, Go, Rust, Ruby, JavaScript, and more. In addition to standalone command-line and GUI tools, the list includes addons and extensions for Burp Suite, Caido, and OWASP ZAP, which are popular proxy tools used to intercept and manipulate web traffic during security assessments. Bookmarklets and browser extensions for in-browser testing are listed as well. The project is community-maintained and contributions are welcome via a contributing guide in the repository. A companion project, MobileHackersWeapons, covers the same concept for mobile application testing. The full README is longer than what was shown.
A curated, community-maintained directory of hundreds of tools, browser extensions, and Burp Suite plugins used by web security researchers and bug bounty hunters, organized by category and vulnerability type.
Mainly Ruby. The stack also includes Ruby.
No license information was provided in the explanation, check the repository directly.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.