whatisgithub

What is awesome-web-security?

qazbnm456/awesome-web-security — explained in plain English

Analysis updated 2026-06-24

13,362PythonAudience · developerComplexity · 1/5Setup · easy

In one sentence

A curated reference list of articles, tools, and write-ups covering web security vulnerabilities like XSS, SQL injection, SSRF, and CSRF, organized for security researchers and penetration testers.

Mindmap

mindmap
  root((web-security))
    Vulnerability types
      XSS
      SQL injection
      SSRF
      CSRF
    Resources
      Articles
      Write-ups
      Cheat sheets
    Tools
      Scanners
      Fuzzers
      Recon tools
    Learning
      Practice apps
      Blogs
      Researchers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Look up targeted resources for a specific vulnerability type like XSS, SSRF, or JWT attacks when studying or researching

USE CASE 2

Find penetration testing tools organized by task: fuzzing, reconnaissance, scanning, and exploitation

USE CASE 3

Discover intentionally vulnerable practice apps to safely test attack techniques in a legal environment

USE CASE 4

Follow curated security blogs and researchers to stay current on new web vulnerability techniques

What is it built with?

Python

How does it compare?

qazbnm456/awesome-web-securityapache/tvmlightning-ai/litgpt
Stars13,36213,36013,352
LanguagePythonPythonPython
Setup difficultyeasyhardmoderate
Complexity1/55/54/5
Audiencedeveloperresearcherresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

So what is it?

This repository is a curated collection of links, articles, tools, and resources focused on web security and penetration testing. It does not contain runnable code of its own, instead it acts as an organized reference library for people learning how to find and understand vulnerabilities in websites and web applications. The list is organized into broad sections. The introductory section covers specific vulnerability types: cross-site scripting (XSS, where an attacker injects malicious scripts into a page), SQL injection (manipulating database queries through user input), server-side request forgery (SSRF, tricking a server into making unauthorized requests), cross-site request forgery (CSRF), XML external entity attacks (XXE), clickjacking, open redirects, and many others. Each section links to articles, guides, and write-ups that explain how those attacks work. Beyond the introductory material, the list covers evasion techniques (getting past web application firewalls and content security policies), practical tricks for each vulnerability type, browser exploitation, proof-of-concept demonstrations, cheat sheets, and a large tools section. The tools section is organized by task: auditing, reconnaissance, subdomain enumeration, fuzzing, scanning, offensive tools for specific attack types, and tools for detecting or preventing vulnerabilities. Additional sections list security blogs, researchers worth following, practice environments (intentionally vulnerable applications where you can safely test attack techniques), and community resources. The collection is aimed at security researchers, penetration testers, and developers who want to understand how web attacks work so they can build better defenses. The repository also includes a Claude Code skill, meaning AI assistants can query the list at runtime to answer questions about specific vulnerability types like XSS, SQLi, JWT attacks, OAuth issues, and more. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
I am learning XSS exploitation from scratch. Which resources and practice environments from the awesome-web-security list should I start with?
Prompt 2
List the SSRF-specific tools from the awesome-web-security collection and explain the main use case of each
Prompt 3
Which intentionally vulnerable web applications from the awesome-web-security list are best for practicing SQL injection, and how do I set them up?
Prompt 4
What JWT attack resources are covered in the awesome-web-security list, and what are the most common JWT vulnerabilities to test for?
Prompt 5
Summarize the WAF bypass and content security policy evasion techniques listed in the awesome-web-security collection

Frequently asked questions

What is awesome-web-security?

A curated reference list of articles, tools, and write-ups covering web security vulnerabilities like XSS, SQL injection, SSRF, and CSRF, organized for security researchers and penetration testers.

What language is awesome-web-security written in?

Mainly Python. The stack also includes Python.

How hard is awesome-web-security to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is awesome-web-security for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.