Here's a list of cyber security related GitHub repos and tools that I believe are awesome and should be promoted and used.

njmulsqb/Awesome-Security-Repos

Awesome-Security-Repos

Here's a list of GitHub repos and tools that I believe are awesome and should be promoted and used.

Source Code Analysis

  1. Semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
  2. RegexPassive - Collection of regexp patterns for passive security scanning
  3. Secure Codebox - secureCodeBox (SCB) - continuous secure delivery out of the box
  4. wireghoul/Graudit - grep rough audit - source code auditing tool
  5. DependencyTrack/dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Wordlist and Payloads

  1. PayloadsAllTheThings - A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
  2. OneListForAll - Rockyou for web fuzzing by six2dez

Cloud Security

  1. Prowler - Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
  2. PurplePanda - Identify privilege escalation paths within and across different clouds
  3. S3Scanner - Scan for open S3 buckets and dump the contents
  4. nccgroup/ScoutSuite - Multi-Cloud Security Auditing Tool

Hacking Tools

  1. Tornado - Anonymous reverse shell over the Tor network using hidden services, without port forwarding.
  2. Hakoriginfinder - Tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs!
  3. Nemesis - URL scanner for recon, vulnerabilities, secrets and more!
  4. ticarpi/JWT Tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
  5. fullhunt/log4j-scan - A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228
  6. epinna/tplmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool

Recon Frameworks

  1. reconFTW - reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to scan for and find vulnerabilities.
  2. rengine - reNgine is an automated reconnaissance framework for web applications with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation and organization, and continuous monitoring, backed by a database and a simple yet intuitive user interface.

Misc - Bug Bounty Hunting | Penetration Testing

  1. Inventory - Asset inventory on public bug bounty programs.
  2. HowToHunt - Tutorials and things to do while hunting vulnerabilities.
  3. Keyhacks - Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
  4. TruffleHog - Find credentials all over the place in GitHub repos
  5. Awesome Grep - List of GREP modifications and alternatives for a variety of purposes
  6. streaak/keyhacks - Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
  7. lobuhi/byp4xx - Python script for bypassing HTTP 40X responses. Features: Verb tampering, headers, #bugbountytips, User-Agents, extensions, default credentials and fuzzing.

Checklists

  1. Web Application Pentest Checklist
  2. OWASP/ASVS - Application Security Verification Standard

CheatSheets

  1. Android CheatSheet & Mindmap - six2dez
  2. Mobile Application Penetration Testing Cheatsheet - tanprathan - The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics.

Vulnerable Labs

  1. Buggyapp - Android - Buggyapp is a vulnerable Android application. This app can be used by pentesters and security researchers to practice Android application pentesting. It is built for beginners to learn the basics of Android application pentesting.

Active Directory

  1. AD Pentesting Notes
  2. Bad Blood - BadBlood by Secframe fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world.

Similar Projects

  1. Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things
  2. Awesome Android Security - A curated list of Android Security materials and resources For Pentesters and Bug Hunters
  3. dn0m1n8tor/AndroidPentest101 - The motive for building this repo is to help beginners start learning Android pentesting by providing a roadmap.
  4. tylerha97/awesome-reversing - A curated list of awesome reversing resources
  5. vavkamil/awesome-bugbounty-tools - A curated list of various bug bounty tools
