A comprehensive collection of web security tools, scripts, and resources for CTF competitions and penetration testing.
- Online Web Resources
- Reconnaissance Tools
- Exploitation Scripts
- Analysis Tools
- Bug Hunting Resources
- Hash & Crypto Tools
- MD5 Hash Collision Examples
- Usage Examples
| Purpose | Resource Link |
|---|---|
| Crack the Hashes from hashes stored in DB | crackstation |
| JWT Decoding etc. | jwt.io |
| JWK To PEM Convertor | 8gwifi |
| JWK Generator | mkjwk |
| JS Deobfuscator | Deobfuscate.io |
- File:
Github Recon Words - Purpose: Comprehensive list of keywords and patterns for GitHub reconnaissance
- Usage: Use these patterns with GitHub search to find sensitive information, API keys, passwords, and secrets
- Example: Search for
API_KEY=orpassword=in public repositories
- File:
Google Dorks For Finding RDP - Purpose: Google dorking queries to find RDP (Remote Desktop Protocol) services
- Usage: Use these queries in Google search to discover exposed RDP services
- Example:
intext:"we will work with you to resolve the issue promptly."
- File:
requesturl.py - Purpose: Tests multiple URL combinations for availability
- Usage:
python3 requesturl.py
- Description: Checks if various URL combinations are accessible (currently configured for imgur.com)
- File:
robots.sh - Purpose: Downloads robots.txt file from CTFTime
- Usage:
chmod +x robots.sh ./robots.sh
- Description: Downloads robots.txt to analyze disallowed directories and files
- File:
magicSha1 - Purpose: Contains magic SHA1 hashes for hash collision attacks
- Usage: Use these hashes to bypass authentication systems vulnerable to hash collision attacks
- File:
phpMagicHashes - Purpose: Collection of magic hashes specific to PHP applications
- Usage: Useful for bypassing PHP-based authentication systems
- File:
No Rate Limit Bug Finding - Purpose: Techniques for finding and exploiting rate limiting vulnerabilities
- Usage: Use these techniques to identify applications without proper rate limiting
- File:
OTP Bypass - Purpose: Methods to bypass One-Time Password (OTP) systems
- Usage: Apply these techniques when testing OTP implementations
- File:
get free subscribers - Purpose: Exploit technique for manipulating subscriber counts
- Usage:
- Subscribe to channel using username and capture the request
- Send it to intruder and remove auth_token param
- Start attack for desired number of subscribers
- Verify the subscriber count change
- File:
magicSha1 - Purpose: Pre-computed SHA1 hashes that collide with common passwords
- Usage: Use these hashes to bypass authentication systems that use SHA1
These two strings produce the same MD5 hash, demonstrating MD5 collision vulnerability:
String 1: TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak
String 2: TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak
MD5 Hash: Both strings produce the same MD5 hash value
- Use these strings to test MD5 collision detection in applications
- Demonstrate MD5 vulnerability in CTF challenges
- Educational purposes for understanding hash collision attacks
- MD5 is cryptographically broken and should not be used for security purposes
- These collisions can be exploited to bypass authentication systems
- Always use stronger hash functions like SHA-256 or SHA-3
# Search for API keys in GitHub
site:github.com "API_KEY=" language:python
# Find configuration files with secrets
site:github.com "password=" extension:env
# Look for database credentials
site:github.com "mysql://" OR "postgresql://"# Find exposed admin panels
site:target.com inurl:admin
# Find login pages
site:target.com inurl:login
# Find configuration files
site:target.com ext:conf OR ext:config# Test for rate limiting
for i in {1..100}; do
curl -X POST "https://target.com/api/login" \
-d "username=test&password=test" \
-H "Content-Type: application/x-www-form-urlencoded"
doneIMPORTANT: These tools are for educational purposes only. Only use them on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal and unethical.
Found a new web security tool or technique? Feel free to contribute:
- Add your tool/script to the appropriate category
- Include clear usage instructions
- Add examples where applicable
- Update this README with your contribution
Happy Hacking! 🚀
Remember: With great power comes great responsibility