├── LICENSE
├── README.md
├── tools.md
└── training.md

/LICENSE:
--------------------------------------------------------------------------------
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

See here for full details: https://creativecommons.org/licenses/by-nc-sa/4.0/

/README.md:
--------------------------------------------------------------------------------
# AppSec Resources for Developers & Security Engineers

## Introduction

This repo contains lists of resources that should be helpful to anyone trying to
learn more about application security, whether you're a developer looking to
write secure code, or a security engineer trying to test others' code.

## Table of Contents

0. [Training materials](./training.md)
0. [Tools of the trade](./tools.md)

## License

[![License: CC BY-NC-SA 4.0](https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png)](http://creativecommons.org/licenses/by-nc-sa/4.0/)

/tools.md:
--------------------------------------------------------------------------------
# CLI Security Tools

## !!WARNING!!

You should not run these tools against any systems you don't own, or don't have
permission to test. These tools are for legitimate security testing only. Using
them against unauthorized systems could result in criminal penalties.

-----

## Infrastructure

### SSL

- [**testssl.sh**](https://testssl.sh/) - SSL configuration testing (bash)
- [**sslyze**](https://github.com/nabla-c0d3/sslyze) - SSL configuration testing (python)
- [**TLSlayer**](https://github.com/thanasisk/TLSlayer) - Get ciphers/etc. used by an SSL/TLS endpoint (golang)

### SSH

- [**ssh-audit**](https://github.com/arthepsy/ssh-audit) - SSH server auditing (banner, key exchange, encryption, MAC, compression, compatibility, security, etc.)

### General

- [**nmap**](http://nmap.org) - Port scanning
- [**enumXFF**](https://github.com/infosec-au/enumXFF) - Enumerate 'X-Forwarded-Headers' to bypass restrictions

## Security Misconfiguration / "Oopsies"

- [**Lynis**](https://cisofy.com/lynis/) - Test VMs/servers/etc. for CIS best practices
- [**Docker-Bench**](https://github.com/docker/docker-bench-security) - Test Docker containers for CIS best practices
- [**gitrob**](https://github.com/michenriksen/gitrob) - Search git repositories for juicy info
- [**nsec3map**](https://github.com/anonion0/nsec3map) - Tool to enumerate resource records of a DNS zone using the DNSSEC NSEC/NSEC3 chain
- [**trufflehog**](https://github.com/dxa4481/truffleHog) - Searches through git repositories for secrets, digging deep into commit history and branches

## Static Analysis

### Dependencies

- [**DependencyCheck**](https://github.com/jeremylong/DependencyCheck) - Look for out-of-date dependencies
- [**retire.js**](https://github.com/RetireJS/retire.js) - Look for out-of-date JavaScript dependencies
- [**npm audit**](https://docs.npmjs.com/getting-started/running-a-security-audit) - Look for out-of-date Node.JS modules

### Bash

- [**ShellCheck**](https://github.com/koalaman/shellcheck) - Gives warnings and suggestions for bash/sh shell scripts; more of a general-purpose linter, but will find things like unquoted variables that may have security consequences

### Go

- [**gosec**](https://github.com/securego/gosec) - Find various Go security defects

### PHP

- [**RIPS**](http://rips-scanner.sourceforge.net/) - PHP security static analyzer (paid version offered; a community version is available but no longer supported)

### Python

- [**Bandit**](https://github.com/PyCQA/bandit) - Python security static analyzer

### Ruby / Rails

- [**Brakeman**](http://brakemanscanner.org/) - Rails security static analyzer
- [**Bundler Audit**](https://github.com/rubysec/bundler-audit) - Find vulnerable Bundler dependencies

### System Configuration

- [**cve-check-tool**](https://github.com/ikeydoherty/cve-check-tool) - Look for CVEs affecting your package list
- [**clair**](https://github.com/coreos/clair) - Vulnerability static analysis for containers
- [**docker-bench-security**](https://github.com/docker/docker-bench-security) - Script that checks for dozens of common best practices around deploying Docker containers in production

## Blackbox Application Testing

#### Fuzzers

- [**OWASP ZAP**](https://github.com/zaproxy/zaproxy) - All-around fuzzing proxy; comparable to Burp Suite
- [**commix**](https://github.com/stasinopoulos/commix/) - Try to find command injection bugs
- [**sqlmap**](https://github.com/sqlmapproject/sqlmap) - Try to find SQL injection bugs
- [**NoSQLMap**](https://github.com/tcstool/NoSQLMap) - Automated Mongo/NoSQL exploitation tool
- [**CSRFT**](https://github.com/PaulSec/CSRFT) - CSRF toolkit
- [**syntribos**](https://github.com/openstack/syntribos) - A framework for fuzz-testing REST APIs for security defects
- [**arachni**](https://github.com/Arachni/arachni) - Web Application Security Scanner Framework

#### Brute Force

- [**nmap scripting engine**](http://nmap.org/book/nse.html) - Scripts for nmap that add brute-force functionality

## Specific Platforms / Vulnerabilities

- [**WPScan**](https://github.com/wpscanteam/wpscan) - Scanner for WordPress vulnerabilities
- [**JDWP**](https://github.com/IOActive/jdwp-shellifier) - Scanner for Java Debug Wire Protocol vulnerabilities
- [**Jetty - Jetleak**](https://github.com/GDSSecurity/Jetleak-Testing-Script) - Scanner for the Jetleak vulnerability in the Jetty webserver
- [**MySQL - mysslstrip/BACKRONYM**](https://github.com/duo-labs/mysslstrip) - Tool for performing man-in-the-middle attacks on MySQL
- [**OpenSSL - Heartbleed**](https://github.com/FiloSottile/Heartbleed) - Tool to test for Heartbleed, a vulnerability in OpenSSL
- [**OpenSSL - DROWN**](https://github.com/nimia/public_drown_scanner) - Scanner for the DROWN vulnerability in SSL/TLS that affects multiple products

/training.md:
--------------------------------------------------------------------------------
# Learning Application Security

## Introduction

Some of the oldest known application security issues continue to affect projects
today. Being aware of these issues, as well as techniques for exploiting and
mitigating them, will aid in your testing efforts and help you to avoid
vulnerabilities in your own code. The resources below should help you learn more
about common security issues, and how to prevent these issues from surfacing in
new products/product features.

Some links and sections have :star:s next to them to denote what I consider to
be *essential* knowledge for understanding application security.

## Table of Contents

0. [The Basics](#star-the-basics)
0. [OWASP Top 10](#star-owasp-top-10)
0. [Security guides and overviews](#security-guides-and-overviews)
0. [Defending Applications **(defense)**](#defending-applications)
0. [Application Testing **(offense)**](#attacking-applications)
0. [AppSec presentations](#appsec-presentations)
0. [Interesting case studies](#interesting-case-studies)
0. [Test your skills](#test-your-skills)
0. [Stay up to date](#stay-up-to-date)
0. [Useful references](#useful-references)


## :star: The Basics

These short lists provide a background in security knowledge essential to understanding the broader goals of security (strategic, not tactical).

- [Thirteen principles to ensure enterprise system security](http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security) - Good high-level overview of security concepts, explained with simple examples
- [Ten Immutable Laws of Security](https://blogs.technet.microsoft.com/rhalbheer/2011/06/16/ten-immutable-laws-of-security-version-2-0/) - High-level security principles to keep in mind when designing systems or defending them
- [The principles of data security design](https://cryptome.org/2015/03/principles-data-security.htm) - High-level principles related to data security
- [4 Tips for a Strong Executive Summary of a Security Assessment Report](https://zeltser.com/executive-summary-for-security-assessment-report-tips/) - Tips for writing security report summaries for readers who aren't developers or security people

## :star: OWASP Top 10

The [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013-Top_10) is a list
of common vulnerabilities, as assessed by [OWASP, the Open Web Application Security Project.](https://www.owasp.org/index.php/Main_Page)
It is re-evaluated periodically based on the findings that they see in the wild.
OWASP's wiki has some very helpful articles about testing for and fixing many
common security issues.

Understanding the basics of each of these is essential to any security engineer.

The top 10 issues for 2013 are:

1. **[Injection (such as SQL or LDAP injection)](https://www.owasp.org/index.php/Top_10_2013-A1-Injection)**
2. **[Broken authentication and session management](https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management)**
3. **[Cross-site scripting](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29)**
4. **[Insecure direct object references](https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References)**
5. **[Security misconfiguration](https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration)**
6. **[Sensitive data exposure](https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure)**
7. **[Missing function level access control](https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control)**
8. **[Cross-site request forgery](https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_%28CSRF%29)**
9. **[Using components with known vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)**
10. **[Unvalidated redirects and forwards](https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards)**

#### Cheat Sheets

- [Cross Site Scripting Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) - Describes methods for detecting and preventing [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting) in webapps.
- [SQL Injection Prevention Cheat Sheet](https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet) - Describes methods for detecting and preventing [SQL injection](http://en.wikipedia.org/wiki/SQL_injection) in webapps.
- [HTML5 Security Cheat Sheet](https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet) - Security considerations for HTML5 apps
- [REST Security Cheat Sheet](https://www.owasp.org/index.php/REST_Security_Cheat_Sheet) - Security considerations for REST APIs
- [Authentication Cheat Sheet](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) - Tips on handling authentication in web applications
- [Google Application Security - Cross-Site Scripting](https://www.google.com/about/appsecurity/learning/xss/) - Guide explaining how to test for and prevent XSS, from Google
- :star: [LtR 101: WebApp Testing - Method to the Madness](http://blog.zsec.uk/ltr101-method-to-madness/) - This checklist has helpful questions to ask yourself as you're auditing a web application for security issues.


## Security Guides and Overviews

- [The Basics of Web Application Security](http://martinfowler.com/articles/web-security-basics.html) - Blog post describing some of the more common issues in web application security (e.g. XSS, SQL injection...)
- [2016 Guide to User Data Security](https://www.inversoft.com/guides/2016-guide-to-user-data-security) - This is an in-depth guide to setting up cloud-based apps in a secure way. It covers how to securely configure cloud services/users/etc., set up infrastructure, and avoid introducing vulnerabilities through programming errors, at a high level.
- [Security Guide for Developers](https://github.com/FallibleInc/security-guide-for-developers) - A work-in-progress project to document security best practices for a developer audience. Includes a very handy [security checklist](https://github.com/FallibleInc/security-guide-for-developers/blob/master/security-checklist.md) for secure applications.
- [Introduction to Microsoft Secure Development Lifecycle](http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction%20to%20the%20Microsoft%20Security%20Development%20Lifecycle%20%28SDL%29.ppsx) - A great introductory slideshow describing Microsoft's method of doing secure software development. We borrow heavily from this model on the Rackspace Security Engineering team, conducting threat modeling sessions with all new products to understand the system-level interactions and the "trust boundaries" that exist between systems, for example.
- [Security Guide: How to Protect Your Infrastructure Against the Basic Attacker](http://blog.mailgun.com/security-guide-basic-infrastructure-security/) - Guide outlining how to set up basic infrastructure security for your systems

## Defending Applications

This section is dedicated to building secure applications.

### HTTP Headers

- [Exotic HTTP Headers](https://peteris.rocks/blog/exotic-http-headers/) - This lists most of the common HTTP headers that web applications use to ensure security from the browser's perspective.


### Handling User Passwords

- [Password Hashing: Why and How](http://ithare.com/password-hashing-why-and-how/) - This is a high-level overview of how and why to use well-tested approaches to password storage. More of a philosophical than technical talk. Read this one, then the one below.
- [How to Safely Store Your Users' Passwords in 2016](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016) - Solid implementation of current best-practice password hashing in several languages. Very specific (i.e. mostly "how", not much "why")

### Operations

- [Choosing Secure Passwords](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html) - Guide from Bruce Schneier on how to think about choosing secure passwords.
- [HowTo: Privacy & Security Conscious Browsing](https://gist.github.com/atcuno/3425484ac5cce5298932) - Tips for how to safely configure your browser to avoid unnecessary exposure to security issues.
- [A Week with a Rails Security Strategy](http://bauland42.com/articles/a-week-with-a-rails-security-strategy/) - A short guide to creating a daily practice of maintaining your application security posture.
- [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html) - A guide to tightening security in OpenSSH

### Cryptography

- :star: [The Cryptographic Doom Principle](https://moxie.org/blog/the-cryptographic-doom-principle/) - A short must-read for anyone implementing or auditing crypto systems
- [crypto101.io](https://www.crypto101.io/) - Overview of the building blocks of cryptography - cryptographic hash/MAC algorithms, popular ciphers, SSL/TLS, and much more.
- [The First Few Milliseconds of an HTTPS Connection](http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html) - In-depth details about how TLS works as a protocol

## Attacking Applications

This section lists resources for testing the security of applications. The [list of tools](./tools.md) in this guide may be useful here.

### Cheatsheets

- [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents) - This guide to web application security testing from OWASP contains explanations of many granular testing concepts (e.g. ["Testing for Weak lock out mechanism"](https://www.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003))), broken down by general topics (e.g. [Authentication Testing](https://www.owasp.org/index.php/Testing_for_authentication), [Business Logic Testing](https://www.owasp.org/index.php/Testing_for_business_logic))
- [MySQL SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) - Cheat sheet for SQL injection specific to MySQL
- [SQL injection cheatsheet (ha.ckers.org)](https://web.archive.org/web/20150420183409/http://ha.ckers.org/sqlinjection/) - Cheat sheet for evading filters with SQL injection
- [XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) - Cheat sheet for constructing interesting XSS vectors to evade filters

## AppSec Presentations

### Slide Deck Presentations

- [**(ADVANCED)** Giant bags of mostly water](http://slides.com/mricon/giant-bags-of-mostly-water) - This presentation hits on a lot of high-level changes that security organizations need to invest in to make user error less likely in their organizations. More of a philosophical presentation than a technical one.

### Video Presentations

- [PaulSec & TunnelsUp "awesome-sec-talks" list](https://github.com/PaulSec/awesome-sec-talks) - This is a mega-list of security talks from many conferences, dating back to 2013. Great if you're trying to find a talk from a conference you attended or heard about; probably too many to casually browse through.

#### DEFCON

- [DEFCON 26 Presentations](https://www.youtube.com/playlist?list=PL9fPq3eQfaaD0cf5c7wkzMoj2kifzGO4U) (2018)
- [DEFCON 25 Presentations](https://www.youtube.com/playlist?list=PL9fPq3eQfaaDOo8mTBHhEHMfuG2LNUSTC) (2017)
- [DEFCON 24 Presentations](https://www.youtube.com/playlist?list=PL9fPq3eQfaaAvXV3hJc4yHuNxoviVckoE) (2016)
- [DEFCON 23 Presentations](https://www.youtube.com/playlist?list=PL9fPq3eQfaaBuHqVvDzPoWxznYYmyx5UX) (2015)
- [DEFCON 22 Presentations](https://www.youtube.com/playlist?list=PL9fPq3eQfaaBCdjbKFYjosh1s1EkaYdsQ) (2014)

#### Black Hat

- [Black Hat USA 2018 Videos](https://www.youtube.com/playlist?list=PLH15HpR5qRsVAXGmSVfjWrGtGLJjIJuGe)
- [Black Hat USA 2017 Videos](https://www.youtube.com/playlist?list=PLH15HpR5qRsUyGhBVRDKGrHyQC5G4jQyd)
- [Black Hat USA 2016 Videos](https://www.youtube.com/playlist?list=PLH15HpR5qRsXm0-rMacuWBxWcB2fmsmEw)
- [Black Hat USA 2015 Videos](https://www.youtube.com/playlist?list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7)
- [Black Hat USA 2014 Videos](https://www.youtube.com/playlist?list=PLH15HpR5qRsUBgeytB_T4xnKzr4Iv3upj)

#### AppSec USA

- [AppSec USA 2018 Presentations](https://www.youtube.com/playlist?list=PLpr-xdpM8wG-ma2GOBmdpGGfnVPVwFFQd)
- [AppSec USA 2017 Presentations](https://www.youtube.com/playlist?list=PLpr-xdpM8wG9emx73fEjX0Cn6VHruJ4-l)
- [AppSec USA 2016 Presentations](https://www.youtube.com/playlist?list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N)
- [AppSec USA 2015 Presentations](https://www.youtube.com/playlist?list=PLpr-xdpM8wG93dG_L9QKs0W1cD-esQEzU)
- [AppSec USA 2014 Presentations](https://www.youtube.com/playlist?list=PLpr-xdpM8wG8jz9QpzQeLeB0914Ysq-Cl)

## Interesting Case Studies

- [**(XSS)** OX (Guard): Stored Cross-Site Scripting via Email Attachment](https://hackerone.com/reports/165275) - An interesting XSS and CSP bypass vulnerability in an encrypted email service.
- [**(XSS)** AddToAny Share Buttons WordPress Plugin DOM-Based XSS](https://inventropy.us/blog/addtoany-share-buttons-wordpress-plugin-dom-based-xss) - A walk-through (by yours truly) about tracking down a DOM-based cross-site scripting issue in a WordPress plugin.
- [**(CRLF)** blog.trello.com CRLF Injection](https://hackerone.com/reports/45514) - Example of header injection by adding a CRLF to the `Location` header
- [**(SSRF)** Blind SSRF on synthetics.newrelic.com](https://hackerone.com/reports/141304) - This shows how server-side request forgery can be used to retrieve e.g. AWS instance metadata
- [**(AuthN/AuthZ)** How to steal $2,999.99 in less than 2 minutes with Venmo and Siri](http://www.martinvigo.com/steal-2999-99-minute-venmo-siri/) - An example of a vulnerability resulting from several features interacting that weren't intended (or known) to interact, because they were in components made by two different companies (Apple's iOS and Venmo, a money-charging service that uses SMS)
- [**(Sessions/Crypto)** Anatomy of a Crypto Vulnerability](https://alexgaynor.net/2016/mar/14/anatomy-of-a-crypto-vulnerability/) - A walk-through describing cryptographic weaknesses in a Python session-management framework.
- [**(Sessions/Crypto/Mobile/IDOR/AuthN)** The Bank Job](https://boris.in/blog/2016/the-bank-job/) - A walk-through of multiple security issues in a bank's online banking services, including insecure SSL/TLS, insecure session management, and insecure direct object references.
- [**(Crypto)** A Tale of Lost Entropy](https://inventropy.us/blog/a-tale-of-lost-entropy) - A walk-through (by yours truly) discussing a weak Node.JS cryptography implementation

## Test Your Skills

- [**(XSS)** Google XSS Game](https://xss-game.appspot.com/) - An introduction to finding XSS vulnerabilities
- [**(XSS)** Escape](http://escape.alf.nu/) - Much more in-depth examples than the above, organized like a game where the objective is finding the shortest "exploit" that pops up an alert box
- [**(ALL)** Google Gruyere](https://google-gruyere.appspot.com/) - A "lab" to test your skills finding a number of different vulnerabilities. Get started [here](https://google-gruyere.appspot.com/part1).
- [**(ALL)** Hack This Site](https://www.hackthissite.org/) - Site with all kinds of "wargames" for testing your hacking skills, and tutorials about security concepts
- [**(ALL)** Over The Wire Wargames](http://overthewire.org/wargames/) - Very in-depth "wargames" for learning different aspects of security and testing your skills
- [**(ALL)** OWASP WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) - This is a Java/.NET web app that has been deliberately implemented with multiple security vulnerabilities. Can you find/patch them all?
- [**(SQLi)** CodeBashing SQL Injection Demo](https://www.codebashing.com/sql_demo)
- [**(PROGRAMMING)** Stockfighter.io](https://www.stockfighter.io/) - Programming challenges related to security and stock trading.

## Stay up-to-date

### News Sites & Blogs

- [/r/netsec](https://www.reddit.com/r/netsec/) - Subreddit with news relevant to network security, application security, etc.
- [Hacker News](https://news.ycombinator.com/) - News relevant to startups, technology, programming, and sometimes security
- [Sustainable Application Security](https://blog.secodis.com/) - Blog covering the intersection of security and ops/devops.

### Mailing Lists

- [OSS-Sec](http://seclists.org/oss-sec/) - Open-source Software Security list with vulnerability announcements, CVE requests, and new research (more popular than FD these days)
- [Full Disclosure](http://seclists.org/fulldisclosure/) - Vulnerability announcements, CVE requests, new research
- [Websec Weekly](https://websecweekly.org/) - Roundup of interesting vulnerability reports from HackerOne and popular discussions on /r/netsec
- [Apple Product Security](https://lists.apple.com/mailman/listinfo/security-announce/) - Apple's list for announcing security vulnerabilities/updates

## Useful References

### Lists-of-lists

- [Troy Hunt's ultimate list of security links](https://www.troyhunt.com/troys-ultimate-list-of-security-links/?m=1) - List of relevant security links from a well-known security researcher at Microsoft.
- [j.haddix's Pentesting bookmarks](https://github.com/jhaddix/pentest-bookmarks/blob/master/wiki/BookmarksList.wiki) - Lengthy list of bookmarks in various application security categories. No descriptions on the individual links :persevere:
- [paragonie's "awesome appsec" list](https://github.com/paragonie/awesome-appsec) - This list includes a breakdown by programming language, with a heavy emphasis on books. Created almost 2 years ago, so some resources may be a bit dated.
- [infoslack's "awesome-web-hacking" list](https://github.com/infoslack/awesome-web-hacking) - Contains some good resources (books, useful Docker repos), but not much detail in the link descriptions.
- [dloss's "Python tools for penetration testers" list](https://github.com/dloss/python-pentest-tools) - Huge list of Python tools and frameworks that are handy for security testing and building your own security tools.

### Further Training Resources

**Free**

- [Cyber Security Base](https://cybersecuritybase.github.io/) - A course created by F-Secure and the University of Helsinki to teach security skills.
- [Hacksplaining](https://www.hacksplaining.com/) - An immersive walk-through of numerous security issues, with animations and examples.

**Paid**

- [Coursera Cybersecurity Course](https://www.coursera.org/specialization/cybersecurity/7?utm_medium=courseDescripTop) - If you find that cybersecurity is interesting to you, Coursera offers a certificate program that covers several broad topics in cybersecurity like software security, hardware security, and cryptography.
- [CodeBashing](https://www.codebashing.com/) - Application security training for teams / businesses

### Books

- [The Web Application Hacker's Handbook](https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470) by Dafydd Stuttard and Marcus Pinto
- [The Tangled Web](https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886) by Michal Zalewski

### Miscellaneous

- [List of naughty strings](https://github.com/minimaxir/big-list-of-naughty-strings) - A list of strings that can cause various issues - unicode decode errors, spam/profanity filter triggers, XSS, memory exhaustion, etc.
- [Exploitable PHP functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions) - A list of PHP functions that can be used for malicious purposes