Disclosures

Application Logic

06/18/2013 - https://labs.spotify.com/2013/06/18/creative-usernames/ - Creative usernames and Spotify account hijacking
06/26/2013 - Hijacking a Facebook Account with SMS - https://whitton.io/articles/hijacking-a-facebook-account-with-sms/
03/25/2014 - Phabricator Bypass auth.email-domains - https://hackerone.com/reports/2233
05/15/2016 - The Bank Job - https://boris.in/blog/2016/the-bank-job/
05/19/2016 - InstaBrute: Two Ways to Brute-force Instagram Account Credentials - https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-i...
06/06/2016 - Trello bug bounty: Payments informations are sent to the webhook - https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-...
06/07/2016 - Pwning Pornhub (memcache) - https://blog.zsec.uk/pwning-pornhub/
07/01/2016 - Magento – Re-Installation & Account Hijacking Vulnerabilities - http://netanelrub.in/2016/07/01/magento-re-installation-account-hijackin...
08/08/2016 - Free way to Facebook Freebooting | Hacking Rights Manager - http://www.7xter.com/2016/08/free-way-to-facebook-freebooting.html
08/16/2016 - Google Chrome, Firefox Address Bar Spoofing Vulnerability - http://www.rafayhackingarticles.net/2016/08/google-chrome-firefox-addres...
08/18/2016 - How I hacked an Android App to Get Free Beer - https://breakdev.org/how-i-hacked-an-android-app-to-get-free-beer/
09/02/2016 - Response To Request Injection (RTRI) - https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZ...

Authentication

04/27/2016 - Microsoft Office 365 SAML Bypass - http://www.economyofmechanism.com/office365-authbypass.html
04/28/2016 - Slack bot token leakage exposing business critical information - https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-b...
06/01/2016 - Taking over Heroku accounts - http://esevece.github.io/2016/06/01/taking-over-heroku-accounts.html
10/20/2016 - Slack, a Brief Journey to Mission Control - http://secalert.net/slack-security-bug-bounty.html
11/02/2016 - Bypassing Two-Factor Authentication on OWA & Office365 Portals - http://www.blackhillsinfosec.com/?p=5396

CORS/CSP

04/04/2016 - CSP: bypassing form-action with reflected XSS - https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-ref...
12/16/2016 - Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin...

CSRF

05/17/2016 - How I bypassed Facebook CSRF in 2016 - http://pouyadarabi.blogspot.ca/2016/05/how-i-bypassed-facebook-csrf-in-2...
19/07/2016 - Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-pic...
26/10/2016 - Google Spreadsheet Vuln - CSRF and JSON Hijacking allows data theft - https://www.rodneybeede.com/Google_Spreadsheet_Vuln_-_CSRF_and_JSON_Hija...

CSV Injection

29/01/2013 - Cell Injection: Attacking the End User Through the Application - http://blog.7elements.co.uk/2013/01/cell-injection.html
04/17/2016 - CSV Injection in business.uber.com - http://blog.daviddworken.com/posts/csv-injection-in-businessubercom/

HPP

08/23/2015 - Twitter HPP vulnerability unsubscribing from emails - http://www.merttasci.com/blog/twitter-hpp-vulnerability/
12/03/2015 - Parameter Tampering Attack on Twitter Web Intents - https://ericrafaloff.com/parameter-tampering-attack-on-twitter-web-intents/
02/02/2016 - Bypassing Digits web authentication's host validation with HPP - https://hackerone.com/reports/114169

Host Header Injection
09/06/2016 - Internet Explorer has a URL Problem - http://blog.innerht.ml/internet-explorer-has-a-url-problem/
10/24/2016 - Combining Host Header Injection and Lax Host Parsing Service Malicious Data - https://labs.detectify.com/2016/10/24/combining-host-header-injection-an...

IDOR

06/23/2016 - UBER HACKING: HOW WE FOUND OUT WHO YOU ARE, WHERE YOU ARE AND WHERE YOU WENT! - https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you...
06/23/2016 - Facebook's Bug - Delete any video from Facebook - http://www.pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-...
08/25/2016 - How I Could Have Hacked Multiple Facebook Accounts - https://medium.com/@gurkiratsingh/how-i-could-have-hacked-multiple-faceb...
11/22/2016 - You get a UUID! You get a UUID! Everybody gets a UUID! - http://www.rohk.xyz/uber-uuid/

Information Disclosure

12/21/2016 - Disclosing the primary email address for each Facebook user - http://www.dawgyg.com/2016/12/21/disclosing-the-primary-email-address-fo...

SSRF

04/18/2016 - ESEA Server-Side Request Forgery and Querying AWS Meta Data - http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-queryin...
02/23/2016 - FFMPEG File Disclosure - https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/sup...
Trello Bug BOunty Access Servier Files Using Imagetragick - https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetr...

SSTI

04/25/2016 - Adapting AngularJS Payloads to Exploit Real World Applications - http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-explo...

Reverse Engineering

04/19/2016 - Digging into a Facebook Worm -https://gist.githubusercontent.com/phwd/0ec21c6289543f35135e17aa11f7dec1...
07/01/2016 - How I Cracked a Keylogger and Ended Up in Someone's Inbox - https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keyl...
11/14/2016 - Hacking Team Back For Your Androids - http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/

Relative Path Overwrite

03/21/2014 - Relative vs Absolute - http://www.thespanner.co.uk/2014/03/21/rpo/
02/17/2015 - Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities - http://blog.portswigger.net/2015/02/prssi.html
07/03/2016 - RPO Gadgets - http://blog.innerht.ml/rpo-gadgets/

XSS

07/06/2010 - Facebook XSS via Cross-Origin Resource Sharinghttp://maustin.net/2010/07/06/facebook_html5.html
02/14/2013 - How I got the Bug Bounty for Mega.co.nz XSS - https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-...
04/22/2015 - XSS via Host header - www.google.com/cse - http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
12/08/2015 - Creative bug which result Stored XSS on m.youtube.com - http://sasi2103.blogspot.ca/2015/12/creative-bug-which-result-stored-xss...
04/17/2016 - XSS in pypi (and Uber!) - http://blog.daviddworken.com/posts/xss-in-pypi-and-uber/
04/17/2016 - XSS in getrush.uber.com - http://blog.daviddworken.com/posts/xss-in-getrushubercom/
04/19/2016 - Using a Braun Shaver to Bypass XSS Audit and WAF - https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-...
05/09/2016 - XSS and RCE, domain takeover with remote loaded JS - http://brutelogic.com.br/blog/xss-and-rce/
06/13/2016 - Embedding XSS in SVG files - http://bini.tech/wordpress-remote-upload-unrestricted-file-upload/
07/02/2016 - OneDrive: an easter egg into MS library - XSS on Microsoft and not only - https://luc10.github.io/onedrive-an-easter-egg-into-ms-library/
07/04/2016 - Apple and the 5 XSSes - http://strukt93.blogspot.ca/2016/07/apple-and-5-xsses.html
07/19/2016 - Instagram Reflected XSS in Link Shim - http://ameeras.me/Instagram-Reflected-XSS-in-Link-Shim/
07/19/2016 - Blind XSS in Spotify - https://mhmdiaa.github.io/jekyll/update/2016/07/19/blind-xss-in-spotify....
07/22/2016 - United to XSS United - http://strukt93.blogspot.ca/2016/07/united-to-xss-united.html
08/29/2016 - Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded - https://httpsonly.blogspot.ca/2016/08/turning-self-xss-into-good-xss-v2....
08/31/2016 - Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter - https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss...
09/19/2016 - Combination of techniques lead to DOM Based XSS in Google - http://sasi2103.blogspot.ca/2016/09/combination-of-techniques-lead-to-do...
12/07/2016 - Stored XSS Affecting All Fantasy Sports on Yahoo - http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fan...

XXE

06/25/2014 - Identifying Xml eXternal Entity vulnerability (XXE) in GPX files - http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
03/21/2015 - XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250] - https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library...
08/14/2015 - XXE ALL THE THINGS!!! (INCLUDING APPLE IOS’S OFFICE VIEWER) - https://labs.integrity.pt/articles/xxe-all-the-things-including-apple-io...

CRLF

03/15/2015 - Parse.com - X-Forwarded-Host Injection - Bypass secure & HTTP_only Vulnerability - https://www.youtube.com/watch?v=1yUw7rtTTeI

Remote Code Execution

12/09/2013 - Remote Code Execution exploit in WordPress 3.5.1 - https://tom.vg/2013/12/wordpress-rce-exploit/
02/15/2015 - RCE in Oracle NetBeans Opensource Plugins: PrimeFaces 5.x Expression Language Injection - http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource...
11/06/2015 - Java unserialization - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss...
11/12/2015 - XSS to Remote Code Execution with HipChat - http://maustin.net/2015/11/12/hipchat_rce.html
05/04/2016 - Remote Code Execution via ImageMagick - http://pastebin.com/aE4sKnCg (file)
05/10/2016 - Exploiting ImageMagick on Polyvore (Yahoo) - http://nahamsec.com/exploiting-imagemagick-on-yahoo/
07/22/2016 - Exploiting Java Deserialization via JBoss - https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserializati...
07/25/2016 - CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability - http://www.korpritzombie.com/cve-2016-5840-trend-micro-deep-discovery-ho...
08/15/2016 - Jetbrains IDE Remote Code Execution and Local File Disclosure - http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-e...
08/24/2016 - The Million Dollar Dissident - https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-...
09/21/2016 - pwn them for learn -http://bugdisclose.blogspot.ca/2016/09/pwn-them-for-learn.html
10/26/2016 - Details on the Privilege Escalation Vulnerability in Joomla - https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vuln...

Memory Related

5/13/2016 - 7-Zip vulnerabilities found by Talos - http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

Source Code Disclosure

03/27/2016 - A tale of an interesting source code leak - http://secalert.net/#scl-soh
07/19/2016 - Accessing PornHub's SVN repo - https://hackerone.com/reports/72243
07/22/2016 - Twitter's Vine Source code dump - https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
10/14/2016 - Importance of up-to-date application usage plus complex password OR from directory traversal to admin panel takeover - http://zuh4n.blogspot.ca/

SQLi

12/20/2016 - Flickr from SQLi to RCE - https://pwnrules.com/flickr-from-sql-injection-to-rce/
07/25/2016 - SQL Injection on sctrack.email.uber.com.cn - https://hackerone.com/reports/150156

Subdomain Takeover

10/21/14 - Hostile Subdomain Takeover using Heroku/Github/Desk + more - https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-h...
12/08/14 - Hijacking of abandoned subdomains part 2 - https://labs.detectify.com/2014/12/08/hijacking-of-abandoned-subdomains-...
07/26/16 - Uber Subdomain Takeover - http://blog.eseccyber.tech/article/uber.html
09/05/2016 - How I was able to read Uber logs and internal emails - http://blog.pentestnepal.tech/post/149985438982/how-i-was-able-to-read-u...

HTML Injection

07/26/2016 - Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection - https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-...

OAuth

02/07/2014 - How I Hacked GitHub Again. - http://homakov.blogspot.ca/2014/02/how-i-hacked-github-again.html
07/20/2015 - Bypassing Google Authentication on Periscope's Administration Panel - https://whitton.io/articles/bypassing-google-authentication-on-periscope...
01/04/2016 - Bypassing callback_url validation on Digits - https://hackerone.com/reports/108113
02/29/2016 - Swiping Facebook Official Access Tokens - http://philippeharewood.com/swiping-facebook-official-access-tokens/
04/03/2016 - Obtaining Login Tokens for Outlook, Office or Azure (OAuth) - https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/
06/16/2016 - Bypass Disabled Client OAuth Login in Facebook Pages Manager App - http://philippeharewood.com/bypass-disabled-client-oauth-login-in-facebo...
10/13/2016 - CVE-2016-4977: RCE in Spring Security OAuth - http://secalert.net/#CVE-2016-4977

Mobile

04/12/2015 - Shopify android client all API request's response leakage - https://hackerone.com/reports/56002
07/26/2016 - Odnoklassniki Android application vulnerabilities - https://hackerone.com/reports/97295

Browser
12/06/16 - Firefox - SVG cross domain cookie vulnerability - https://insert-script.blogspot.ca/2016/12/firefox-svg-cross-domain-cooki...


CTF Writeups

03/03/2013 - Unauthorized Access: Bypassing PHP strcmp() - http://danuxx.blogspot.ca/2013/03/unauthorized-access-bypassing-php-strc...
06/09/2016 - Hack in the Box 2016 – MISC400 Writeup (Part 1) - http://rileykidd.com/2016/06/09/hack-in-the-box-2016-misc400-writeup-par...
10/03/2016 - Hacking the Hard Way at the Derbycon CTF - https://labs.signalsciences.com/hacking-the-hard-way-at-the-derbycon-ctf...
BSides Ottawa CTF - Second Place! - https://blog.fletchto99.com/2016/october/bsides-ottawa/
2016 Hack the Vote - https://github.com/ctfs/write-ups-2016/tree/master/hack-the-vote-ctf-2016
Resources

XXE Payloads in iOS - http://en.hackdig.com/08/28075.htm
Burp Tutorials - https://vimeo.com/album/3510171
Facebook CTF - https://github.com/facebook/fbctf
SSRF Bible - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa...
Jerry Gamblin Hacking Blog - http://jerrygamblin.com/category/hacking
Filedescriptor XSS Polygots - http://polyglot.innerht.ml/
prompt.ml XSS Challenge - https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#hidden-level--1
Hacking with Unicode - https://speakerdeck.com/mathiasbynens/hacking-with-unicode-in-2016
Programming Practice (paid premium) - https://coderbyte.com/
Online CTF Practice challenges - https://backdoor.sdslabs.co
Nicolas Grégoire Burp Pro Tips - http://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf
Open Security Training - http://opensecuritytraining.info/
OWASP Mutillidae II Web Pen-Test Practice Application - https://sourceforge.net/projects/mutillidae/
DNS - https://haxpo.nl/haxpo2015ams/wp-content/uploads/sites/4/2015/04/D1-P.-M...
XSS without HTML: Client-Side Template Injection with AngularJS - http://blog.portswigger.net/2016/01/xss-without-html-client-side-templat...
File Upload XSS - http://brutelogic.com.br/blog/file-upload-xss/
CSV Injection Mitigations - https://blog.zsec.uk/csv-dangers-mitigations/
Comma Separated Vulnerabilities - http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Running your own anonymous rotating proxies - http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
Reviewing bug bounties - a hacker's perspective - http://www.skeletonscribe.net/2016/08/reviewing-bug-bounties-hackers.html
Practical HTTP Host Header Attacks - http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks...
Practice CTF List / Permanant CTF List - https://captf.com/practice-ctf/
lcamtuf's blog - https://lcamtuf.blogspot.ca/
Backup File Artifacts - http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Unicode Character 'PILE OF POO' - http://www.fileformat.info/info/unicode/char/1F4A9/index.htm
Decompile and Recompile Android APK - https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/
Frans Rosen - Time Based Captcha Protected SQLi - http://www.slideshare.net/fransrosen/time-based-captcha-protected-sql-in...
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy - https://research.google.com/pubs/pub45542.html
How to View TLS Traffic in Android’s Logs - https://blog.securityevaluators.com/how-to-view-tls-traffic-in-androids-...
https://url.spec.whatwg.org/
AngularJS Sandbox Escapes Explained - https://www.reddit.com/r/angularjs/comments/557bhr/xss_in_angularjs_vide...
Senate Republicans were skimmed for six months, quietly fix store - https://gwillem.github.io/2016/10/04/how-republicans-send-your-credit-ca...
Introduction to OSINT: Recon-ng Tutorial - https://strikersecurity.com/blog/getting-started-recon-ng-tutorial/
Exploiting CORS misconfigurations - http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-fo...
Abusing Dorking and Robots.txt - http://sten0.ghost.io/2016/10/13/abusing-dorking-and-robots-txt/
Brute Logic XSS Challenge I - http://brutelogic.com.br/blog/xss-challenge-i/
How Google and Bing Protect their APIs - https://rudk.ws/2016/10/23/how-google-and-bing-protects-their-api/
Free Dev Books - https://devfreebooks.github.io/
IOS Application Security Review Methodology - http://research.aurainfosec.io/ios-application-security-review-methodology/
Anatomy of a Subtle JSON Vulnerability - http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerabi...
Finding XSS Slidedeck - http://slides.com/mscasharjaved/deck-13#/
XSS Polyglots - https://blog.bugcrowd.com/xss-polyglots-the-context-contest?utm_campaign...
Bypassing Saml 2.0 SSO - http://research.aurainfosec.io/bypassing-saml20-SSO/
Bypassing CSP using polyglot jpegs - http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
Facebook Graphql Crash Course - https://www.facebook.com/notes/phwd/a-facebook-graphql-crash-course/1189...
New XXSI Vector Untold Merits of nosniff - https://www.hurricanelabs.com/blog/new-xssi-vector-untold-merits-of-nosniff
Research papers

Minded Security Expression Language Injection Paper - https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Sandboxing JavaScript in the Browser - https://var.thejh.net/thesis_excerpt.pdf
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? - http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-...
Online Courses / Training

Cyber Security Base with F-Secure is a free course series by University of Helsinki - https://cybersecuritybase.github.io/
Vulnerable Web Applications for Learning - https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applica...
Jame Kettle's hackxor - http://hackxor.sourceforge.net/cgi-bin/index.pl#demo
Google XSS Game - https://xss-game.appspot.com/
Google DOM Based XSS - https://public-firing-range.appspot.com/address/index.html
Code Lab: Web Application Exploits and Defenses - https://google-gruyere.appspot.com/
Cheat Sheets

Path Traversal Cheat Sheet Linux - https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
XXE - https://www.gracefulsecurity.com/xxe-cheatsheet/
HTML5 Security Cheat Sheet - https://html5sec.org/
Brute XSS Cheat Sheet - http://brutelogic.com.br/blog/cheat-sheet/
MySQL SQL Injection Cheat Sheet - http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-c...
AngularJS Sandbox Bypass Collection (includes 1.5.7) - http://pastebin.com/xMXwsm0N
Java Deserialization - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Penetration testing tools cheat sheet - https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
OAuth - https://github.com/homakov/oauthsecurity
Burp How Tos

http://security-geek.in/2014/08/22/using-burp-suite-to-brute-force-http-...
Tools

Discovery
https://github.com/OJ/gobuster
Sublist3r is python tool that is designed to enumerate subdomains of websites using search engines - https://github.com/aboul3la/Sublist3r
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible - https://github.com/ChrisTruncer/EyeWitness
Smart content discovery burp plugin with context awareness - https://github.com/pathetiq/BurpSmartBuster
An automated tool that checks for backup artifacts that may discloses the web-application's source code - https://github.com/mazen160/bfac

Recon-ng
Recon-ng + Google Dorks + Burp = ... - https://averagesecurityguy.github.io/2016/10/21/recon-ng-dorks-burp/

Port Scanning
Resolve and quickly portscan a list of (sub)domains - https://github.com/melvinsh/subresolve

Mobile
JD-GUI, a standalone graphical utility that displays Java sources from CLASS files. - https://github.com/java-decompiler/jd-gui
Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing - https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning - https://github.com/Fuzion24/JustTrustMe
Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps - https://github.com/nabla-c0d3/ssl-kill-switch2
Android APK Tool - https://ibotpeaches.github.io/Apktool/
Android Dex2Jar - https://github.com/pxb1988/dex2jar

Decompiler
JPEXS Free Flash Decompiler - https://github.com/jindrapetrik/jpexs-decompiler
Flashbang, find theflashVars of a naked SWF and display them - https://github.com/cure53/Flashbang

Java Deserialization
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization - https://github.com/frohoff/ysoserial

Password Cracking
John the Ripper - http://www.openwall.com/john/

Hash Cracking
Online Hash Crack - http://www.onlinehashcrack.com/
CyberChef - https://gchq.github.io/CyberChef/

Vulnerability SaaS
SSRF Detector - https://ssrfdetector.com/
XSSHunter - https://xsshunter.com



via: www.torontowebsitedeveloper.com