WebSecurity-List
Web Security List
- 2017-Common Security Issues in Web Applications #Series#: I hope this article will help developers to have a simple understanding of some issues that appear to be in 80–85% of applications.
- 2018-Hacker101: Hacker101 is a free class for web security. Whether you're a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.
- 12 best practices for user account, authorization and password management
- MDN-Web security: The web security oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.
- The Bug Hunters Methodology: This repo is a conglomeration of tips, tricks, tools, and data analysis to use while doing web application security assessments, and more specifically towards bug hunting in bug bounties.
Overview | 概述
- 2018-Web Application Penetration Testing Cheat Sheet: This cheatsheet is intended to run down the typical steps performed when conducting a web application penetration test.
- Web Developer Security Checklist: Michael O'Brien shares a security checklist for web developers so that you don't forget anything crucial in your next projects.
Browser Security | 浏览器安全
- CSS-Keylogging: Chrome extension and Express server that exploits keylogging abilities of CSS.
- 2018-How to stop me harvesting credit card numbers and passwords from your site
- 2017-From Markdown to RCE in Atom: Recently I took a look at Atom, a text editor by GitHub. With a little bit of work, I was able to chain multiple vulnerabilities in Atom into an actual Remote Code Execution.
- 2019-HTTP Security Headers - A Complete Guide: In this article, I will walk through the commonly evaluated headers, recommend security values for each, and give a sample header setting.
WebAPI
- 2017-Improve Your Website Security in 5 Minutes With These HTTP Headers
- Approaches to Browser Vulnerability Hunting (浏览器漏洞挖掘思路): In this talk (article), we give readers approaches for finding browser vulnerabilities.
- 2019-The 7 Major Security Threats Facing REST APIs (REST API 面临的 7 大安全威胁): API security is the biggest challenge organizations hope to solve in the coming years, and solving that security challenge is very likely to become the catalyst for growth in the API space.
JWT
- 2019-JWT Attack Handbook: How to Hack Your Token (JWT 攻击手册:如何入侵你的 Token): Not only can it let you forge any user and gain unlimited access, it may also lead to discovering further security vulnerabilities such as information disclosure, broken access control, SQLi, XSS, SSRF, RCE, LFI and more.
Passwords, Validation and Filtering | 密码、校验与过滤
- Password Rules Are Bullshit: Let this pledge be duly noted on the permanent record of the Internet. I don’t know if there’s an afterlife, but I’ll be finding out soon enough, and I plan to go out mad as hell.
XSS
- 2018-Practical Web Cache Poisoning: In this paper I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.
- 2018-How to Prevent XSS Attacks? (如何防止 XSS 攻击?): With the rapid growth of the Internet, information security has become one of the top concerns of enterprises, and the front end is a high-risk point of entry for enterprise security problems.
CSRF
SQLInjection
- 2017-NetSPI SQL Injection Wiki: This wiki's mission is to be a one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems (DBMS).
WebShell
DDOS
- A Brief Analysis of Large-Scale DDoS Defense Architecture: Handling Terabit-Scale Attacks (浅析大规模 DDOS 防御架构:应对 T 级攻防): Before discussing defense, a brief introduction to the various kinds of attacks, because DDoS is a category of attacks rather than a single attack. DDoS defense is a process that can be made relatively, but not absolutely, automated: many evolving attack methods cannot necessarily be recognized automatically and still need further judgment by human experts.
- 2018-DDoS Protection Lessons Learned After Being Scammed Out of Hundreds of Thousands (被骗几十万总结出来的 Ddos 攻击防护经验!): The main goal of a DDoS (Distributed Denial of Service) attack is to make the target unable to provide normal service, or even disappear from the Internet; it is one of the most powerful and hardest-to-defend attacks today. It is a world-class problem with no solution, only mitigation.