A list of useful payloads and bypass for Web Application Security and Pentest/CTF
-
Updated
Jun 19, 2026 - Python
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Web path scanner
The recursive internet scanner for hackers. 🧡
OneForAll是一款功能强大的子域收集工具
One place for all the default credentials to assist the Blue/Red teamers identifying devices with default password 🛡️
Scanning APK file for URIs, endpoints & secrets.
A curated list of bugbounty writeups (Bug type wise) , inspired from https://github.com/ngalongc/bug-bounty-reference
Automated All-in-One OS Command Injection Exploitation Tool
Knock Subdomain Scan
💀 Generate malicious PDF test files for testing phone-home callbacks, SSRF, XSS, NTLM credential theft, and data exfiltration in PDF viewers, converters, and web applications. Can be used with Burp Collaborator or Interact.sh
pagodo (Passive Google Dork) - Automate Google Hacking Database scraping and searching
Automated NoSQL database enumeration and web application exploitation tool.
A collection of custom security tools for quick needs.
Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
A Claude Code skill bundle for bug hunting and external red-team work — 71 skills, 15 slash commands, 681 disclosed-report patterns curated across 24 core vulnerability classes, plus enterprise identity + infrastructure attack matrices.
Flutter Reverse Engineering Framework
gitGraber: monitor GitHub to search and find sensitive data in real time for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe...
A tool to find subdomains and interesting things hidden inside, external Javascript files of page, folder, and Github.