Personal knowledge base and tooling for AppSec / pentest work — cheatsheets, payloads, scripts, and bundled third-party tools.

⚠️ Authorized testing only. Materials in this repository are intended for security testing on systems you own or have written authorization to test, education, AppSec research, and CTF competitions. See DISCLAIMER.md.

| Directory | Purpose |
|---|---|
| cheatsheets/ | Tool cheatsheets — nmap, ffuf, curl, hydra, find, chisel, nginx, scan, png-analyze |
| recon/ | Service enumeration (FTP, SMB, NFS, DNS, SMTP, SNMP, IMAP, MySQL, MSSQL, IPMI, SSH, RDP, WinRM) |
| web/ | Web-application vulnerabilities — XSS, SQLi, XXE, LFI/RFI, IDOR, HTTP verb tampering, JWT, OAuth/SAML, request smuggling, prototype pollution, deserialization, checklist |
| api/ | REST + gRPC pentest, OWASP API Top 10 (2023) |
| mobile/ | Android, iOS, Frida/objection, TLS pinning bypass |
| cloud/ | AWS, GCP, Azure, cross-provider cloud-metadata SSRF |
| containers-k8s/ | Docker escape paths, Kubernetes attack paths, image scanning (Trivy/Grype/Syft) |
| cicd-supply-chain/ | GitHub Actions, Poisoned Pipeline Execution, dependency confusion, SBOM & Sigstore |
| ad-infrastructure/ | Active Directory enumeration, Kerberos, lateral movement |
| llm-security/ | Prompt injection, OWASP Top 10 for LLM Applications (2025) |
| post-exploitation/ | Reverse shells & TTY upgrade |
| payloads/ | Drop-in payloads — XSS, CSRF, SSRF, CSV-injection, PDF |
| scripts/ | Python helpers with argparse and proper error handling |
| server-uploads/ | Helper binaries to drop on a target — chisel, linpeas, pspy64 + SHA256SUMS |
| tools/ | Bundled third-party tools (offline copies) — see tools/README.md |

- Temp email
- CyberChef
- JWT.io
- Request bin
- Revshellgenerator
- SecLists
- PayloadsAllTheThings
- ChatGPT
- CVE archive
- Exploit DB
- Snyk DB
- OWASP WSTG ENG
- OWASP WSTG RUS
- OWASP ASVS RUS
- OWASP MASTG (Mobile)
- OWASP API Security Top 10 (2023)
- OWASP Top 10 for LLM Applications (2025)
- OWASP Top 10 CI/CD Security Risks
- HackTricks
- MITRE ATT&CK
- MITRE ATLAS (AI/ML)
- CodeBy Forum

Bundled third-party tools live under tools/. Each one is kept in-repo for offline use; the tools/README.md index links every tool to its upstream and documents how to refresh.

- License: MIT — applies to original content in this repository. Bundled third-party tools retain their upstream licenses.
- Disclaimer: DISCLAIMER.md — authorization, legal scope, responsibility.
- Contributing: CONTRIBUTING.md — cheatsheet format, naming convention, sources requirement.

