Top 23 Infosec Open-Source Projects

• routersploit

  11 11,870 5.4 Python

  Exploitation Framework for Embedded Devices

  

• spiderfoot

  19 11,723 6.6 Python

  SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• ffuf

  17 11,382 6.1 Go

  Fast web fuzzer written in Go

  

Project mention: Show HN: Pfuzz, a web fuzzer following the Unix philosophy | news.ycombinator.com | 2024-01-21

It seems to me like "fuzzing" has a different meaning in web application penetration testing. Here, "fuzzer" is a term for tools that just generate different request using wordlists, without adding any mutations. For example, the two popular web fuzzers ffuf [1] and wfuzz [2] also call themselves fuzzers.

I see how reusing a term for a different concept is bothersome, but I feel like "fuzzer" is the term that people learning about bug bounty hunting are familiar with.

[1] https://github.com/ffuf/ffuf

[2] https://wfuzz.readthedocs.io/en/latest/

• dirsearch

  12 11,213 7.9 Python

  Web path scanner

Project mention: Looking for some help with this Python package | /r/learnpython | 2023-08-19

I am new to Python. With the help of several users (thanks u/Diapolo10 and u/shiftybyte)I've been able to install Python and the dirsearch package. Dirsearch (https://github.com/maurosoria/dirsearch) allows for checking website paths with a wordlist. For example, I have a wordlist file with words like "dog", "cat", "bird", etc and I want to check the validity of those words as extensions on a website. Something like "example.com/bird", "example.com/cat", etc. I have a test wordlist in the same directory as dirsearch, but I am confused on how to proceed with the commands. I want to have it check my wordlist as extensions on the example.com website and then save output on if the webpath is valid or not. Just need a little bit of help.

• DVWA

  35 9,291 7.7 PHP

  Damn Vulnerable Web Application (DVWA)

Project mention: If you're looking for resources pertaining to hands-on practical demonstrations of learned skills and tools/techniques, look no further. | /r/Kalilinux | 2023-11-15

There's also a bunch of intentionally vulnerable Webapps and VMs aimed at demonstrating potential footholds and common exploits leading to owning of the host including but not limited to: bWAPP, Damn Vulnerable Web App, WebGoat, Metasploitable 3, Mutillidae, Juice Shop

• Wazuh

  151 9,161 10.0 C

  Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

  

Project mention: Exclude certain CIS (sca) rules from agents | /r/Wazuh | 2023-12-11

There is currently no feature for excluding specific SCA rules however this feature has been requested here and would be added to the roadmap for future releases.

• Red-Teaming-Toolkit

  3 8,491 5.9

  This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• nishang

  15 8,324 0.0 PowerShell

  Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

Project mention: PowerShell evasion | /r/AskNetsec | 2023-09-24

• rengine

  4 6,685 9.6 Python

  reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration and with the help of reNgine's correlation, it just makes recon effortless.

Project mention: Any self-host FOSS suites for running phishing testing campaigns? | /r/selfhosted | 2023-05-21

I couldn't find anything named reEngine, but I found reNgine ( https://yogeshojha.github.io/rengine/ ) which I think is what you meant.

• traitor

  17 6,491 0.0 Go

  :arrow_up: :skull_and_crossbones: :fire: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

Project mention: Traitor – Automatic Linux privesc via exploitation of low-hanging fruits | news.ycombinator.com | 2023-06-12

• cve

  13 6,062 9.7 HTML

  Gather and update all available and newest CVEs with their PoC.

  

Project mention: Strange subdomain found during nmap scan | /r/cybersecurity | 2023-12-06

Did you try using https://trickest.com?

• Awesome-WAF

  3 5,917 2.5 Python

  🔥 Web-application firewalls (WAFs) from security standpoint.

• hetty

  3 5,906 0.0 Go

  An HTTP toolkit for security research.

• bugbounty-cheatsheet

  3 5,555 0.0

  A list of interesting payloads, tips and tricks for bug bounty hunters.

• AllAboutBugBounty

  3 5,409 3.5

  All about bug bounty (bypasses, payloads, and etc)

Project mention: How I hacked chess.com with a rookie exploit | news.ycombinator.com | 2024-01-26

Yeah, pretty close: "On-site request forgery"[0]

[0] https://github.com/daffainfo/AllAboutBugBounty/blob/master/O...

• Infosec_Reference

  9 5,358 4.2 CSS

  An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.

• DefaultCreds-cheat-sheet

  2 5,269 7.4 Python

  One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

• awesome-shodan-queries

  3 5,032 0.0

  🔍 A collection of interesting, funny, and depressing search queries to plug into shodan.io 👩‍💻

• awesome-infosec

  16 4,966 0.0

  A curated list of awesome infosec courses and training resources.

Project mention: Ask HN: Guidance starting an infosec careeer from scratch | news.ycombinator.com | 2023-10-12

• awesome-security-hardening

  6 4,935 4.7

  A collection of awesome security hardening guides, tools and other resources

• Awesome-GPT-Agents

  2 4,692 8.8

  A curated list of GPT agents for cybersecurity

Project mention: Fr0gger/Awesome-GPT-Agents: A curated list of GPT agents for cybersecurity | news.ycombinator.com | 2023-11-18

• faraday

  8 4,615 5.0 Python

  Open Source Vulnerability Management Platform (by infobyte)

  

• can-i-take-over-xyz

  14 4,440 5.2 Python

  "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

• SaaSHub

  www.saashub.com sponsored

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

Infosec related posts

• Ronin: Free and Open Source Ruby Toolkit for Security Research and Development
  1 project | news.ycombinator.com | 19 Mar 2024
• Show HN: Toolkit for Reverse Engineers (indetectables-net)
  1 project | news.ycombinator.com | 1 Feb 2024
• Active Directory ACL Visualizer and Explorer
  1 project | news.ycombinator.com | 30 Jan 2024
• Show HN: Pfuzz, a web fuzzer following the Unix philosophy
  6 projects | news.ycombinator.com | 21 Jan 2024
• Show HN: Automatic security lookups from your clipboard
  1 project | news.ycombinator.com | 3 Jan 2024
• Fast web fuzzer written in Go
  1 project | news.ycombinator.com | 24 Dec 2023
• How to add a man page to your Ruby project, using kramdown-man and markdown
  2 projects | /r/ruby | 6 Dec 2023
• A note from our sponsor - SaaSHub
  www.saashub.com | 25 Apr 2024

  SaaSHub helps you find the best software and product alternatives Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com