
Exploiting / Pwn

Tools used for solving Pwn challenges

  • afl - Security-oriented fuzzer.
  • honggfuzz - Security-oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage.
  • libformatstr - Simplify format string exploitation.
  • One_gadget - Tool for finding one gadget RCE.
  • Pwntools - CTF framework for writing exploits.
  • ROPgadget - Framework for ROP exploitation.
  • Ropper - Display information about files in different file formats and find gadgets to build ROP chains for different architectures.
  • Shellcodes Database - A massive shellcodes database.
  • Arachni - Web Application Security Scanner Framework.
  • Beautifier.io - Online JavaScript Beautifier.
  • BurpSuite - A graphical tool for testing website security.
  • Commix - Automated All-in-One OS Command Injection Exploitation Tool.
  • debugHunter - Discover hidden debugging parameters and uncover web application secrets.
  • Dirhunt - Find web directories without bruteforce.
  • dirsearch - Web path scanner.
  • nomore403 - Tool to bypass 40x errors.
  • ffuf - Fast web fuzzer written in Go.
  • git-dumper - A tool to dump a git repository from a website.
  • Gopherus - Tool that generates gopher links for exploiting SSRF and gaining RCE in various servers.
  • Hookbin - Free service that enables you to collect, parse, and view HTTP requests.
  • JSFiddle - Test your JavaScript, CSS, HTML or CoffeeScript online with JSFiddle code editor.
  • ngrok - Secure introspectable tunnels to localhost.
  • OWASP ZAP - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses.
  • PHPGGC - Library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
  • Postman - Add-on for Chrome for debugging network requests.
  • REQBIN - Online REST & SOAP API Testing Tool.
  • Request Bin - A modern request bin to inspect any event by Pipedream.
  • Revelo - Analyze obfuscated JavaScript code.
  • Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python3.
  • SQLMap - Automatic SQL injection and database takeover tool.
  • W3af - Web application attack and audit framework.
  • XSSer - Automated XSS tester.
  • ysoserial - Tool for generating payloads that exploit unsafe Java object deserialization.