Exploiting & Scanning
XSS
| Name | Link |
| XSS-Radar | https://github.com/bugbountyforum/XSS-Radar |
| XSSHunter | https://github.com/mandatoryprogrammer/xsshunter |
| xsshunter_client | https://github.com/mandatoryprogrammer/xsshunter_client |
| domxssscanner | https://github.com/yaph/domxssscanner |
| XSSer | https://github.com/epsylon/xsser |
| BruteXSS | https://github.com/rajeshmajumdar/BruteXSS |
| XSStrike | https://github.com/UltimateHackers/XSStrike |
| XSS'OR | http://xssor.io/ |
SQLi
| Name | Link |
| sqlmap | http://sqlmap.org/ |
XXE
| Name | Link |
| oxml_xxe | https://github.com/BuffaloWill/oxml_xxe/ |
| XXE Injector | https://github.com/enjoiz/XXEinjector |
SSRF
| Name | Link |
| ssrfDetector | https://github.com/JacobReynolds/ssrfDetector |
| ground-control | https://github.com/jobertabma/ground-control |
SSTI
| Name | Link |
| tplmap | https://github.com/epinna/tplmap |
LFI
| Name | Link |
| LFISuit | https://github.com/D35m0nd142/LFISuite |
File upload
| Name | Link |
| gen_xbin_avi | https://github.com/neex/ffmpeg-avi-m3u-xbin/ |
Exposed Git/SVN directory
| Name | Link |
| GitTools | https://github.com/internetwache/GitTools |
| dvcs-ripper | https://github.com/kost/dvcs-ripper |
Subdomain takeover
| Name | Link |
| tko-subs | https://github.com/anshumanbh/tko-subs |
| HostileSubBruteforcer | https://github.com/nahamsec/HostileSubBruteforcer |
| second-order | https://github.com/mhmdiaa/second-order |
Race conditions
| Name | Link |
| Race the Web | https://github.com/insp3ctre/race-the-web |
CORS misconfiguration
| Name | Link |
| CORStest | https://github.com/RUB-NDS/CORStest |
Struts
| Name | Link |
| RCE struts-pwn | https://github.com/mazen160/struts-pwn |
Serialization
| Name | Link |
| ysoserial | https://github.com/GoSecure/ysoserial |
| PHPGGC | https://github.com/ambionics/phpggc |
Known vulnerable software
| Name | Link |
| retire-js | https://github.com/RetireJS/retire.js |
| getsploit | https://github.com/vulnersCom/getsploit |
| Findsploit | https://github.com/1N3/Findsploit |
Default/config files
| Name | Link |
| bfac | https://github.com/mazen160/bfac |
CMS
| Name | Link |
| WPScan | https://wpscan.org/ |
| CMSMap | https://github.com/Dionach/CMSmap |
| joomscan | https://github.com/rezasp/joomscan |
JWT
| Name | Link |
| The JSON Web Token Toolkit | https://github.com/ticarpi/jwt_tool |