Tools to work with android .dex and java .class files

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

JNDI注入测试工具（A tool which generates JNDI links can start several servers to exploit JNDI Injection vulnerability,like Jackson,Fastjson,etc）

APIKit：Discovery, Scan and Audit APIs Toolkit All In One.

Burp Bounty (Scan Check Builder in BApp Store) is a extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules thro…

The new bridge between Burp Suite and Frida!

An Android library that prevents your app from being pirated / cracked using Google Play Licensing (LVL), APK signature protection and more. API 14+ required.

TCP/UDP Non-HTTP Proxy Extension (NoPE) for Burp Suite.

HackBar plugin for Burpsuite

latest version of scanners for IIS short filename (8.3) disclosure vulnerability

Nuclei plugin for BurpSuite

Fiora：漏洞PoC框架Nuclei的图形版。快捷搜索PoC、一键运行Nuclei。即可作为独立程序运行，也可作为burp插件使用。

Burp plugin able to find reflected XSS on page in real-time while browsing on site

DIVA Android - Damn Insecure and vulnerable App for Android

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques

Oversecured Vulnerable Android App

J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.

Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. This provides an interface to assess your android application security hacking skills.

Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans

Sample codes written for the Hackers to Hackers Conference magazine 2017 (H2HC).

Security profiling for blackbox Android

Research on GraphQL from an AppSec point of view.

Collection of bypass gadgets to extend and wrap ysoserial payloads

Add headers to all Burp requests to bypass some WAF products