I’ve got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work. Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone. Enjoy!

SSL / TLS / HTTPS

Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost Firesheep – A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked Qualys SSL Labs – Tests a variety of attributes of the SSL implementation by pointing it at any URL CloudFlare – Get SSL for free on any website Let’s Encrypt – It’s coming, and it promises to fix the current mess that is CAs and configuring certs Betsy’s free wifi – Shows a young girl standing up a rogue wifi hot spot Chromium HSTS preload list – All the sites submitted for HTTP strict transport security preload (a depressingly small number of them) HTTP Shaming – Sensitive data sent insecurely? Name and shame!

DDoS

Krista’s professional DDoS service – Video of an innocent teenager promoting a DDoS service Norse – Totally awesome real time map of DDoS attacks that’s absolutely mesmerising to watch Booter promotional video – Very professional advert for a “booter” service (complete with “Epic DDoS interface”) networkstresser.com – Example of a DDoS service… protected by CloudFlare… the world’s largest provider of DDoS defences…

SQL injection

sqlmap – The tool for mounting SQL injection attacks tests against a running site Drupal 7 SQL injection flaw of 2014 – great example of how impactful it still is (patch it within 7 hours or you’re owned) Ethical Hacking: SQL Injection – If you really want to go deep, here’s five and a half hours worth of Pluralsight content

XSS

XSSposed – List of sites found to be vulnerable to XSS (including attack vector) Dutch banks doing the Harlem Shake – Video collage of a number of Dutch banks with XSS risks being made to do the Harlem Shake via a script reflected from the URL XSS Filter Evasion Cheat Sheet – Because XSS payload filtering is almost always insufficient </xssed> – Heaps of XSS news and lists of vulnerabilities

Security scanners

NetSparker – My favourite dynamic analysis tool due to ease of use and practicality (especially good for developers who may not live in security land) OWASP Zed Attack Proxy (ZAP) – Great tool for dynamic analysis security testing and has a whole raft of other users too (oh – and it’s free!) Burp Suite – Seriously powerful with a heap of different tools and a freebie version to get you started Fiddler – Not a security tool per se, but I use it extensively to inspect website behaviour, tamper with requests and modify responses on the wire Acunetix – Popular dynamic analysis tool similar to NetSparker but is let down a bit in the usability stakes IMHO Nikto2 – Freebie open source app scanner sponsored by NetSparker

Exploit databases and breach coverage

seclists.org – Heaps of exploits consolidated from various bug tracking lists Exploit Database – Very comprehensive list of vulnerabilities PunkSPIDER – Lots of vulnerabilities of all kinds all over the web (about 90M sites scanned with over 3M vulns at present) Data Loss DB – Good list of breaches including stats on number of records compromised Information is Beautiful: World’s Biggest Data Breaches – Fantastic visualisation of incidents that give a great indication of scale

Cracking software

Hashcat – The tools for cracking hashed passwords; totally free with a great supportive community John the Ripper – Also top notch password cracking software with some different approaches to Hashcat RainbowCrack – Rainbow tables are becoming less relevant in the era of fast GPUs and tools like Hashcat, but it’s worth a mention anyway Aircrack-ng – For all your 802.11 WEP and WPA-PSK key cracking needs

Hacking and penetration testing tools

Metasploit – The canonical pen testing tool; seriously advanced and enormously powerful BeEF – The Browser Exploitation Framework offering remote control over a target’s browsing session Kali Linux – All your pen testing bits in one image! Backtrack-linux – Fallen out of favour a bit as Kali has emerged, but still deserves a mention Nmap – For all your mapping of network things needs Wireshark – When you need to down to monitoring at the packet level

Vulnerability definitions

The OWASP Top 10 Web Application Security Risks – The canonical categorisation of the top risks on the web today SANS 20 Critical Security Controls – Great consolidation of security controls presented in an easily consumable fashion

Security headers

Fiddler extension for CSP – Massively streamlines your creation of a CSP by building the policy as you browse SecurityHeaders.io – Everything security header related and a great place to assess your current state Report URI – Analyse your CSP and HPKP headers plus log your exception reports there Make any website do the Harlem Shake – if you can run this in the console against a website, they almost certainly don’t have a CSP prohibiting arbitrary content from being loaded into the site

Passwords

OWASP Password Storage Cheat Sheet – There are plenty of bad ways of doing it, this is a great resource documenting the good ways Jimmy Kimmel “What is your password” – video of interviewing people and engineering them into disclosing their password Diceware – A popular method of creating strong pass phrases suitable for use as a password

Password managers

1Password – Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms LastPass – A web based password manager (albeit with rich clients as well), one of the big players in password managers KeePass – A popular free alternative to commercial password managers

Account management

Adult Friend Finder password reset – Enumeration done wrong; initiate a password reset for any email address and be told if they’re a member of a highly personal site Entropay password reset – A great example of not disclosing the existence of an account (try resetting an account that isn’t registered on their system) Botnet brute force attack against GitHub – I regularly use this as an example of how hard it can be to defend against brute force

Personal security

F-Secure’s Freedome – My VPN of choice with lots of exit nodes around the world and a promise of no logging mycreditfile.com.au – This is an Aussie version so do find one local to you if you’re not down under, but identity protection and credit alerts is a “must have” today IMHO

Googledorks

Google Hacking Database – Great collection of Googledorks categorised by various classes of exposed data Google Hacking for Penetration Testers – In case you prefer books over web pages

Other tools and links

Security statistics reports

Verizon Data Breach Investigations Report – The annual DBIR is based on real world security incidents and is a great resource for evidence-based security metrics WhiteHat Security Statistics Report – Based on findings in the websites they monitor with their security products so another good evidence-based report Trustwave Global Security Report – Another annual report driven from real world investigations (plus they use the terms “threat intelligence”, “seedy criminal underground” and “data defender” so you know it’ll be good!) Websence Threat Report – Created by Websense Security Labs, a fairly high level overview of the threat landscape HP Cyber Risk Report – More cyber, more statistics, more reports

Noteworthy books

We are Anonymous – Still one of my favourite security books, a look inside Lulzsec and how it all unravelled Ghost in the Wires – The story of Kevin Mitnick’s early days and an absolutely fascinating read Data and Goliath – Just because you’re paranoid doesn't mean they’re not after you! Excellent read on data collection by Bruce Schneier

Other things you should be reading

What Every Programmer Absolutely, Positively Needs To Know About Encodings And Character Sets To Work With Text – Because encoding is one of those things you just need to know

Awesome people you want to read and follow

What did I miss?

Lots. Leave your favourites in the comments, I’d love to see them!