A curated list of awesome articles, papers, presentations, practices and blog posts from independent security researchers, students, vendors and others. There are plenty of resources available on the internet from conferences, universities and vendors; those listed below are the ones I have read (probably recently), enjoyed and, of course, remembered!
All the contents of this list are public and mostly free. Use them for educational purposes only.
2019 - Acunetix - A Fresh Look On Reverse Proxy Related Attacks
2021 - Alex Birsan - Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
2021 - Assetnote - A glossary of blind SSRF chains
2019 - Asif Durani - Remote Command Execution with EL Injection Vulnerabilities
2017 - Auth0 - JWT Handbook
2020 - Brisk Infosec - Host header attack
2020 - Bishop Fox - An exploration of JSON interoperability vulnerabilities
2018 - Carnegie Mellon - Threat Modeling: 12 available methods
2022 - Claroty - {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
2020 - Cobalt Strike - A pentester's guide to Server Side Template Injection - SSTI
2019 - CPDoS - CPDoS: cache poisoned denial of service
2023 - Cybervelia - GraphQL exploitation - all you need to know
2017 - F5 - NGINX Cookbook (part 2): Advanced recipes for security
2018 - F5 - Abusing Googlebot services to deliver crypto-mining malware
2020 - F5 - Turing in his grave: what human CAPTCHA solvers reveal about control design
2021 - Flyio - API Tokens: a tedious survey
2019 - Google - How effective is basic account hygiene at preventing hijacking
2022 - Hacktricks - Hop-by-hop headers
2018 - Hackernoon - 10 common security gotchas in Python and how to avoid them
2021 - Hiroki Suezawa - Attacking and Securing CI/CD Pipeline
2021 - Intruder.io - Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
2019 - JSSEC - Android application secure design/secure coding guidebook
2017 - Joao Matos - An overview of deserialization vulnerabilities in Java Virtual Machine (JVM)
2017 - Joao Matos - Um overview sobre as bases das falhas de desserialização nativa na JVM
2008 - LearnJSF - Securing JSF against the OWASP Top Ten
2023 - Malicious Group - From Akamai to F5 to NTLM
2018 - Microsoft - Learn how to add continuous security validation to your CI/CD pipeline
2017 - NCCGroup - Request encoding to bypass web application firewall
2019 - NCCGroup - Common Security Issues in Financially-Oriented Web Applications
2021 - NCCGroup - SAML XML Injection
2019 - Nordic APIS - Everything you need to know about API rate limiting
2017 - Orange Tsai - A new era of SSRF - exploiting URL parser in trending programming languages!
2018 - Orange Tsai - Breaking parser logic!
2024 - Orange Tsai - Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
2022 - Payatu - Prototype pollution 101
2016 - Peking University - Targeted online password guessing: an underestimated threat
2021 - Podalirius - Python Vulnerabilities: code execution in Jinja Templates
2017 - PortSwigger - Cracking the lens: targeting HTTP's hidden attack-surface
2018 - PortSwigger - Practical web cache poisoning
2021 - PortSwigger - Hidden OAuth attack vectors
2022 - PortSwigger - Making HTTP header injection critical via response queue poisoning
2016 - Prabath Siriwardena - JWT, JWS and JWE for Not So Dummies! (Part I)
2023 - Praetorian - Refresh: compromising F5 BIG-IP with Request Smuggling | CVE-2023-46747
2012 - SafeCODE - Practical security stories for Agile development environments
2016 - Sec-1 - Hunting postMessage vulnerabilities
2022 - Somdev Sangwan - Bypassing Modsecurity for RCEs
2013 - SkeletonScribe - Practical HTTP Host header attacks
2022 - Synack - Exploits Explained: 5 Unusual Authentication Bypass Techniques
2013 - Synacktiv - JSF ViewState upside-down
2020 - Telekom Security - Smuggling HTTP headers through reverse proxies
2020 - Tempest Security - HTML to PDF converters, can I hack them?
2017 - Wallarm - SSRF bible
2019 - Zeddyu - Help you understand HTTP Smuggling in one article
2023 - Cloudflare - Technical Breakdown: HTTP/2 rapid reset DDoS attack CVE-2023-44487
2020 - Plextrac - Writing a killer penetration test report
2020 - SANS - The ultimate list of SANS cheatsheet
2022 - SEC Consult - Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style
2023 - Unit42 - DNS tuning in the wild
2016 - Adsecurity.org - Attack methods for gaining Domain Admin rights in Active Directory
2018 - Adsecurity.org - Unofficial guide to Mimikatz & command reference
2020 - CERT-FR - Active Directory security assessment checklist
2021 - Eloy Gonzales - Attacking Active Directory: 0 to 0.9
2017 - Harmj0y - Pass-the-Hash is dead: long live LocalAccountTokenFilterPolicy
2020 - Infosecmatter - Top 16 Active Directory vulnerabilities
2020 - Microsoft - Security Documentation
2020 - Positive Technologies - Attacking MS Exchange web interfaces
2019 - Shellz.club - Pass-the-Hash with RDP in 2019
2019 - ANSSI - Configuration recommendation of a GNU/Linux System
2016 - Amazon - AWS Security best practices
2021 - Astra - Complete Guide on AWS Security Audit
2020 - Gitlab - Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments
2022 - Gitlab - Terraform as part of software supply chain - part 1 - modules and providers
2022 - NCCGroup - A Guide to improving security through Infrastructure-as-Code
2020 - Microsoft - Security Documentation
2024 - Plerion Blog - Hacking Terraform State for Privilege Escalation
2023 - Prime Harbor - Introduction to Offensive Operations in AWS
2021 - SANS - Practical Guide to Security in the AWS Cloud
2021 - SideChannel - Enumerating Services in AWS Accounts in an Anonymous and Unauthenticated Manner
2019 - Trend Micro - Why running a privileged container in docker is a bad idea