
Web Security

28 sites


The Joy of Cryptography
https://joyofcryptography.com/
The Joy of Cryptography is a free online undergraduate textbook by Mike Rosulek, published by MIT Press, covering provable security from one-time pads and pseudorandomness through RSA, zero-knowledge proofs, and post-quantum cryptography. The first three chapters are available under a Creative Commons license, with the remaining chapters releasing in July 2026, making it an invaluable open resource for students and educators alike.
Resource 2026-03-12
It's a shampoo world anyway
https://shampoo.antville.org/
The personal weblog of Martin Johns (aka Maddin), a security researcher whose posts focus on web security topics including CSRF protection, XSS detection, DNS rebinding, Firefox extensions, and OWASP conference coverage. It offers a window into early-to-late 2000s browser security research, with references to tools like NoScript, LocalRodeo, noXSS, and XSSDS that Johns developed or contributed to.
Blog 2026-03-13
https://mfzx.net/
Maxwell S. Fritz's personal site covers their work and interests in cybersecurity, software engineering, telecommunications, and amateur radio, with a strong emphasis on privacy as a fundamental human right. Visitors will find links to projects, a directory, updates, and connections to webrings like The Hacker Webring and IndieWeb Webring.
Personal Page 2026-03-13
HOWTO bypass Internet Censorship, a tutorial on getting around filters and blocked ports
http://zensur.freerk.com/
Created by Freerk, this comprehensive tutorial covers dozens of techniques for bypassing internet censorship, including proxies, shell accounts, JAP, and circumventing blocked ports in schools, workplaces, and countries with restrictive filtering. It documents specific censorware products like NetNanny, WebSense, and DansGuardian, making it a rare and detailed reference for anyone facing restricted internet access.
Resource 2026-03-13
Anurag Agarwals' Threat Modeling Blog: Ajax Sniffer - Prrof of concept
http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html
Anurag Agarwal's threat modeling blog dives into real-world web security vulnerabilities, including this post presenting a working proof-of-concept Ajax sniffer that overrides XMLHttpRequest to intercept and exfiltrate data. The site covers topics like XSS, Ajax worms, SQL injection, clipboard theft, and secure SDLC integration, making it a valuable technical resource for security researchers and developers.
Blog 2026-03-13
The SQL Injection Knowledge Base
https://websec.ca/kb/sql_injection
A comprehensive reference covering SQL injection techniques across MySQL, MSSQL, Oracle, and other database platforms, with detailed cheat sheets for testing, exploitation, obfuscation, and prevention. The Knowledge Base is organized as a dense technical reference for security researchers and penetration testers, covering everything from basic injection testing to advanced topics like out-of-band channeling and password cracking.
Resource 2026-03-13
Home - Web Application Security Consortium
http://webappsec.org/projects/articles/071105.html
The Web Application Security Consortium (WASC) is a 501(c)(3) nonprofit bringing together international security experts to produce open-source best-practice standards for web application security. The site hosts technical documentation, security guidelines, threat classifications, a web hacking incidents database, and collaborative research projects used by developers, governments, and security professionals worldwide.
Organization 2026-03-13
Fight Back Against Spammers
https://spampoison.com/
SpamPoison is a community tool that has been trapping email-harvesting bots since 2003 by luring them into an infinite loop of dynamically generated fake email addresses on spammer-owned domains. Webmasters can join the fight by adding a simple link to their site, redirecting spam bots to poison traps that render their harvested lists commercially useless.
Resource 2026-03-13
Hacking The Interwebs
https://gnucitizen.org/blog/hacking-the-interwebs
GNUCITIZEN is a security research blog by pdp and collaborators, focused on exposing web vulnerabilities including UPnP exploitation, XSS attacks, and router reconfiguration weaknesses. This 2008 post details a serious design-level flaw allowing UPnP to be abused across the web without XSS, making it a compelling read for anyone interested in network security research.
Blog 2026-03-15
The Art of ARP Spoofing/Flooding/Poisoning | www.SecurityXploded.com
https://securityxploded.com/art-of-arp-spoofing.php
SecurityXploded is an information security research organization offering in-depth technical articles on topics like ARP spoofing, flooding, and poisoning alongside over 200 free security and password recovery tools. This particular article dives into network-layer attack techniques including MITM attacks and ARP cache manipulation, making it a valuable reference for security professionals and enthusiasts alike.
Resource 2026-03-15