Community & resources

~5 min · learn · practice · contribute

The short version. A hand-picked map of the resources worth your time: where to learn web and API security, the best free and legal places to practice, the wordlists and tooling that pull their weight, the bug-bounty platforms that pay, and how to extend Crusader or reach the team. Everything here is an established, reputable resource — no affiliate padding, no filler.

01 Learn web security

Start here if you're building the fundamentals or filling gaps. These are the references working hunters keep open in a tab — methodology, vulnerability classes, and the protocol details that decide whether an exploit lands.

  • OWASP Top 10 — the canonical shortlist of the most critical web app risks. The shared vocabulary for triage and reports; learn it before anything else.
  • OWASP Web Security Testing Guide (WSTG) — a thorough, test-by-test methodology. The closest thing to a complete checklist for assessing a web app end to end.
  • OWASP API Security Top 10 — APIs fail differently from rendered apps. This is the reference for BOLA/IDOR, broken auth, and the other risks that dominate modern API testing.
  • PortSwigger Web Security Academy — free, structured lessons paired with interactive labs (see below). The best on-ramp from theory to hands-on exploitation.
  • MDN HTTP docs — the authoritative reference for HTTP itself: methods, status codes, headers, caching, CORS. When you're staring at a raw request in Repeater, this explains what every line means.
  • HackTricks — a sprawling, practical knowledge base of techniques and payloads organized by service and scenario. Excellent for "I've found X, now what?"
  • PayloadsAllTheThings — a community-curated library of payloads and bypasses for nearly every vuln class. Pair it with Crusader's Intruder and Decoder when you need fresh test cases fast.

02 Practice legally

Skill comes from reps, but only on systems you're authorized to test. These targets are built to be attacked — they're deliberately vulnerable apps you run yourself or labs the host explicitly invites you into.

  • OWASP Juice Shop — a modern, intentionally insecure web app covering the full OWASP Top 10 with a gamified scoreboard. The default "learn by breaking" target.
  • DVWA (Damn Vulnerable Web Application) — a classic PHP/MySQL app with adjustable difficulty, ideal for drilling one vuln class at a time at low, medium, and high security settings.
  • PortSwigger labs — hundreds of free, hosted labs spanning every major vulnerability, each with a guaranteed exploitable solution. Route them through Crusader to practice your real toolchain, not just the in-browser one.

Crusader's Easy Mode lists sample targets you can launch directly — OWASP Juice Shop, Damn Vulnerable Bank, InsecureBankv2, and DIVA. They're linked (not bundled): pick one in Easy Mode's "Pick a test app" step to practice mobile interception on a legal, intentionally vulnerable app. See mobile cert-pinning bypass to get traffic flowing.

Wherever you practice, the rule is the same as on a live engagement: test only what you own or have explicit written authorization to test.

03 Wordlists & tooling

Good inputs make the difference between a fuzzing run that finds something and one that wastes a budget. These two are staples worth installing once and reaching for often.

  • SecLists — the standard collection of wordlists for discovery, fuzzing, and credential testing: usernames, passwords, parameter names, payloads, and more. Crusader's Intruder reads SecLists directly, so you can load a list and attack without any conversion.
  • ProjectDiscovery Interactsh — the open-source out-of-band interaction framework Crusader's Beacon speaks. Use it to catch blind SSRF, XXE, and other callbacks. To keep callbacks on infrastructure you control, see run your own private OAST server.

04 Bug bounty platforms

When you're ready to test real, in-scope targets for reward, these are the major platforms hosting public and private programs. Each defines its own scope, rules of engagement, and disclosure policy.

  • HackerOne — one of the largest bug-bounty and vulnerability-disclosure platforms, with a deep catalog of public programs to start on.
  • Bugcrowd — a long-running crowdsourced security platform running both bounty and disclosure programs across many industries.
  • Intigriti — a European-rooted bug-bounty platform with a strong slate of public and private programs.

Always stay in scope and follow each program's rules. The authorization to test comes from the program's policy and scope — anything outside it is not authorized, no matter how interesting the target.

05 Extend & contribute to Crusader

Crusader is built to be bent to your workflow. Plugins are JavaScript with hot reload, and most plugin capabilities are available on Free (sensitive ones are consent-gated). If you build something useful, share it.

  • Extension catalog — browse community extensions that add scanner checks, payload generators, custom editor tabs, and CLI verbs. Community plugins are free to install.
  • Plugin authoring guide — a hands-on walkthrough of writing, previewing, and shipping your first plugin: the registration hooks, the host API, and the capability manifest.
  • Affiliate program — if you teach, stream, or write about Crusader, the affiliate program is how to earn from the audience you send our way.

06 Get help

Stuck, or want a guide that isn't written yet? The fastest paths to an answer:

  • hello@crusaderproxy.com — email the team directly. No account or support tier required; we read every message.
  • The full documentation — every published guide in one place, from your first capture to MCP, mobile, and team workflows.
  • The bug-hunting workflow — how the pieces fit together on a real engagement: capture, scope, scan, replay, and report.

Next

Want a guide that isn't here yet? Email hello@crusaderproxy.com.