mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 10:26:09 +00:00

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

bounty bugbounty bypass cheatsheet enumeration hacking hacktoberfest methodology payload payloads penetration-testing pentest privilege-escalation redteam security vulnerability web-application

Go to file

Vunnm 273da9e1b5 Add JSON simple with form Add JSON simple paylaod with autosubmit form. Using autosubmit form instead of AJax, allow to bypass some protection like the Standard Enhanced Tracking Protection in Firfefox, which will refuse to send cookie with cross-site Ajax request (tested with Firefox 115.0.2esr),.		2023-08-05 14:39:33 +02:00
_LEARNING_AND_SOCIALS	Update BOOKS.md	2023-07-18 11:16:36 +03:00
_template_vuln	SAML exploitation + ASREP roasting + Kerbrute	2019-03-24 13:16:23 +01:00
.github	Web Theme + Credential Guard + PPL	2023-03-10 22:14:22 +01:00
Account Takeover	Formatting changes	2023-01-04 21:06:36 +05:30
API Key Leaks	AWS Key Patterns	2023-06-22 19:03:06 +02:00
Argument Injection	Update README.md	2022-10-11 18:49:17 +02:00
AWS Amazon Bucket S3	fix: broken link on AWS Amazon Bucket S3 page	2023-07-26 15:09:56 +03:00
Business Logic Errors	Business Logic Errors + Mass Assignment	2023-07-09 13:01:03 +02:00
CICD	Prototype Pollution	2023-07-07 23:10:33 +02:00
Command Injection	Update README.md	2022-11-06 12:28:26 +01:00
CORS Misconfiguration	SOCKS Compatibility Table + CORS	2023-01-05 01:50:11 +01:00
CRLF Injection	Business Logic Errors + Mass Assignment	2023-07-09 13:01:03 +02:00
CSRF Injection	Add JSON simple with form	2023-08-05 14:39:33 +02:00
CSV Injection	Normalize Titles	2022-10-12 12:13:55 +02:00
CVE Exploits	Normalize Titles	2022-10-12 12:13:55 +02:00
Dependency Confusion	Windows Management Instrumentation Event Subscription	2022-04-24 15:01:18 +02:00
Directory Traversal	Normalize Titles	2022-10-12 12:13:55 +02:00
DNS Rebinding	DOM Clobbering	2023-06-10 20:08:23 +02:00
Dom Clobbering	DOM Clobbering	2023-06-10 20:08:23 +02:00
File Inclusion	Fix path with sessionS with an S for php	2023-04-11 17:08:57 +02:00
GraphQL Injection	GraphQL Batching Attacks	2023-05-15 19:23:07 +02:00
HTTP Parameter Pollution	Prototype Pollution	2023-07-07 23:10:33 +02:00
Insecure Deserialization	fix rawsec url	2023-01-11 23:19:26 +01:00
Insecure Direct Object References	Business Logic Errors + Mass Assignment	2023-07-09 13:01:03 +02:00
Insecure Management Interface	Normalize Titles	2022-10-12 12:13:55 +02:00
Insecure Randomness	Insecure Randomness	2022-10-17 11:07:33 +02:00
Insecure Source Code Management	Normalize Titles	2022-10-12 12:13:55 +02:00
Java RMI	Update README.md	2022-10-12 20:35:32 +02:00
JSON Web Token	JWT jku and jwks - manual exploitation	2023-03-12 18:02:29 +01:00
Kubernetes	update link URL	2022-10-24 12:28:31 -05:00
LaTeX Injection	Update README.md	2023-06-29 10:19:14 +00:00
LDAP Injection	Normalize Titles	2022-10-12 12:13:55 +02:00
Mass Assignment	Business Logic Errors + Mass Assignment	2023-07-09 13:01:03 +02:00
Methodology and Resources	More details on NetNTLMv1 + typos	2023-07-25 11:31:35 +02:00
NoSQL Injection	Normalize Titles	2022-10-12 12:13:55 +02:00
OAuth Misconfiguration	Business Logic Errors + Mass Assignment	2023-07-09 13:01:03 +02:00
Open Redirect	Open Redirect + SSI Injection	2023-07-08 10:09:59 +02:00
Prompt Injection	Error Based XXE - Local DTD	2023-07-18 18:23:34 +02:00
Prototype Pollution	Prototype Pollution	2023-07-07 23:10:33 +02:00
Race Condition	fix: Fix spelling	2022-08-09 11:02:21 +02:00
Request Smuggling	update old url's	2022-10-26 20:36:15 -05:00
SAML Injection	Add ZAP Addon in Tools	2022-05-01 00:47:18 +09:00
Server Side Include Injection	Open Redirect + SSI Injection	2023-07-08 10:09:59 +02:00
Server Side Request Forgery	Merge pull request #651 from JLLeitschuh/patch-3	2023-06-29 10:59:10 +02:00
Server Side Template Injection	Update README.md	2023-06-07 14:15:07 +08:00
SQL Injection	Update SQLite Injection.md	2023-07-16 23:44:00 +08:00
Tabnabbing	Fix typos	2020-12-13 04:34:10 +11:00
Type Juggling	AWS Key Patterns	2023-06-22 19:03:06 +02:00
Upload Insecure Files	Update README.md	2023-04-09 12:35:43 -04:00
Web Cache Deception	Open Redirect + SSI Injection	2023-07-08 10:09:59 +02:00
Web Sockets	Fix typo	2023-07-18 22:19:29 +02:00
XPATH Injection	Normalize Titles	2022-10-12 12:13:55 +02:00
XSLT Injection	fix: Fix spelling	2022-08-09 11:02:21 +02:00
XSS Injection	WDAC Policy Removal + SSRF domains	2023-05-31 14:18:25 +02:00
XXE Injection	Error Based XXE - Local DTD	2023-07-18 18:23:34 +02:00
.gitignore	YAML Deserialization	2022-09-16 16:37:40 +02:00
CONTRIBUTING.md	PR Guidelines + User Hunting + HopLa Configuration	2022-06-30 16:33:35 +02:00
custom.css	Fix responsive - rollback - FF was glitching	2023-03-11 00:11:27 +01:00
LICENSE	Create License	2019-05-25 16:27:35 +02:00
mkdocs.yml	Web Theme + Credential Guard + PPL	2023-03-10 22:14:22 +01:00
README.md	Fix responsive display on PATT Web	2023-03-10 23:20:39 +01:00

README.md

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques !
I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button

An alternative display version is available at PayloadsAllTheThingsWeb.

📖 Documentation

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

README.md - vulnerability description and how to exploit it, including several payloads
Intruder - a set of files to give to Burp Intruder
Images - pictures for the README.md
Files - some files referenced in the README.md

You might also like the Methodology and Resources folder :

Methodology and Resources

You want more ? Check the Books and Youtube videos selections.

👨‍💻 Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution! ❤️

🧙‍♂️ Sponsors

This project is proudly sponsored by these companies.