A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
pop3ret 4b4a630085
Changed summary and chapters
Changed summary to include the cheatsheet and also changed the format of the cheatsheet to be the same as the original file
2022-10-09 16:01:14 -03:00
_LEARNING_AND_SOCIALS Moving learning resources into a specific folder 2022-09-03 16:17:23 +02:00
_template_vuln SAML exploitation + ASREP roasting + Kerbrute 2019-03-24 13:16:23 +01:00
.github Shadow Credentials 2022-08-05 12:00:41 +02:00
Account Takeover Added 2FA bypass via Force Browsing on Account Takeover branch 2022-10-05 17:42:01 +06:00
API Key Leaks Api Key Leaks: Add Trivy to tools section 2022-10-01 17:20:51 +02:00
Argument Injection Fix links 2022-10-06 17:55:16 +02:00
AWS Amazon Bucket S3 Update README.md 2021-11-23 14:04:53 -03:00
Command Injection Added portswigger labs and reference 2022-10-05 12:50:10 +05:30
CORS Misconfiguration update 2022-10-01 19:56:49 +00:00
CRLF Injection update 2022-10-01 19:56:49 +00:00
CSRF Injection update 2022-10-01 19:56:49 +00:00
CSV Injection Updating Reference section hyperlinks 2022-08-15 11:15:33 +05:30
CVE Exploits CVE Exploit: Add trickest CVE repo 2022-10-03 17:51:39 +02:00
Dependency Confusion Windows Management Instrumentation Event Subscription 2022-04-24 15:01:18 +02:00
Directory Traversal Update 2022-10-02 06:13:01 +00:00
DNS Rebinding Add DNS rebinding 2021-10-27 16:19:56 -04:00
File Inclusion LFI2RCE - Picture Compression - SOCKS5 CS 2022-08-21 16:38:54 +02:00
GraphQL Injection DPAPI - Data Protection API 2022-09-23 00:35:34 +02:00
HTTP Parameter Pollution fix: Fix spelling 2022-08-09 11:02:21 +02:00
Insecure Deserialization Update YAML.md 2022-10-05 13:47:24 +02:00
Insecure Direct Object References Update 2022-10-02 06:13:01 +00:00
Insecure Management Interface Add Springboot Actuator RCE 2020-10-28 12:05:12 -04:00
Insecure Source Code Management ESC9 - No Security Extension 2022-09-03 12:07:24 +02:00
Java RMI Java RMI: Add remote-method-guesser to tools 2022-10-01 22:04:49 +02:00
JSON Web Token Update 2022-10-02 06:13:01 +00:00
Kubernetes fix: Fix spelling 2022-08-09 11:02:21 +02:00
LaTeX Injection LaTeX Injection catcode 2022-02-22 15:57:04 +01:00
LDAP Injection Dependency Confusion + LDAP 2021-07-04 13:32:32 +02:00
Methodology and Resources Changed summary and chapters 2022-10-09 16:01:14 -03:00
NoSQL Injection Blind NoSQL scripts 2022-09-23 00:36:41 +02:00
OAuth Update 2022-10-02 06:13:01 +00:00
Open Redirect Update 2022-10-02 06:13:01 +00:00
Race Condition fix: Fix spelling 2022-08-09 11:02:21 +02:00
Request Smuggling add simple http smuggler generator for easiest manually exploitation 2022-09-16 02:30:57 +03:00
SAML Injection Add ZAP Addon in Tools 2022-05-01 00:47:18 +09:00
Server Side Request Forgery Update 2022-10-02 06:13:01 +00:00
Server Side Template Injection Blind SSTI Jinja 2022-10-02 12:24:39 +02:00
SQL Injection Update 2022-10-02 06:13:01 +00:00
Tabnabbing Fix typos 2020-12-13 04:34:10 +11:00
Type Juggling Fixing TGS/ST 2022-09-06 10:03:49 +02:00
Upload Insecure Files Zip Slip: Add slipit to tools 2022-10-03 18:19:28 +02:00
Web Cache Deception Update 2022-10-02 06:13:01 +00:00
Web Sockets Update 2022-10-02 06:13:01 +00:00
XPATH Injection Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00
XSLT Injection fix: Fix spelling 2022-08-09 11:02:21 +02:00
XSS Injection Update XSS_Polyglots.txt 2022-10-05 09:45:15 +00:00
XXE Injection Add reference 2022-10-05 10:20:05 +02:00
.gitignore YAML Deserialization 2022-09-16 16:37:40 +02:00
CONTRIBUTING.md PR Guidelines + User Hunting + HopLa Configuration 2022-06-30 16:33:35 +02:00
LICENSE Create License 2019-05-25 16:27:35 +02:00
README.md Blind SSTI Jinja 2022-10-02 12:24:39 +02:00

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve it with your own payloads and techniques!
I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or by using the sponsor button.

An alternative display version is available at PayloadsAllTheThingsWeb.

📖 Documentation

Every section contains the following files. You can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it, including several payloads
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder:

Want more? Check the Books and YouTube videos selections.

👨‍💻 Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution! ❤️

🧙‍♂️ Sponsors

This project is proudly sponsored by these companies.