A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Go to file
FatEarthler 975dde665a
added 'xss_alert_identifiable.txt'
same as 'xss_alert.txt', but with identifiable payloads (e.g. alert(1992) instead of just alert(1)). This is useful in case of stored xss, when you inject all the payloads and then need to identify which payloads were successful.
2024-09-14 22:14:45 +02:00
_LEARNING_AND_SOCIALS Update Books References 2023-10-12 10:22:37 +02:00
_template_vuln Fix uppercase links and anchor 2024-09-13 22:43:18 +02:00
.github Randomness mt_rand + Analytics 2024-09-06 21:59:41 +02:00
Account Takeover Formatting changes 2023-01-04 21:06:36 +05:30
API Key Leaks Fix uppercase links and anchor 2024-09-13 22:43:18 +02:00
Argument Injection Update README.md 2022-10-11 18:49:17 +02:00
AWS Amazon Bucket S3 fix: broken link on AWS Amazon Bucket S3 page 2023-07-26 15:09:56 +03:00
Business Logic Errors Fix typo and structure 2024-09-11 17:07:51 +02:00
CICD Randomness mt_rand + Analytics 2024-09-06 21:59:41 +02:00
Clickjacking Update README.md 2023-10-09 20:52:28 +02:00
Client Side Path Traversal Fix typo and structure 2024-09-11 17:07:51 +02:00
Command Injection bypass techniques added 2024-03-09 21:46:33 +05:30
CORS Misconfiguration SOCKS Compatibility Table + CORS 2023-01-05 01:50:11 +01:00
CRLF Injection Business Logic Errors + Mass Assignment 2023-07-09 13:01:03 +02:00
Cross-Site Request Forgery Fix broken pictures 2024-09-13 21:59:29 +02:00
CSV Injection Normalize Titles 2022-10-12 12:13:55 +02:00
CVE Exploits Normalize Titles 2022-10-12 12:13:55 +02:00
Dependency Confusion Windows Management Instrumentation Event Subscription 2022-04-24 15:01:18 +02:00
Directory Traversal ASP Cookieless + ReDOS backtrack 2024-05-29 23:23:51 +02:00
DNS Rebinding DOM Clobbering 2023-06-10 20:08:23 +02:00
Dom Clobbering DOM Clobbering 2023-06-10 20:08:23 +02:00
File Inclusion SSRF DNS AXFR + LFI PHAR payloads + LFI iconv 2024-06-16 21:17:42 +02:00
Google Web Toolkit Google Web Toolkit 2023-09-19 09:58:22 +02:00
GraphQL Injection Fix typo in GraphQL Injection README.md 2023-10-14 16:39:25 +02:00
Headless Browser XSLT payloads + Headless Browser 2024-05-31 00:07:21 +02:00
Hidden Parameters Hidden Parameters 2023-08-24 22:15:11 +02:00
HTTP Parameter Pollution Prototype Pollution 2023-07-07 23:10:33 +02:00
Insecure Deserialization IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 11:27:47 +02:00
Insecure Direct Object References Race Condition WIP + AD asreproast/kerberoasting 2023-10-01 12:42:20 +02:00
Insecure Management Interface Normalize Titles 2022-10-12 12:13:55 +02:00
Insecure Randomness Randomness mt_rand + Analytics 2024-09-06 21:59:41 +02:00
Insecure Source Code Management Normalize Titles 2022-10-12 12:13:55 +02:00
Java RMI Java beanshooter 2023-10-15 19:31:16 +02:00
JSON Web Token Recover Public Key From Signed JWTs 2023-09-04 11:37:15 +02:00
Kubernetes update link URL 2022-10-24 12:28:31 -05:00
LaTeX Injection CSP updates + Indirect Prompt Injection 2024-05-29 15:32:58 +02:00
LDAP Injection Normalize Titles 2022-10-12 12:13:55 +02:00
Mass Assignment Business Logic Errors + Mass Assignment 2023-07-09 13:01:03 +02:00
Methodology and Resources switch to nxc as cme is archived 2024-03-29 21:22:18 +00:00
NoSQL Injection IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 11:27:47 +02:00
OAuth Misconfiguration Business Logic Errors + Mass Assignment 2023-07-09 13:01:03 +02:00
Open Redirect Open Redirect + SSI Injection 2023-07-08 10:09:59 +02:00
ORM Leak IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 11:27:47 +02:00
Prompt Injection CSP updates + Indirect Prompt Injection 2024-05-29 15:32:58 +02:00
Prototype Pollution adding the payload for Polluting the prototype via the constructor property in JSON input 2024-01-03 17:24:28 +05:30
Race Condition IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 11:27:47 +02:00
Regular Expression IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 11:27:47 +02:00
Request Smuggling update old url's 2022-10-26 20:36:15 -05:00
SAML Injection Add ZAP Addon in Tools 2022-05-01 00:47:18 +09:00
Server Side Include Injection Open Redirect + SSI Injection 2023-07-08 10:09:59 +02:00
Server Side Request Forgery Fix broken pictures 2024-09-13 21:59:29 +02:00
Server Side Template Injection Tools Update 2024-01-21 21:39:23 +01:00
SQL Injection Update README.md 2024-05-26 10:40:54 -04:00
Tabnabbing Fix uppercase links and anchor 2024-09-13 22:43:18 +02:00
Type Juggling AWS Key Patterns 2023-06-22 19:03:06 +02:00
Upload Insecure Files Fix link to SecLists/content-type.txt 2024-05-04 11:12:54 -07:00
Web Cache Deception Web Cache Deception + phpt file format 2024-01-11 12:20:25 +01:00
Web Sockets Fix typo 2023-07-18 22:19:29 +02:00
XPATH Injection Normalize Titles 2022-10-12 12:13:55 +02:00
XSLT Injection XSLT payloads + Headless Browser 2024-05-31 00:07:21 +02:00
XSS Injection added 'xss_alert_identifiable.txt' 2024-09-14 22:14:45 +02:00
XXE Injection CSP updates + Indirect Prompt Injection 2024-05-29 15:32:58 +02:00
.gitignore YAML Deserialization 2022-09-16 16:37:40 +02:00
CONTRIBUTING.md PR Guidelines + User Hunting + HopLa Configuration 2022-06-30 16:33:35 +02:00
custom.css CSS - Update style color + Blind SQL Oracle 2023-12-10 13:27:21 +01:00
LICENSE Create License 2019-05-25 16:27:35 +02:00
mkdocs.yml Randomness mt_rand + Analytics 2024-09-06 21:59:41 +02:00
README.md Fix broken pictures 2024-09-13 21:59:29 +02:00

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques !
I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button

Sponsor Tweet

An alternative display version is available at PayloadsAllTheThingsWeb.

📖 Documentation

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it, including several payloads
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder :

You want more ? Check the Books and Youtube videos selections.

🧑‍💻 Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution! ❤️

🍻 Sponsors

This project is proudly sponsored by these companies: