mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-21 11:56:11 +00:00
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
bountybugbountybypasscheatsheetenumerationhackinghacktoberfestmethodologypayloadpayloadspenetration-testingpentestprivilege-escalationredteamsecurityvulnerabilityweb-application
975dde665a
same as 'xss_alert.txt', but with identifiable payloads (e.g. alert(1992) instead of just alert(1)). This is useful in case of stored xss, when you inject all the payloads and then need to identify which payloads were successful. |
||
---|---|---|
_LEARNING_AND_SOCIALS | ||
_template_vuln | ||
.github | ||
Account Takeover | ||
API Key Leaks | ||
Argument Injection | ||
AWS Amazon Bucket S3 | ||
Business Logic Errors | ||
CICD | ||
Clickjacking | ||
Client Side Path Traversal | ||
Command Injection | ||
CORS Misconfiguration | ||
CRLF Injection | ||
Cross-Site Request Forgery | ||
CSV Injection | ||
CVE Exploits | ||
Dependency Confusion | ||
Directory Traversal | ||
DNS Rebinding | ||
Dom Clobbering | ||
File Inclusion | ||
Google Web Toolkit | ||
GraphQL Injection | ||
Headless Browser | ||
Hidden Parameters | ||
HTTP Parameter Pollution | ||
Insecure Deserialization | ||
Insecure Direct Object References | ||
Insecure Management Interface | ||
Insecure Randomness | ||
Insecure Source Code Management | ||
Java RMI | ||
JSON Web Token | ||
Kubernetes | ||
LaTeX Injection | ||
LDAP Injection | ||
Mass Assignment | ||
Methodology and Resources | ||
NoSQL Injection | ||
OAuth Misconfiguration | ||
Open Redirect | ||
ORM Leak | ||
Prompt Injection | ||
Prototype Pollution | ||
Race Condition | ||
Regular Expression | ||
Request Smuggling | ||
SAML Injection | ||
Server Side Include Injection | ||
Server Side Request Forgery | ||
Server Side Template Injection | ||
SQL Injection | ||
Tabnabbing | ||
Type Juggling | ||
Upload Insecure Files | ||
Web Cache Deception | ||
Web Sockets | ||
XPATH Injection | ||
XSLT Injection | ||
XSS Injection | ||
XXE Injection | ||
.gitignore | ||
CONTRIBUTING.md | ||
custom.css | ||
LICENSE | ||
mkdocs.yml | ||
README.md |
Payloads All The Things
A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques !
I ❤️ pull requests :)
You can also contribute with a 🍻 IRL, or using the sponsor button
An alternative display version is available at PayloadsAllTheThingsWeb.
📖 Documentation
Every section contains the following files, you can use the _template_vuln
folder to create a new chapter:
- README.md - vulnerability description and how to exploit it, including several payloads
- Intruder - a set of files to give to Burp Intruder
- Images - pictures for the README.md
- Files - some files referenced in the README.md
You might also like the Methodology and Resources
folder :
- Methodology and Resources
- Active Directory Attack.md
- Cloud - AWS Pentest.md
- Cloud - Azure Pentest.md
- Cobalt Strike - Cheatsheet.md
- Linux - Evasion.md
- Linux - Persistence.md
- Linux - Privilege Escalation.md
- Metasploit - Cheatsheet.md
- Methodology and enumeration.md
- Network Pivoting Techniques.md
- Network Discovery.md
- Reverse Shell Cheatsheet.md
- Subdomains Enumeration.md
- Windows - AMSI Bypass.md
- Windows - DPAPI.md
- Windows - Download and Execute.md
- Windows - Mimikatz.md
- Windows - Persistence.md
- Windows - Privilege Escalation.md
- Windows - Using credentials.md
You want more ? Check the Books and Youtube videos selections.
🧑💻 Contributions
Be sure to read CONTRIBUTING.md
Thanks again for your contribution! ❤️
🍻 Sponsors
This project is proudly sponsored by these companies: