A list of useful payloads and bypass for Web Application Security and Pentest/CTF https://github.com/swisskyrepo/PayloadsAllTheThings
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Swissky 8d31b7240b Office Attacks 4 days ago
.github DSRM Admin 2 months ago
API Key Leaks Added commands for testing Mapbox API Tokens 1 month ago
AWS Amazon Bucket S3 Fix AWS duplicated tool enumerate-iam 2 months ago
Account Takeover Office Attacks 4 days ago
CORS Misconfiguration Fix typos 2 months ago
CRLF Injection CORS and CRLF README.md updated 4 months ago
CSRF Injection Updated Summary and Fixed Broken Links in CSRF 1 year ago
CSV Injection Fix typos 2 months ago
CVE Exploits Fix typos 2 months ago
Command Injection clarification in 'bypass character filter' 9 months ago
Directory Traversal Update README.md 5 months ago
File Inclusion Add reference to panoptic and rip-hg tools 3 months ago
GraphQL Injection Added missing word 6 months ago
HTTP Parameter Pollution Updated to include modules used for golang 2 months ago
Insecure Deserialization Add gadgetprobe tool 2 months ago
Insecure Direct Object References Command injection rewritten 2 years ago
Insecure Management Interface Add Springboot Actuator RCE 4 months ago
Insecure Source Code Management Fix ToC 3 weeks ago
JSON Web Token RoadRecon + JSON None refs 10 months ago
Kubernetes Add Kubernetes Pentest Methodology Part 3 1 month ago
LDAP Injection add SSH key authentication via LDAP 6 months ago
LaTeX Injection Fix name's capitalization 2 years ago
Methodology and Resources Office Attacks 4 days ago
NoSQL Injection Bind shell cheatsheet (Fix #194) 9 months ago
OAuth Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2 years ago
Open Redirect Update README.md 3 months ago
Race Condition Race Condition - First Draft 1 year ago
Request Smuggling Add PortSwigger http-desync reborn article 1 month ago
SAML Injection XSW 4 Fix #205 10 months ago
SQL Injection Add a one line postgres file write 4 weeks ago
Server Side Request Forgery Office Attacks 4 days ago
Server Side Template Injection Office Attacks 4 days ago
Tabnabbing Fix typos 2 months ago
Type Juggling AMSI + Trust 3 months ago
Upload Insecure Files AzureHound 3 months ago
Web Cache Deception Fix(Docs): Correcting typos on the repo 4 months ago
Web Sockets Added: Cross-Site WebSocket Hijacking (CSWSH) 11 months ago
XPATH Injection Bind shell cheatsheet (Fix #194) 9 months ago
XSLT Injection AD mitigations 1 year ago
XSS Injection Added closing bracket in unicode full width bypass 1 month ago
XXE Injection Add XXE via DTD file 1 month ago
_template_vuln SAML exploitation + ASREP roasting + Kerbrute 2 years ago
.gitignore Shell IPv6 + Sandbox credential 2 years ago
BOOKS.md README rewrite : BOOKS and YOUTUBE 2 years ago
CONTRIBUTING.md Upload Methodology 5 months ago
LICENSE Create License 2 years ago
README.md Update README.md 6 months ago
TWITTER.md Update TWITTER.md 4 months ago
YOUTUBE.md Update YOUTUBE.md 5 months ago


Payloads All The Things Tweet

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button.

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it, including several payloads
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder :

You want more ? Check the Books and Youtube videos selections.