Python HTML Ruby Other
Switch branches/tags
Nothing to show
Clone or download
Permalink
Failed to load latest commit information.
AWS Amazon Bucket S3 Update README.md Jul 31, 2017
CRLF injection SQLmap tips + Active Directory attacks + SQLite injections Mar 12, 2018
CSV injection Fix in juggling type + CSV injection Oct 20, 2016
CVE Exploits Drupalgeddon2 update + Payment API in Methodology Apr 23, 2018
File Inclusion - Path Traversal Path traversal refactor + AD cme module msf/empire + IIS web.config Jul 7, 2018
Insecured source code management Multiple update - LFI/RCE via phpinfo, Struts2 v2 Sep 13, 2017
Java Deserialization SSRF to XSS + Retail account Windows Jun 5, 2018
LDAP injection Refactoring XSS 0/? Mar 23, 2018
Methodology and Resources AD BloodHound + AD Relationship + SSRF Digital Ocean Jul 15, 2018
NoSQL injection Traversal Dir + NoSQL major updates + small addons Feb 15, 2018
OAuth Add CSRF to OAuth2 Oct 16, 2017
Open redirect AD Attack - Golden Ticket + SQL/OpenRed/SSRF Apr 12, 2018
PHP juggling type Fix in juggling type + CSV injection Oct 20, 2016
PHP serialization PHP Object serialization + README update Jul 9, 2018
Remote commands execution SQLmap tips + Active Directory attacks + SQLite injections Mar 12, 2018
SQL injection Path traversal refactor + AD cme module msf/empire + IIS web.config Jul 7, 2018
SSRF injection AD BloodHound + AD Relationship + SSRF Digital Ocean Jul 15, 2018
Server Side Template injections Windows port forwarding - Netsh Jun 9, 2018
Tar commands execution Clean project - Renamed and added PHP juggling type Oct 20, 2016
Traversal directory Traversal Dir + NoSQL major updates + small addons Feb 15, 2018
Upload insecure files Path traversal refactor + AD cme module msf/empire + IIS web.config Jul 7, 2018
Web cache deception Typo fix in Web cache Feb 27, 2017
XPATH injection LDAP & XPATH injection + Small fixes and payloads Jul 14, 2017
XSS injection XSS Colors highlighting + JS code eval Jun 27, 2018
XXE injections Payloads - Quick fix Feb 23, 2018
.gitignore Coffee contributing Jul 7, 2018
README.md PHP Object serialization + README update Jul 9, 2018

README.md

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :)
You can also contribute with a beer IRL or Coffee

Every section contains:

  • README.md - vulnerability description and how to exploit it
  • Intruders - a set of files to give to Burp Intruder
  • Some exploits

You might also like :

Tools

Online Challenges

Bug Bounty

Docker

Command Link
docker pull remnux/metasploit docker-metasploit
docker pull paoloo/sqlmap docker-sqlmap
docker pull kalilinux/kali-linux-docker official Kali Linux
docker pull owasp/zap2docker-stable official OWASP ZAP
docker pull wpscanteam/wpscan official WPScan
docker pull infoslack/dvwa Damn Vulnerable Web Application (DVWA)
docker pull danmx/docker-owasp-webgoat OWASP WebGoat Project docker image
docker pull opendns/security-ninjas Security Ninjas
docker pull ismisepaul/securityshepherd OWASP Security Shepherd
docker-compose build && docker-compose up OWASP NodeGoat
docker pull citizenstig/nowasp OWASP Mutillidae II Web Pen-Test Practice Application
docker pull bkimminich/juice-shop OWASP Juice Shop

More resources

Book's list:

Blogs/Websites

Youtube