Skip to content
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Python Ruby ASP PHP Jupyter Notebook Shell Other
Branch: master
Clone or download

Latest commit

swisskyrepo Merge pull request #213 from DidierA/DidierA-patch-1
clarification in 'bypass character filter'
Latest commit c24cb01 Jun 5, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Update FUNDING.yml with buymeacoffee Sep 13, 2019
API Key Leaks Windows Persistence Jun 1, 2020
AWS Amazon Bucket S3 AWS Patterns Feb 23, 2020
CORS Misconfiguration Bind shell cheatsheet (Fix #194) May 24, 2020
CRLF Injection Added Summary in CRLF Dec 17, 2019
CSRF Injection Updated Summary and Fixed Broken Links in CSRF Dec 17, 2019
CSV Injection HQL Injection + references update Jun 16, 2019
CVE Exploits fixing typo in file name Jan 28, 2020
Command Injection clarification in 'bypass character filter' Jun 4, 2020
Directory Traversal AD mitigations Dec 26, 2019
File Inclusion added additional way to chain php filters Feb 20, 2020
GraphQL Injection Fix - SSTI Payloads Apr 21, 2020
Insecure Deserialization add more refs May 16, 2020
Insecure Direct Object References Command injection rewritten Apr 21, 2019
Insecure Management Interface Fix name's capitalization Mar 6, 2019
Insecure Source Code Management ImageMagik Ghost Script + Typo git summary Jun 25, 2019
JSON Web Token RoadRecon + JSON None refs Apr 17, 2020
Kubernetes Docker escape and exploit Mar 29, 2020
LDAP Injection add ruby script Feb 21, 2020
LaTeX Injection Fix name's capitalization Mar 6, 2019
Methodology and Resources Windows Persistence Jun 1, 2020
NoSQL Injection Bind shell cheatsheet (Fix #194) May 24, 2020
OAuth Masscan + AD password in description + ZSH revshell bugfix + Mimikatz… May 12, 2019
Open Redirect Added new payloads Nov 14, 2019
Race Condition Race Condition - First Draft Jan 26, 2020
SAML Injection XSW 4 Fix #205 May 12, 2020
SQL Injection Bind shell cheatsheet (Fix #194) May 24, 2020
Server Side Request Forgery Windows Persistence Jun 1, 2020
Server Side Template Injection corrected a single quotation mark closure error May 29, 2020
Type Juggling Magic Hashes + SQL fuzz Apr 26, 2020
Upload Insecure Files Update README.md May 13, 2020
Web Cache Deception Fix dead youtube link Oct 3, 2019
Web Sockets Added: Cross-Site WebSocket Hijacking (CSWSH) Apr 11, 2020
XPATH Injection Bind shell cheatsheet (Fix #194) May 24, 2020
XSLT Injection AD mitigations Dec 26, 2019
XSS Injection Mimikatz Summary May 10, 2020
XXE Injection Merge pull request #128 from noraj/patch-1 Dec 2, 2019
_template_vuln SAML exploitation + ASREP roasting + Kerbrute Mar 24, 2019
.gitignore Shell IPv6 + Sandbox credential Jan 7, 2019
BOOKS.md README rewrite : BOOKS and YOUTUBE May 12, 2019
LICENSE Create License May 25, 2019
README.md README - Summary update Mar 19, 2020
YOUTUBE.md added Hacksplained's YT channel Apr 23, 2020

README.md

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I ❤️ pull requests :)

You can also contribute with a 🍻 IRL

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder :

You want more ? Check the Books and Youtube videos selections.

You can’t perform that action at this time.