A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Branch: master
Clone or download
swisskyrepo Merge pull request #46 from 0xInfection/patch-2
Added a new bypass variant + fixed a payload
Latest commit abb81ab Feb 20, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
AWS Amazon Bucket S3 AWS S3 and Open redirect rewritten Dec 29, 2018
CRLF injection Adding references sectio Dec 24, 2018
CSRF injection .git/index file parsing + fix CSRF payload typo Feb 7, 2019
CSV injection SQL wildcard '_' + CSV injection reverse shell Dec 26, 2018
CVE Exploits Use print() function in both Python 2 and Python 3 Feb 17, 2019
Command injection Command injection renamed + sudo/doas privesc Jan 22, 2019
Directory traversal Directory traversal / File inclusion rewritten Dec 27, 2018
File inclusion Use print() function in both Python 2 and Python 3 Feb 17, 2019
Insecure deserialization References added based on @ngalongc bug-bounty-references Dec 25, 2018
Insecure direct object references References added based on @ngalongc bug-bounty-references Dec 25, 2018
Insecure management interface Adding references sectio Dec 24, 2018
Insecure source code management .git/index file parsing + fix CSRF payload typo Feb 7, 2019
JSON Web Token JWT - Payload detail Feb 11, 2019
LDAP injection Adding references sectio Dec 24, 2018
LaTeX injection Adding references sectio Dec 24, 2018
Methodology and Resources Jenkins Grrovy + MSSQL UNC + PostgreSQL list files Feb 17, 2019
NoSQL injection Adding references sectio Dec 24, 2018
OAuth References added based on @ngalongc bug-bounty-references Dec 25, 2018
Open redirect AWS S3 and Open redirect rewritten Dec 29, 2018
SQL injection SQL injection - MySQL version for error based Feb 17, 2019
Server Side Request Forgery Use print() function in both Python 2 and Python 3 Feb 17, 2019
Server Side Template Injection Bugfix - Errors in stashed changes Jan 28, 2019
Tar commands execution Adding references sectio Dec 24, 2018
Type juggling Bugfix - Errors in stashed changes Jan 28, 2019
Upload insecure files EICAR file Feb 19, 2019
Web cache deception Adding references sectio Dec 24, 2018
XPATH injection Adding references sectio Dec 24, 2018
XSS injection Added a new bypass variant + fixed a payload Feb 20, 2019
XXE injection References added based on @ngalongc bug-bounty-references Dec 25, 2018
_template_vuln CSRF - First draft Dec 24, 2018
.gitignore Shell IPv6 + Sandbox credential Jan 7, 2019
README.md Fixed Hack The Box-Link Feb 18, 2019

README.md

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :)

You can also contribute with a beer IRL or with buymeacoffee.com

Coffee

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like :

Try Harder

Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.

Book's list

Grab a book and relax, these ones are the best security books (in my opinion).

More resources

Blogs/Websites

Youtube