Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques !
I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button

An alternative display version is available at PayloadsAllTheThingsWeb.

📖 Documentation

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

README.md - vulnerability description and how to exploit it, including several payloads
Intruder - a set of files to give to Burp Intruder
Images - pictures for the README.md
Files - some files referenced in the README.md

You might also like the Methodology and Resources folder :

Methodology and Resources

You want more ? Check the Books and Youtube videos selections.

👨‍💻 Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution! ❤️

🧙‍♂️ Sponsors

This project is proudly sponsored by these companies:

Name		Name	Last commit message	Last commit date
Latest commit History 1,908 Commits
.github		.github
API Key Leaks		API Key Leaks
AWS Amazon Bucket S3		AWS Amazon Bucket S3
Account Takeover		Account Takeover
Argument Injection		Argument Injection
Business Logic Errors		Business Logic Errors
CICD		CICD
CORS Misconfiguration		CORS Misconfiguration
CRLF Injection		CRLF Injection
CSRF Injection		CSRF Injection
CSV Injection		CSV Injection
CVE Exploits		CVE Exploits
Clickjacking		Clickjacking
Command Injection		Command Injection
DNS Rebinding		DNS Rebinding
Dependency Confusion		Dependency Confusion
Directory Traversal		Directory Traversal
Dom Clobbering		Dom Clobbering
File Inclusion		File Inclusion
Google Web Toolkit		Google Web Toolkit
GraphQL Injection		GraphQL Injection
HTTP Parameter Pollution		HTTP Parameter Pollution
Hidden Parameters		Hidden Parameters
Insecure Deserialization		Insecure Deserialization
Insecure Direct Object References		Insecure Direct Object References
Insecure Management Interface		Insecure Management Interface
Insecure Randomness		Insecure Randomness
Insecure Source Code Management		Insecure Source Code Management
JSON Web Token		JSON Web Token
Java RMI		Java RMI
Kubernetes		Kubernetes
LDAP Injection		LDAP Injection
LaTeX Injection		LaTeX Injection
Mass Assignment		Mass Assignment
Methodology and Resources		Methodology and Resources
NoSQL Injection		NoSQL Injection
OAuth Misconfiguration		OAuth Misconfiguration
Open Redirect		Open Redirect
Prompt Injection		Prompt Injection
Prototype Pollution		Prototype Pollution
Race Condition		Race Condition
Request Smuggling		Request Smuggling
SAML Injection		SAML Injection
SQL Injection		SQL Injection
Server Side Include Injection		Server Side Include Injection
Server Side Request Forgery		Server Side Request Forgery
Server Side Template Injection		Server Side Template Injection
Tabnabbing		Tabnabbing
Type Juggling		Type Juggling
Upload Insecure Files		Upload Insecure Files
Web Cache Deception		Web Cache Deception
Web Sockets		Web Sockets
XPATH Injection		XPATH Injection
XSLT Injection		XSLT Injection
XSS Injection		XSS Injection
XXE Injection		XXE Injection
_LEARNING_AND_SOCIALS		_LEARNING_AND_SOCIALS
_template_vuln		_template_vuln
.gitignore		.gitignore
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
custom.css		custom.css
mkdocs.yml		mkdocs.yml

License

swisskyrepo/PayloadsAllTheThings

Folders and files

Latest commit

History

Repository files navigation

Payloads All The Things

📖 Documentation

👨‍💻 Contributions

🧙‍♂️ Sponsors

About

Topics

Resources

License

Stars

Watchers

Forks