swisskyrepo/PayloadsAllTheThingsPublic

NotificationsYou must be signed in to change notification settings
Fork16k
Star70.6k

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

swisskyrepo.github.io/PayloadsAllTheThings/

License

MIT license

70.6k stars 16k forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 2,121 Commits
.github		.github
API Key Leaks		API Key Leaks
Account Takeover		Account Takeover
Brute Force Rate Limit		Brute Force Rate Limit
Business Logic Errors		Business Logic Errors
CORS Misconfiguration		CORS Misconfiguration
CRLF Injection		CRLF Injection
CSV Injection		CSV Injection
CVE Exploits		CVE Exploits
Clickjacking		Clickjacking
Client Side Path Traversal		Client Side Path Traversal
Command Injection		Command Injection
Cross-Site Request Forgery		Cross-Site Request Forgery
DNS Rebinding		DNS Rebinding
DOM Clobbering		DOM Clobbering
Denial of Service		Denial of Service
Dependency Confusion		Dependency Confusion
Directory Traversal		Directory Traversal
Encoding Transformations		Encoding Transformations
External Variable Modification		External Variable Modification
File Inclusion		File Inclusion
Google Web Toolkit		Google Web Toolkit
GraphQL Injection		GraphQL Injection
HTTP Parameter Pollution		HTTP Parameter Pollution
Headless Browser		Headless Browser
Hidden Parameters		Hidden Parameters
Insecure Deserialization		Insecure Deserialization
Insecure Direct Object References		Insecure Direct Object References
Insecure Management Interface		Insecure Management Interface
Insecure Randomness		Insecure Randomness
Insecure Source Code Management		Insecure Source Code Management
JSON Web Token		JSON Web Token
Java RMI		Java RMI
LDAP Injection		LDAP Injection
LaTeX Injection		LaTeX Injection
Mass Assignment		Mass Assignment
Methodology and Resources		Methodology and Resources
NoSQL Injection		NoSQL Injection
OAuth Misconfiguration		OAuth Misconfiguration
ORM Leak		ORM Leak
Open Redirect		Open Redirect
Prompt Injection		Prompt Injection
Prototype Pollution		Prototype Pollution
Race Condition		Race Condition
Regular Expression		Regular Expression
Request Smuggling		Request Smuggling
Reverse Proxy Misconfigurations		Reverse Proxy Misconfigurations
SAML Injection		SAML Injection
SQL Injection		SQL Injection
Server Side Include Injection		Server Side Include Injection
Server Side Request Forgery		Server Side Request Forgery
Server Side Template Injection		Server Side Template Injection
Tabnabbing		Tabnabbing
Type Juggling		Type Juggling
Upload Insecure Files		Upload Insecure Files
Virtual Hosts		Virtual Hosts
Web Cache Deception		Web Cache Deception
Web Sockets		Web Sockets
XPATH Injection		XPATH Injection
XSLT Injection		XSLT Injection
XSS Injection		XSS Injection
XXE Injection		XXE Injection
Zip Slip		Zip Slip
_LEARNING_AND_SOCIALS		_LEARNING_AND_SOCIALS
_template_vuln		_template_vuln
.gitignore		.gitignore
CONTRIBUTING.md		CONTRIBUTING.md
DISCLAIMER.md		DISCLAIMER.md
LICENSE		LICENSE
README.md		README.md
custom.css		custom.css
mkdocs.yml		mkdocs.yml

Repository files navigation

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security.Feel free to improve with your payloads and techniques!

You can also contribute with a 🍻 IRL, or using the sponsor button.

An alternative display version is available atPayloadsAllTheThingsWeb.

📖 Documentation

Every section contains the following files, you can use the_template_vuln folder to create a new chapter:

README.md - vulnerability description and how to exploit it, including several payloads
Intruder - a set of files to give to Burp Intruder
Images - pictures for the README.md
Files - some files referenced in the README.md

You might also like the other projects from the AllTheThings family :

InternalAllTheThings - Active Directory and Internal Pentest Cheatsheets
HardwareAllTheThings - Hardware/IOT Pentesting Wiki

You want more? Check theBooks andYouTube channel selections.

🧑‍💻 Contributions

Be sure to readCONTRIBUTING.md

Thanks again for your contribution! ❤️

🍻 Sponsors

This project is proudly sponsored by these companies.

Logo	Description
	SerpApi is a real time API to access Google search results. It solves the issues of having to rent proxies, solving captchas, and JSON parsing.
	ProjectDiscovery - Detect real, exploitable vulnerabilities. Harness the power of Nuclei for fast and accurate findings without false positives.
	VAADATA - Ethical Hacking Services