https://github.com/foospidy/payloads

Git All the Payloads! A collection of web attack payloads.
https://github.com/foospidy/payloads

appsec cybersecurity hacking passwords payload payloads pentest sqli web-attack-payloads xss

Last synced: 7 days ago
JSON representation

Git All the Payloads! A collection of web attack payloads.

• Host: GitHub
• URL: https://github.com/foospidy/payloads
• Owner: foospidy
• License: gpl-3.0
• Created: 2016-02-21T21:27:15.000Z (almost 9 years ago)
• Default Branch: master
• Last Pushed: 2023-05-15T21:54:24.000Z (over 1 year ago)
• Last Synced: 2024-10-29T17:39:48.246Z (about 1 month ago)
• Topics: appsec, cybersecurity, hacking, passwords, payload, payloads, pentest, sqli, web-attack-payloads, xss
• Language: Shell
• Homepage:
• Size: 69.6 MB
• Stars: 3,617
• Watchers: 198
• Forks: 965
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome - foospidy/payloads - Git All the Payloads! A collection of web attack payloads. (Shell)
• Hacking-Awesome - - Collection of web attack payloads (Uncategorized / Uncategorized)
• Awesome-Cybersecurity-Datasets - Web Attack Payloads - A collection of web attack payloads. (Datasets / WebApps)
• Awesome-Hacking - Payloads
• Awesome-WAF - Other Payloads
• awesome-security-collection - **2057**星
• awesome-hacking-lists - foospidy/payloads - Git All the Payloads! A collection of web attack payloads. (Shell)
• fucking-Awesome-Hacking - Payloads
• awesome-hacking - Payloads
• awesome-hacking - Payloads

README

        
# payloads

Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!

### Usage

run `./get.sh` to download external payloads and unzip any payload files that are compressed.

### Payload Credits

- fuzzdb         - https://github.com/fuzzdb-project/fuzzdb

- SecLists       - https://github.com/danielmiessler/SecLists

- xsuperbug      - https://github.com/xsuperbug/payloads

- NickSanzotta   - https://github.com/NickSanzotta/BurpIntruder

- 7ioSecurity    - https://github.com/7ioSecurity/XSS-Payloads

- shadsidd       - https://github.com/shadsidd

- shikari1337    - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/

- xmendez        - https://github.com/xmendez/wfuzz

- minimaxir      - https://github.com/minimaxir/big-list-of-naughty-strings

- xsscx          - https://github.com/xsscx/Commodity-Injection-Signatures

- TheRook        - https://github.com/TheRook/subbrute

- danielmiessler - https://github.com/danielmiessler/RobotsDisallowed

- FireFart       - https://github.com/FireFart/HashCollision-DOS-POC

- HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS

- swisskyrepo    - https://github.com/swisskyrepo/PayloadsAllTheThings

- 1N3            - https://github.com/1N3/IntruderPayloads

- cujanovic      - https://github.com/cujanovic/Open-Redirect-Payloads

- cujanovic      - https://github.com/cujanovic/Content-Bruteforcing-Wordlist

- cujanovic      - https://github.com/cujanovic/subdomain-bruteforce-list

- cujanovic      - https://github.com/cujanovic/CRLF-Injection-Payloads

- cujanovic      - https://github.com/cujanovic/Virtual-host-wordlist

- cujanovic      - https://github.com/cujanovic/dirsearch-wordlist

- lavalamp-      - https://github.com/lavalamp-/password-lists

- arnaudsoullie  - https://github.com/arnaudsoullie/ics-default-passwords

- scadastrangelove  - https://github.com/scadastrangelove/SCADAPASS

- jeanphorn         - https://github.com/jeanphorn/wordlist

- j3ers3            - https://github.com/j3ers3/PassList

- nyxxxie           - https://github.com/nyxxxie/awesome-default-passwords

- foospidy          - https://github.com/foospidy/web-cve-tests

- terjanq           - https://github.com/terjanq/Tiny-XSS-Payloads

#### OWASP

- dirbuster              - https://www.owasp.org/index.php/DirBuster

- fuzzing_code_database  - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database

- JBroFuzz               - https://www.owasp.org/index.php/JBroFuzz

#### Other

- xss/ismailtasdelen.txt  - https://github.com/ismailtasdelen/xss-payload-list

- xss/jsf__k.txt          - http://www.jsfuck.com/

- xss/kirankarnad.txt     - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester

- xss/packetstorm.txt     - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html

- xss/smeegessec.com.txt  - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html

- xss/d3adend.org.txt     - http://d3adend.org/xss/ghettoBypass

- xss/soaj1664ashar.txt   - http://pastebin.com/u6FY1xDA

- xss/billsempf.txt       - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)

- xss/787373.txt          - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html

- xss/bhandarkar.txt      - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html

- xss/xssdb.txt           - http://xssdb.net/xssdb.txt

- xss/0xsobky.txt         - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

- xss/secgeek.txt         - https://www.secgeek.net/solutions-for-xss-waf-challenge/

- xss/reddit_xss_get.txt  - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)

- xss/rafaybaloch.txt     - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html

- xss/alternume0.txt      - https://www.openbugbounty.org/reports/722726/

- xss/XssPayloads         - https://twitter.com/XssPayloads

- sqli/camoufl4g3.txt     - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt

- sqli/c0rni3sm.txt       - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html

- sqli/sqlifuzzer.txt     - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads

- sqli/harisec.txt        - https://hackerone.com/reports/297478

- sqli/jstnkndy.txt       - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/

- sqli/d0znpp.txt         - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f

- sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f

- traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn

- codeinjection/fede.txt  - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/

- commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list

- commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list

#### ctf

Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.

- maccdc2010.txt          - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

- maccdc2011.txt          - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

- maccdc2012.txt          - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

- ists12_2015.txt         - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS

- defcon20.txt            - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles

### Miscellaneous

- XSS references that may overlap with sources already included above:

  - https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

  - http://htmlpurifier.org/live/smoketests/xssAttacks.php