Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques!

You can also contribute with a IRL, or using the sponsor button.

An alternative display version is available at PayloadsAllTheThingsWeb.

Documentation

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

• README.md - vulnerability description and how to exploit it, including several payloads
• Intruder - a set of files to give to Burp Intruder
• Images - pictures for the README.md
• Files - some files referenced in the README.md

You might also like the other projects from the AllTheThings family :

• InternalAllTheThings - Active Directory and Internal Pentest Cheatsheets
• HardwareAllTheThings - Hardware/IOT Pentesting Wiki

You want more? Check the Books and YouTube channel selections.

Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution!

Sponsors

This project is proudly sponsored by these companies.

Logo	Description
	SerpApi is a real time API to access Google search results. It solves the issues of having to rent proxies, solving captchas, and JSON parsing.
	ProjectDiscovery - Detect real, exploitable vulnerabilities. Harness the power of Nuclei for fast and accurate findings without false positives.
	VAADATA - Ethical Hacking Services

Share this content