
Git All the Payloads! A collection of web attack payloads.

June 25, 2016 • Security

http://github.com/foospidy/payloads

payloads

Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!

Usage

Run ./get.sh to download external payloads and unzip any payload files that are compressed.

Payload Credits

fuzzdb - http://github.com/fuzzdb-project/fuzzdb

SecLists - http://github.com/danielmiessler/SecLists

xsuperbug - http://github.com/xsuperbug/payloads

NickSanzotta - http://github.com/NickSanzotta/BurpIntruder

7ioSecurity - http://github.com/7ioSecurity/XSS-Payloads

shadsidd - http://github.com/shadsidd

shikari1337 - http://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/

xmendez - http://github.com/xmendez/wfuzz

minimaxir - http://github.com/minimaxir/big-list-of-naughty-strings

xsscx - http://github.com/xsscx/Commodity-Injection-Signatures

TheRook - http://github.com/TheRook/subbrute

OWASP

dirbuster - http://www.owasp.org/index.php/DirBuster

fuzzing_code_database - http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database

JBroFuzz - http://www.owasp.org/index.php/JBroFuzz

Other

xss/jsf__k.txt - http://www.jsfuck.com/

xss/kirankarnad.txt - http://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester

xss/packetstorm.txt - http://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html

xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html

xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass

xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA

xss/billsempf.txt - http://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)

xss/787373.txt - http://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html

xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html

xss/xssdb.txt - http://xssdb.net/xssdb.txt

xss/0xsobky.txt - http://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

xss/secgeek.txt - http://www.secgeek.net/solutions-for-xss-waf-challenge/

xss/reddit_xss_get.txt - All XSS GET requests from http://www.reddit.com/r/xss (as of 3/30/2016)

sqli/camoufl4g3.txt - http://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt

sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html

sqli/sqlifuzzer.txt - http://github.com/ContactLeft/sqlifuzzer/tree/master/payloads

traversal/dotdotpwn.txt - http://github.com/wireghoul/dotdotpwn

ctf

Requests extracted from either packet captures or log files of capture the flag (CTF) events. This is mostly raw data, so not all requests are actual payloads; however, requests should be deduplicated.

maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS

defcon20.txt - DEFCON Capture the Flag (http://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles

Miscellaneous

XSS references that may overlap with sources already included above:

http://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://htmlpurifier.org/live/smoketests/xssAttacks.php

Tags: payloads