Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!
run ./get.sh
to download external payloads and unzip any payload files that are compressed.
- fuzzdb - https://github.com/fuzzdb-project/fuzzdb
- SecLists - https://github.com/danielmiessler/SecLists
- xsuperbug - https://github.com/xsuperbug/payloads
- NickSanzotta - https://github.com/NickSanzotta/BurpIntruder
- 7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads
- shadsidd - https://github.com/shadsidd
- shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/
- xmendez - https://github.com/xmendez/wfuzz
- minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings
- xsscx - https://github.com/xsscx/Commodity-Injection-Signatures
- TheRook - https://github.com/TheRook/subbrute
- danielmiessler - https://github.com/danielmiessler/RobotsDisallowed
- FireFart - https://github.com/FireFart/HashCollision-DOS-POC
- HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS
- swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings
- 1N3 - https://github.com/1N3/IntruderPayloads
- cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads
- cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist
- cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list
- cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads
- cujanovic - https://github.com/cujanovic/Virtual-host-wordlist
- cujanovic - https://github.com/cujanovic/dirsearch-wordlist
- lavalamp- - https://github.com/lavalamp-/password-lists
- arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords
- scadastrangelove - https://github.com/scadastrangelove/SCADAPASS
- jeanphorn - https://github.com/jeanphorn/wordlist
- j3ers3 - https://github.com/j3ers3/PassList
- nyxxxie - https://github.com/nyxxxie/awesome-default-passwords
- dirbuster - https://www.owasp.org/index.php/DirBuster
- fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database
- JBroFuzz - https://www.owasp.org/index.php/JBroFuzz
- xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list
- xss/jsf__k.txt - http://www.jsfuck.com/
- xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester
- xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html
- xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
- xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass
- xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA
- xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)
- xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html
- xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html
- xss/xssdb.txt - http://xssdb.net/xssdb.txt
- xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
- xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/
- xss/reddit_xss_get.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)
- xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html
- sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt
- sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html
- sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads
- sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
- sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f
- sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f
- traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn
- codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/
- commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list
- commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list
Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.
- maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS
- defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles
- XSS references that may overlap with sources already included above: