Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :)

Every section contains:

• README.md - vulnerability description and how to exploit it
• Intruders - a set of files to give to Burp Intruder
• Some exploits

You might also like :

• Methodology and Resources
• CVE Exploits
  • Shellshock
  • HeartBleed
  • Apache Struts 2

Tools

• Kali Linux
• Web Developer
• Hackbar - Not compatible with Firefox Quantum
• Burp Proxy
• Fiddler
• DirBuster
• GoBuster
• Knockpy
• SQLmap
• Nikto
• Nessus
• Recon-ng
• Wappalyzer
• Metasploit
• OpenVAS

Online Challenges

• Hack The Box
• Root-Me
• Zenk-Security
• W3Challs
• NewbieContest
• Vulnhub
• The Cryptopals Crypto Challenges
• Penetration Testing Practice Labs
• alert(1) to win
• Hacksplaining
• HackThisSite
• PentesterLab : Learn Web Penetration Testing: The Right Way
• Hackers.gg

Bug Bounty

• HackerOne
• BugCrowd
• Bounty Factory
• List of Bounty Program

Docker

| Command | Link | | :------------- | :------------- | | docker pull remnux/metasploit | docker-metasploit | | docker pull paoloo/sqlmap | docker-sqlmap | | docker pull kalilinux/kali-linux-docker | official Kali Linux | | docker pull owasp/zap2docker-stable | official OWASP ZAP | | docker pull wpscanteam/wpscan | official WPScan | | docker pull infoslack/dvwa | Damn Vulnerable Web Application (DVWA) | | docker pull danmx/docker-owasp-webgoat | OWASP WebGoat Project docker image | | docker pull opendns/security-ninjas | Security Ninjas | | docker pull ismisepaul/securityshepherd | OWASP Security Shepherd | | docker-compose build && docker-compose up | OWASP NodeGoat | | docker pull citizenstig/nowasp | OWASP Mutillidae II Web Pen-Test Practice Application | | docker pull bkimminich/juice-shop | OWASP Juice Shop |

More resources

Book's list:

• Web Hacking 101
• OWASP Testing Guide v4
• Penetration Testing: A Hands-On Introduction to Hacking
• The Hacker Playbook 2: Practical Guide to Penetration Testing
• The Mobile Application Hacker’s Handbook
• Black Hat Python: Python Programming for Hackers and Pentesters
• Metasploit: The Penetration Tester's Guide
• The Database Hacker's Handbook, David Litchfield et al., 2005
• The Shellcoders Handbook by Chris Anley et al., 2007
• The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009
• The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011
• iOS Hackers Handbook by Charlie Miller et al., 2012
• Android Hackers Handbook by Joshua J. Drake et al., 2014
• The Browser Hackers Handbook by Wade Alcorn et al., 2014
• The Mobile Application Hackers Handbook by Dominic Chell et al., 2015
• Car Hacker's Handbook by Craig Smith, 2016

Blogs/Websites

• http://blog.zsec.uk/101-web-testing-tooling/
• https://blog.innerht.ml
• https://blog.zsec.uk
• https://www.exploit-db.com/google-hacking-database
• https://www.arneswinnen.net
• https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102

Youtube

• Hunting for Top Bounties - Nicolas Grégoire
• BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen
• Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén
• IppSec Channel - Hack The Box Writeups