🐚 GTFOBins 🪟 LOLBAS 🩸 BloodHound 🩸 bloodyAD 📜 Certipy ☁️ Cloud ⚡ goexec 🤖 HackTricks 🔌 HardwareATT 📦 Impacket 🏰 InternalATT 🔀 Ligolo-ng 🐱 Mimikatz 💣 msfvenom 🔧 NetExec 🤖 OSAI 💥 PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
💥

PayloadsAllTheThings

63 pages
API Key and Token Leaks
API Key and Token Leaks API keys and tokens are forms of authentication commonly used to manage permissions and access t…
Account Takeover
Account Takeover Account Takeover (ATO) is a significant threat in the cybersecurity landscape, involving unauthorized a…
Brute Force & Rate Limit
Brute Force & Rate Limit Summary Tools Bruteforce Burp Suite Intruder FFUF Rate Limit TLS Stack - JA3 Network IPv4 N…
Business Logic Errors
Business Logic Errors Business logic errors, also known as business logic flaws, are a type of application vulnerability…
CORS Misconfiguration
CORS Misconfiguration A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make…
Carriage Return Line Feed
Carriage Return Line Feed CRLF Injection is a web security vulnerability that arises when an attacker injects unexpected…
CSS Injection
CSS Injection CSS Injection is a vulnerability that occurs when an application allows untrusted CSS to be injected into …
CSV Injection
CSV Injection Many web applications allow the user to download content such as templates for invoices or user settings t…
Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a p…
Clickjacking
Clickjacking Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking …
Client Side Path Traversal
Client Side Path Traversal Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," i…
Command Injection
Command Injection Command injection is a security vulnerability that allows an attacker to execute arbitrary commands in…
Cross-Site Request Forgery
Cross-Site Request Forgery Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwant…
DNS Rebinding
DNS Rebinding DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target …
DOM Clobbering
DOM Clobbering DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML ele…
Denial of Service
Denial of Service A Denial of Service (DoS) attack aims to make a service unavailable by overwhelming it with a flood of…
Dependency Confusion
Dependency Confusion A dependency confusion attack or supply chain substitution attack occurs when a software installer …
Directory Traversal
Directory Traversal Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs w…
Encoding and Transformations
Encoding and Transformations Encoding and Transformations are techniques that change how data is represented or transfer…
External Variable Modification
External Variable Modification External Variable Modification Vulnerability occurs when a web application improperly han…
File Inclusion
File Inclusion A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particular…
Google Web Toolkit
Google Web Toolkit Google Web Toolkit (GWT), also known as GWT Web Toolkit, is an open-source set of tools that allows w…
GraphQL Injection
GraphQL Injection GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A …
HTTP Parameter Pollution
HTTP Parameter Pollution HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to cra…
Headless Browser
Headless Browser A headless browser is a web browser without a graphical user interface. It works just like a regular br…
HTTP Hidden Parameters
HTTP Hidden Parameters Web applications often have hidden or undocumented parameters that are not exposed in the user in…
Insecure Deserialization
Insecure Deserialization Serialization is the process of turning some object into a data format that can be restored lat…
Insecure Direct Object References
Insecure Direct Object References Insecure Direct Object References (IDOR) is a security vulnerability that occurs when …
Insecure Management Interface
Insecure Management Interface Insecure Management Interface refers to vulnerabilities in administrative interfaces used …
Insecure Randomness
Insecure Randomness Insecure randomness refers to the weaknesses associated with random number generation in computing, …
Insecure Source Code Management
Insecure Source Code Management Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in we…
JWT - JSON Web Token
JWT - JSON Web Token JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way f…
Java RMI
Java RMI Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machin…
LDAP Injection
LDAP Injection LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based o…
LaTeX Injection
LaTeX Injection LaTeX Injection is a type of injection attack where malicious content is injected into LaTeX documents. …
Mass Assignment
Mass Assignment A mass assignment attack is a security vulnerability that occurs when a web application automatically as…
NoSQL Injection
NoSQL Injection NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring few…
OAuth Misconfiguration
OAuth Misconfiguration OAuth is a widely-used authorization framework that allows third-party applications to access use…
ORM Leak
ORM Leak An ORM leak vulnerability occurs when sensitive information, such as database structure or user data, is uninte…
Open URL Redirect
Open URL Redirect Un-validated redirects and forwards are possible when a web application accepts untrusted input that c…
Prompt Injection
Prompt Injection A technique where specific prompts or cues are inserted into the input data to guide the output of a ma…
Prototype Pollution
Prototype Pollution Prototype pollution is a type of vulnerability that occurs in JavaScript when properties of Object.p…
Race Condition
Race Condition Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timin…
Regular Expression
Regular Expression Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain …
Request Smuggling
Request Smuggling HTTP Request smuggling occurs when multiple "things" process a request, but differ on how they determi…
Reverse Proxy Misconfigurations
Reverse Proxy Misconfigurations A reverse proxy is a server that sits between clients and backend servers, forwarding cl…
SAML Injection
SAML Injection SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authoriza…
SQL Injection
SQL Injection SQL Injection (SQLi) is a type of security vulnerability that allows an attacker to interfere with the que…
Server Side Include Injection
Server Side Include Injection Server Side Includes (SSI) are directives that are placed in HTML pages and evaluated on t…
Server-Side Request Forgery
Server-Side Request Forgery Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server …
Server Side Template Injection
Server Side Template Injection Template injection allows an attacker to include template code into an existing (or not) …
Tabnabbing
Tabnabbing Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for ex…
Type Juggling
Type Juggling PHP is a loosely typed language, which means it tries to predict the programmer's intent and automatically…
Upload Insecure Files
Upload Insecure Files Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send …
Virtual Host
Virtual Host A Virtual Host (VHOST) is a mechanism used by web servers (e.g., Apache, Nginx, IIS) to host multiple domai…
Web Cache Deception
Web Cache Deception Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy…
Web Sockets
Web Sockets WebSocket is a communication protocol that provides full-duplex communication channels over a single, long-l…
XPATH Injection
XPATH Injection XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Langu…
XS-Leak
XS-Leak Cross-Site Leaks (XS-Leaks) are side-channel vulnerabilities allowing attackers to infer sensitive information f…
XSLT Injection
XSLT Injection Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of t…
Cross Site Scripting
Cross Site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web appl…
XML External Entity
XML External Entity An XML External Entity attack is a type of attack against an application that parses XML input and a…
Zip Slip
Zip Slip The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g.…