Copy-ready payload references for penetration testing. Each cheat sheet contains categorized payloads with descriptions, filter bypasses, and platform-specific variants.
Cross-Site Scripting (XSS) payloads for testing reflected, stored, and DOM-based XSS vulnerabilities.
SQL Injection payloads for testing authentication bypass, UNION-based, error-based, and blind injection.
Reverse shell one-liners for Bash, Python, PHP, Perl, Ruby, Netcat, PowerShell, and more.
OS command injection payloads for testing command separators, blind injection, and filter bypasses.
Local File Inclusion and Path Traversal payloads for reading files, bypassing filters, and PHP wrappers.
Server-Side Request Forgery payloads for accessing internal services, cloud metadata, and bypassing filters.
Server-Side Template Injection payloads for Jinja2, Twig, FreeMarker, ERB, and other template engines.
XML External Entity injection payloads for file reading, SSRF, out-of-band exfiltration, and denial of service.
Cross-Site Request Forgery proof-of-concept payloads for auto-submitting forms, XHR, fetch, and JSON CSRF.
JWT attack payloads for algorithm confusion, none algorithm, key injection, and claim manipulation.
File upload bypass payloads for extension filtering, MIME type checks, content validation, and webshell deployment.
Open redirect payloads for URL parsing confusion, protocol tricks, and filter bypass techniques.
NoSQL injection payloads for MongoDB, CouchDB, and other NoSQL databases.
Insecure Direct Object Reference testing techniques for sequential IDs, UUIDs, encoded references, and parameter tampering.
JavaScript prototype pollution payloads for __proto__, constructor, and deep merge exploitation.
CRLF injection payloads for HTTP response splitting, header injection, and log poisoning.
WAF evasion techniques for XSS, SQLi, RCE, and LFI payloads using encoding, comments, and alternative syntax.
HTTP request smuggling payloads for CL.TE, TE.CL, TE.TE desync, and HTTP/2 downgrade attacks.
Insecure deserialization payloads for Java, PHP, Python, and .NET with gadget chains and tool commands.
CORS misconfiguration exploitation payloads for origin reflection, null origin, and wildcard subdomain attacks.
Race condition payloads for exploiting time-of-check to time-of-use (TOCTOU) bugs in web applications.
GraphQL injection and exploitation payloads for testing GraphQL APIs — introspection, batching, injection, and DoS.
Linux privilege escalation techniques: SUID, sudo misconfigs, cron jobs, capabilities, writable files, path hijacking, kernel exploits, and container escapes.
Windows privilege escalation techniques: unquoted service paths, weak permissions, DLL hijacking, token impersonation, AlwaysInstallElevated, UAC bypass, and credential access.
Post-exploitation commands for shell stabilization, persistence, file transfer, data exfiltration, network pivoting, and covering tracks on Linux and Windows.
Cloud attack payloads for AWS, GCP, Azure, and Kubernetes. SSRF-to-metadata exploitation, IAM credential theft, S3/Cloud Storage misconfigs, container escape, and Kubernetes service account abuse.