foospidy
payloads
Shell

Git All the Payloads! A collection of web attack payloads.

Last updated Jul 9, 2026
4.0k
Stars
991
Forks
4
Issues
+2
Stars/day
Attention Score
88
Language breakdown
No language data available.
โ–ธ Files click to expand
README

payloads

Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!

Usage

run ./get.sh to download external payloads and unzip any payload files that are compressed.

Payload Credits

  • fuzzdb - https://github.com/fuzzdb-project/fuzzdb
  • SecLists - https://github.com/danielmiessler/SecLists
  • xsuperbug - https://github.com/xsuperbug/payloads
  • NickSanzotta - https://github.com/NickSanzotta/BurpIntruder
  • 7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads
  • shadsidd - https://github.com/shadsidd
  • shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/
  • xmendez - https://github.com/xmendez/wfuzz
  • minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings
  • xsscx - https://github.com/xsscx/Commodity-Injection-Signatures
  • TheRook - https://github.com/TheRook/subbrute
  • danielmiessler - https://github.com/danielmiessler/RobotsDisallowed
  • FireFart - https://github.com/FireFart/HashCollision-DOS-POC
  • HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS
  • swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings
  • 1N3 - https://github.com/1N3/IntruderPayloads
  • cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads
  • cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist
  • cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list
  • cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads
  • cujanovic - https://github.com/cujanovic/Virtual-host-wordlist
  • cujanovic - https://github.com/cujanovic/dirsearch-wordlist
  • lavalamp- - https://github.com/lavalamp-/password-lists
  • arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords
  • scadastrangelove - https://github.com/scadastrangelove/SCADAPASS
  • jeanphorn - https://github.com/jeanphorn/wordlist
  • j3ers3 - https://github.com/j3ers3/PassList
  • nyxxxie - https://github.com/nyxxxie/awesome-default-passwords
  • foospidy - https://github.com/foospidy/web-cve-tests
  • terjanq - https://github.com/terjanq/Tiny-XSS-Payloads

OWASP

  • dirbuster - https://www.owasp.org/index.php/DirBuster
  • fuzzingcodedatabase - https://www.owasp.org/index.php/Category:OWASPFuzzingCode_Database
  • JBroFuzz - https://www.owasp.org/index.php/JBroFuzz

Other

  • xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list
  • xss/jsf__k.txt - http://www.jsfuck.com/
  • xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester
  • xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html
  • xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
  • xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass
  • xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA
  • xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)
  • xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html
  • xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html
  • xss/xssdb.txt - http://xssdb.net/xssdb.txt
  • xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
  • xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/
  • xss/redditxssget.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)
  • xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html
  • xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/
  • xss/XssPayloads - https://twitter.com/XssPayloads
  • sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt
  • sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html
  • sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads
  • sqli/harisec.txt - https://hackerone.com/reports/297478
  • sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
  • sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f
  • sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f
  • traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn
  • codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/
  • commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list
  • commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list

ctf

Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.

  • maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
  • maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
  • maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
  • ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS
  • defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles

Miscellaneous

  • XSS references that may overlap with sources already included above:
- https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet - http://htmlpurifier.org/live/smoketests/xssAttacks.php
๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท foospidy/payloads ยท Updated daily from GitHub