Share
## https://sploitus.com/exploit?id=CE40D77A-E916-5CCD-909D-454E62D2C863
# Web Security Payloads & Exploitation Reference
> Comprehensive reference for web application security testing — 30 vulnerability categories with ready-to-use payloads, bypass techniques, and step-by-step exploitation methodology.
## Categories
### Injection
| File | Description |
|------|-------------|
| [SQL Injection](websec_sqli.md) | UNION, Error-based, Blind (boolean/time), OOB, second-order, WAF bypass |
| [NoSQL Injection](websec_nosql.md) | MongoDB operator injection, regex extraction, `$where` JS injection |
| [OS Command Injection](websec_cmdi.md) | Operators, blind detection, OOB exfil, filter bypass (no spaces/chars) |
| [Server-Side Template Injection](websec_ssti.md) | Jinja2, Twig, Freemarker, ERB, Velocity, Handlebars, Pug, Thymeleaf |
| [XML External Entity (XXE)](websec_xxe.md) | File read, OOB exfil, XInclude, SVG/DOCX upload, PHP wrappers |
### Client-Side
| File | Description |
|------|-------------|
| [Cross-Site Scripting (XSS)](websec_xss.md) | Reflected, Stored, DOM-based, context-specific payloads, CSP bypass |
| [Cross-Site Request Forgery (CSRF)](websec_csrf.md) | POST/GET/JSON CSRF, SameSite bypass, token bypass, referer bypass |
| [Clickjacking](websec_clickjacking.md) | UI redress, multi-step, frame buster bypass, sandbox tricks |
| [DOM-based Vulnerabilities](websec_dom.md) | Sources/sinks mapping, DOM clobbering, postMessage exploitation |
| [Prototype Pollution](websec_prototype_pollution.md) | Client→XSS, Server→RCE, detection, gadget chains |
### Server-Side
| File | Description |
|------|-------------|
| [SSRF](websec_ssrf.md) | Cloud metadata (AWS/GCP/Azure), IP bypass, DNS rebinding, Gopher |
| [Path Traversal](websec_path_traversal.md) | Encoding bypass, LFI→RCE, PHP wrappers, log poisoning |
| [Insecure Deserialization](websec_deserialization.md) | Java (ysoserial), PHP, Python (pickle), .NET, Ruby, YAML |
| [File Upload](websec_file_upload.md) | Web shells, extension/content-type/magic byte bypass, race condition |
### Authentication & Authorization
| File | Description |
|------|-------------|
| [Access Control](websec_access_control.md) | IDOR, vertical/horizontal privesc, method override, path bypass |
| [Authentication](websec_auth.md) | Brute force, 2FA bypass, password reset poisoning, session attacks |
| [OAuth](websec_oauth.md) | redirect_uri bypass, PKCE, state CSRF, token theft, account linking |
| [JWT](websec_jwt.md) | None algorithm, alg confusion (RS256→HS256), JWK/JKU/KID injection |
### HTTP & Caching
| File | Description |
|------|-------------|
| [HTTP Request Smuggling](websec_smuggling.md) | CL.TE, TE.CL, TE.TE, HTTP/2 smuggling, CRLF injection |
| [Host Header Attacks](websec_host_header.md) | Password reset poisoning, routing-based SSRF, cache poisoning |
| [Web Cache Poisoning](websec_cache_poison.md) | Unkeyed headers, fat GET, parameter cloaking |
| [Web Cache Deception](websec_cache_deception.md) | Path confusion, delimiter attacks, normalization discrepancies |
| [CORS Misconfiguration](websec_cors.md) | Origin reflection, null origin, regex bypass, credential theft |
### API & Modern Web
| File | Description |
|------|-------------|
| [API Testing](websec_api_testing.md) | BOLA/BFLA, mass assignment, versioning, rate limit bypass |
| [GraphQL](websec_graphql.md) | Introspection, batching brute force, IDOR, nested query DoS |
| [WebSockets](websec_websockets.md) | Cross-site WS hijacking, injection, auth issues |
| [Web LLM Attacks](websec_llm_attacks.md) | Prompt injection, indirect injection, tool abuse, data exfil |
### Logic & Miscellaneous
| File | Description |
|------|-------------|
| [Business Logic](websec_business_logic.md) | Workflow bypass, negative values, coupon abuse, race conditions |
| [Race Conditions](websec_race_conditions.md) | TOCTOU, single-packet attack, limit overrun, multi-endpoint races |
| [Information Disclosure](websec_info_disclosure.md) | Debug endpoints, .git exposure, error messages, metadata leaks |
## Structure
Each file follows a consistent format:
1. **Concept** — What the vulnerability is
2. **Payloads** — Ready-to-use, copy-paste payloads
3. **Bypass Techniques** — How to evade filters, WAFs, and defenses
4. **Exploitation Flow** — Step-by-step reasoning for real-world testing
5. **Tools** — Relevant tools when applicable
## Disclaimer
This material is intended for **authorized security testing**, **CTF competitions**, and **educational purposes** only. Always obtain proper authorization before testing any system you do not own.
## License
MIT