Description
PayloadsAllTheThings (github.com/swisskyrepo/PayloadsAllTheThings) is a community-maintained repository of payloads, filter and WAF bypasses, and methodology notes for web application security testing. Each vulnerability class has its own directory with a README.md that walks from detection probes to exploitation payloads, so the repository is used as a reference while testing rather than as a tool that is run. It is one of the most widely cited resources in bug bounty and CTF write-ups; the payloads are starting points to adapt to the target's context and encoding, not a list to fire blindly.
Installation
BASH
git clone https://github.com/swisskyrepo/PayloadsAllTheThings.git
# Keep updated
cd PayloadsAllTheThings && git pull
Categories Covered
TEXT
PayloadsAllTheThings/                     (selection; every directory has a README.md)
├── SQL Injection/                        # error-based, blind, time-based, UNION SQLi; per-DBMS files
├── XSS Injection/                        # reflected, stored, DOM, blind XSS; filter bypasses
├── XXE Injection/                        # XXE payloads, out-of-band exfiltration
├── Server Side Request Forgery/          # SSRF payloads
├── Server Side Template Injection/       # SSTI detection and per-engine exploitation
├── CRLF Injection/                       # header injection, HTTP response splitting
├── Command Injection/                    # OS command execution
├── Directory Traversal/                  # path traversal payloads
├── File Inclusion/                       # LFI/RFI payloads
├── CORS Misconfiguration/                # CORS bypass techniques
├── CSRF Injection/                       # cross-site request forgery
├── Insecure Direct Object References/    # IDOR
├── JSON Web Token/                       # JWT attacks
├── GraphQL Injection/                    # GraphQL-specific attacks
├── Open Redirect/                        # URL redirect payloads
├── Race Condition/                       # concurrency exploitation
├── Request Smuggling/                    # HTTP desync attacks
├── Upload Insecure Files/                # malicious file upload
├── NoSQL Injection/                      # MongoDB, CouchDB injection
├── OAuth Misconfiguration/               # OAuth flow attacks
├── Prototype Pollution/                  # JavaScript prototype attacks
└── Type Juggling/                        # PHP loose-comparison bypasses
Usage Examples
BASH
# Every category directory has a README.md; list the directory to see the extra files next to it
ls PayloadsAllTheThings/XSS\ Injection/
# XSS payloads and filter bypasses
cat PayloadsAllTheThings/XSS\ Injection/README.md
# SQL injection (per-DBMS files sit alongside the README)
cat PayloadsAllTheThings/SQL\ Injection/README.md
# SSTI detection and exploitation
cat PayloadsAllTheThings/Server\ Side\ Template\ Injection/README.md
# Fuzz a reflected parameter with a wordlist built from the payload files.
# ffuf inserts each entry verbatim, so URL-encode payloads that contain spaces, '#' or '&'.
# -mr matches the regex against the response; "alert" and "onerror" also match when the
# input is reflected HTML-encoded, so confirm every hit by hand before calling it XSS.
ffuf -u "https://target.com/search?q=FUZZ" -w payloads.txt -mr "alert|onerror|<script"
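The ffuf line above needs a payloads.txt, and the repository ships payloads as Markdown, not wordlists. The script below, an added example rather than code from the PayloadsAllTheThings project, pulls the lines out of a README's fenced code blocks, keeps only fences tagged as payload languages (tooling fences such as powershell are skipped), deduplicates them and optionally URL-encodes them for use in a query string. It assumes only the documented layout (each directory has a README.md with payloads in triple-backtick fences); SAMPLE_README is a constructed stand-in for such a file, not the real one.

```python
"""Build an ffuf wordlist from the fenced code blocks of a PayloadsAllTheThings README.

Added example, not code from the PayloadsAllTheThings project. Assumes the repository's
documented layout: each vulnerability directory has a README.md whose payloads sit
inside triple-backtick fences.
"""
import re
import sys
from urllib.parse import quote

FENCE = "`" * 3  # built this way so the example itself survives Markdown rendering
_FENCE_RE = re.compile(r"^\s*`{3,}\s*([\w+-]*)\s*$")  # opening or closing fence line

# Constructed sample README (not the real file): two payload fences plus one fence of
# install instructions, which must not leak into the wordlist.
SAMPLE_README = "\n".join([
    "## Basic payloads",
    "",
    FENCE + "javascript",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "",
    "<script>alert(1)</script>",  # duplicate, should be dropped
    FENCE,
    "",
    "Install the helper tool:",
    "",
    FENCE + "powershell",
    "git clone https://github.com/example/tool",
    FENCE,
    "",
    FENCE + "html",
    "<svg onload=alert(1)>",
    FENCE,
])


def extract_payloads(markdown, langs=None):
    """Return the deduplicated non-empty lines found inside fenced blocks.

    langs: optional set of fence tags to keep, e.g. {"javascript", "html"}; fences
    tagged otherwise (powershell, bash, ...) are usually tooling, not payloads.
    Untagged fences are always kept because many README files do not tag them.
    """
    payloads, seen = [], set()
    in_fence, keep = False, False
    for line in markdown.splitlines():
        m = _FENCE_RE.match(line)
        if m:
            if in_fence:
                in_fence = False          # closing fence
            else:
                in_fence = True           # opening fence: decide whether to keep its lines
                tag = m.group(1).lower()
                keep = langs is None or tag == "" or tag in langs
            continue
        if in_fence and keep:
            payload = line.rstrip("\r\n")
            if payload.strip() and payload not in seen:
                seen.add(payload)
                payloads.append(payload)
    return payloads


def to_wordlist(payloads, url_encode=False):
    """ffuf places FUZZ entries verbatim; encode them for query-string use when asked."""
    if url_encode:
        payloads = [quote(p, safe="") for p in payloads]
    return "\n".join(payloads) + "\n"


if __name__ == "__main__":
    # usage: python build_wordlist.py "PayloadsAllTheThings/XSS Injection/README.md" > payloads.txt
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_README
    words = extract_payloads(text, langs={"javascript", "html"})
    sys.stdout.write(to_wordlist(words, url_encode=True))
```

Run it against the real README of the class under test and feed the output to `-w`. Use `url_encode=False` when the payload goes into a POST body or header where ffuf's verbatim insertion is what you want.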
Bug Bounty Tips
TEXT
# Workflow:
# 1. Identify an input (parameter, header, upload, template value) and the context it lands in,
#    then open the README.md of the matching vulnerability class
# 2. Start with that README's detection payloads (canary strings, arithmetic probes, error-inducing
#    quotes) and confirm the reflection or behaviour before moving to its exploitation payloads
# 3. Escalate to the filter/WAF bypass sections only once a basic payload is confirmed blocked,
#    and record which characters or keywords the filter actually strips
# 4. Use the "Methodology and Resources" directory for enumeration checklists and tooling notes