Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :)

Tools

• Kali Linux
• Web Developper
• Hackbar
• Burp Proxy
• Fiddler
• DirBuster
• GoBuster
• Knockpy
• SQLmap
• Nikto
• Nessus
• Recon-ng
• Wappalyzer
• Metasploit

Docker

• docker pull remnux/metasploit - docker-metasploit

• docker pull paoloo/sqlmap - docker-sqlmap

• docker pull kalilinux/kali-linux-docker official Kali Linux

• docker pull owasp/zap2docker-stable - official OWASP ZAP

• docker pull wpscanteam/wpscan - official WPScan

• docker pull infoslack/dvwa - Damn Vulnerable Web Application (DVWA)

• docker pull danmx/docker-owasp-webgoat - OWASP WebGoat Project docker image

• docker pull opendns/security-ninjas - Security Ninjas

• docker pull ismisepaul/securityshepherd - OWASP Security Shepherd

• docker-compose build && docker-compose up - OWASP NodeGoat

• docker pull citizenstig/nowasp - OWASP Mutillidae II Web Pen-Test Practice Application

• docker pull bkimminich/juice-shop - OWASP Juice Shop

More resources

Book's list:

• Web Hacking 101

• OWASP Testing Guide v4

• Penetration Testing: A Hands-On Introduction to Hacking

• The Hacker Playbook 2: Practical Guide to Penetration Testing

• The Mobile Application Hacker’s Handbook

• Black Hat Python: Python Programming for Hackers and Pentesters

• Metasploit: The Penetration Tester's Guide

• The Database Hacker's Handbook, David Litchfield et al., 2005

• The Shellcoders Handbook by Chris Anley et al., 2007

• The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009

• The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011

• iOS Hackers Handbook by Charlie Miller et al., 2012

• Android Hackers Handbook by Joshua J. Drake et al., 2014

• The Browser Hackers Handbook by Wade Alcorn et al., 2014

• The Mobile Application Hackers Handbook by Dominic Chell et al., 2015

• Car Hacker's Handbook by Craig Smith, 2016

Blogs/Websites

• http://blog.zsec.uk/101-web-testing-tooling/
• https://blog.innerht.ml
• https://blog.zsec.uk
• https://www.exploit-db.com/google-hacking-database
• https://www.arneswinnen.net
• https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102

Youtube

• Hunting for Top Bounties - Nicolas Grégoire
• BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen
• Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén

Practice

• Root-Me
• Zenk-Security
• W3Challs
• NewbieContest
• Vulnhub
• The Cryptopals Crypto Challenges
• Penetration Testing Practice Labs
• alert(1) to win
• Hacksplaining
• HackThisSite
• PentesterLab : Learn Web Penetration Testing: The Right Way

Bug Bounty

• HackerOne
• BugCrowd
• Bounty Factory
• List of Bounty Program