explaingit

swisskyrepo/payloadsallthethings

77,781 · Python · Audience · developer · Complexity · 1/5 · Active · License · Setup · easy

TLDR

A community-curated collection of payloads, bypasses, and techniques for testing web applications for security vulnerabilities.

Mindmap

mindmap
  root((repo))
    What it does
      Vulnerability payloads
      Bypass techniques
      Exploitation examples
    Organization
      Vulnerability chapters
      Burp Intruder files
      Reference images
    Use cases
      Security testing
      Bug bounty hunting
      CTF preparation
    Audience
      Security testers
      Penetration testers
      CTF players
    Related resources
      Internal pentesting
      Hardware testing
      Web display version

Things people build with this

USE CASE 1

Find ready-made payloads to test a web application for SQL injection, XSS, authentication bypasses, and other known vulnerabilities.

USE CASE 2

Prepare for a CTF competition by reviewing common exploitation techniques and payload patterns organized by vulnerability type.

USE CASE 3

Learn bypass tricks and enumeration methodologies used by security professionals during penetration tests.

Tech stack

Python · Markdown · Burp Suite

Getting it running

Difficulty · easy · Time to first run · 5min
Use freely for any purpose including commercial, as long as you keep the copyright notice.

In plain English

PayloadsAllTheThings is a community-curated list of useful payloads and bypasses for web application security work. The README describes it as a resource for web application security and invites people to contribute their own payloads and techniques. It is meant for security testers, bug-bounty hunters, and CTF players who need ready-made strings, snippets, and patterns to probe a target for known classes of vulnerabilities, rather than for end users running an app.

The repository is organized as a documentation-style collection. Each chapter covers one class of vulnerability and follows a consistent layout. A README.md describes the vulnerability and how to exploit it, including several example payloads; alongside it sit subdirectories: an Intruder folder holding files intended for use with Burp Intruder, an Images folder, and a Files folder for any extra files referenced from the text. A _template_vuln folder is provided so new chapters can be added in the same shape.

The README links to companion resources by the same author: InternalAllTheThings, a cheat sheet for Active Directory and internal pentests, and HardwareAllTheThings, a wiki on hardware and IoT testing. There are also curated lists of recommended books and YouTube channels. An alternative HTML display of the same content is published as PayloadsAllTheThingsWeb.

Someone would use this when assessing a web application or preparing for a CTF and looking for known payloads to try, bypass tricks, methodology references, or enumeration tips. The repository's primary language is Python, with Markdown documentation as its main delivery format.

Copy-paste prompts

Prompt 1
Show me the SQL injection payloads from PayloadsAllTheThings that work against common databases.
Prompt 2
What are the XSS bypass techniques documented in PayloadsAllTheThings for modern browsers?
Prompt 3
Give me a list of authentication bypass payloads from PayloadsAllTheThings I can test on a login form.
Prompt 4
How do I use the Burp Intruder files from PayloadsAllTheThings to automate vulnerability scanning?

Generated 2026-05-18 · Model: sonnet-4-6 · Verify against the repo before relying on details.