finds.dev

// the find

swisskyrepo/PayloadsAllTheThings

★ 78,931 · Python · MIT · updated Jun 2026

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

PayloadsAllTheThings is a community-maintained reference library covering nearly every web application attack category — SQL injection, SSRF, SSTI, deserialization, file upload bypasses, and more. It's aimed at penetration testers and bug bounty hunters who need ready-to-paste payloads and Burp Intruder wordlists without having to reconstruct them from scratch each engagement.

The coverage is genuinely broad and stays current: 78k stars and active commits through mid-2026 mean someone is usually patching outdated techniques. The Intruder wordlist files load into Burp as-is, one payload per line, without any transformation. The per-vulnerability folder structure (README + Intruder files + helper scripts) is consistent enough that you can navigate it blind. The companion InternalAllTheThings and HardwareAllTheThings repositories extend the same format into AD/internal and hardware testing without fragmenting the core repo.

Quality is uneven across sections: older categories like Google Web Toolkit read like they haven't been touched in years, while newer ones like Prompt Injection are thin. There's no machine-readable index or tagging system, so finding a specific bypass variant means already knowing which folder the repo files it under and what the README calls it. The 'Methodology and Resources' section mixes genuinely useful cheatsheets with Cobalt Strike and Mimikatz guides that are years behind current tooling. Entries carry no version or date, so when a bypass stopped working last year you can't tell whether it was removed or is still listed and silently wrong; verify a payload against a known-vulnerable target before relying on it in an engagement.
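The missing index is easy enough to build yourself. The script below is an added example written for this review, not code from PayloadsAllTheThings; it assumes only the per-folder layout described above (a README.md, an Intruder/ directory of one-payload-per-line wordlists, optional helper scripts) and creates its own constructed three-folder tree to run against, so every folder, file and heading name in it is illustrative rather than copied from the repo. Pointed at a real clone, build_index() gives you a JSON index you can search by folder name, README heading or wordlist name instead of guessing the folder first.

```python
"""Build a searchable index of a PayloadsAllTheThings-style checkout.

Added example for this review, not code from the repository. It assumes only
the layout the review describes: one folder per vulnerability class holding a
README.md, an Intruder/ directory of one-payload-per-line wordlists, and
optional helper scripts. The folder, file and heading names created by
make_demo_checkout() are constructed for the demo, not copied from the repo.
"""
import json
import re
import tempfile
from pathlib import Path

HEADING_RE = re.compile(r"^#{1,6}\s+(.*\S)\s*$")   # Markdown ATX headings
SCRIPT_SUFFIXES = {".py", ".sh", ".rb", ".php", ".js"}


def index_category(folder: Path) -> dict:
    """Summarise one category folder: README headings, wordlists, scripts."""
    readme = folder / "README.md"
    headings = []
    if readme.is_file():
        for line in readme.read_text(encoding="utf-8", errors="replace").splitlines():
            m = HEADING_RE.match(line)
            if m:
                headings.append(m.group(1))
    wordlists = {}
    intruder = folder / "Intruder"
    if intruder.is_dir():
        for wl in sorted(intruder.iterdir()):
            if wl.is_file():
                text = wl.read_text(encoding="utf-8", errors="replace")
                # count real payloads only; blank lines would become empty Intruder values
                wordlists[wl.name] = sum(1 for ln in text.splitlines() if ln.strip())
    scripts = sorted(p.name for p in folder.iterdir()
                     if p.is_file() and p.suffix in SCRIPT_SUFFIXES)
    return {"category": folder.name, "has_readme": readme.is_file(),
            "headings": headings, "wordlists": wordlists, "scripts": scripts}


def build_index(root: Path) -> dict:
    """Index every top-level category folder (skips dot-directories such as .git)."""
    return {d.name: index_category(d)
            for d in sorted(root.iterdir())
            if d.is_dir() and not d.name.startswith(".")}


def search(index: dict, term: str) -> list:
    """Case-insensitive lookup across folder names, README headings and wordlist names."""
    term = term.lower()
    hits = []
    for cat, entry in index.items():
        if term in cat.lower():
            hits.append((cat, "(folder name)"))
        hits.extend((cat, h) for h in entry["headings"] if term in h.lower())
        hits.extend((cat, "Intruder/" + wl) for wl in entry["wordlists"] if term in wl.lower())
    return hits


def make_demo_checkout() -> Path:
    """Create a constructed three-category tree in a temp dir (not the real repo)."""
    root = Path(tempfile.mkdtemp(prefix="patt-demo-"))
    sqli = root / "SQL Injection"
    (sqli / "Intruder").mkdir(parents=True)
    (sqli / "README.md").write_text(
        "# SQL Injection\n\n## Summary\n\n## Authentication Bypass\n\n## WAF Bypass\n")
    # the blank line in the middle is deliberate: the indexer must not count it
    (sqli / "Intruder" / "auth_bypass.txt").write_text("' OR 1=1--\n\" OR 1=1--\n\nadmin'--\n")
    ssti = root / "Server Side Template Injection"
    ssti.mkdir()
    (ssti / "README.md").write_text("# SSTI\n\n## Detection\n\n## Jinja2 Filter Bypass\n")
    (ssti / "ssti_detect.py").write_text("# hypothetical helper script, constructed for the demo\n")
    pi = root / "Prompt Injection"
    pi.mkdir()
    (pi / "README.md").write_text("# Prompt Injection\n\n## Summary\n")   # no Intruder/ dir
    (root / ".git").mkdir()   # must be skipped by build_index
    return root


if __name__ == "__main__":
    idx = build_index(make_demo_checkout())
    print(json.dumps(idx, indent=2))
    for cat, where in search(idx, "bypass"):
        print(f"{cat}: {where}")
```

Against a real checkout, call build_index(Path("PayloadsAllTheThings")) and dump the result once per pull; the per-wordlist payload counts double as a sanity check that a list you are about to feed into Intruder isn't empty or padded with blank entries.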

