This project was created to help provide rigorous tests for Web Application Firewalls (WAFs) rules.
You can use these payloads to ensure the expected response is received from a sent payload or to check the efficacy of a WAF solution.
Some false positives are included to test if an acceptable payload is incorrectly identified as malicious.
The payloads were divided into their respective categories; duplicates, comments, blank lines, etc. were removed. The data has been cleaned as thoroughly as possible so that it contains as many real, working payloads as possible.
To check for bypasses, most XSS payloads exist three times, with alert(), prompt() and confirm(), since WAFs may block only alert().
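The alert()/prompt()/confirm() rule above is easy to check mechanically. The following is an added example, not part of this repository: it rewrites a payload with each of the three sinks and reports which sibling variants are absent from a list. The regex, the `sink_variants` and `missing_variants` names and the sample list are assumptions of this example; it assumes the collection varies only the function name, not its arguments.

```python
import re

# The three JavaScript sinks the collection rotates through, in a fixed order.
SINKS = ("alert", "prompt", "confirm")
# Matches a sink name only when it is immediately followed by a call: alert(1) or alert`1`.
# The lookahead keeps the opening bracket out of the match so sub() touches only the name.
SINK_RE = re.compile(r"\b(alert|prompt|confirm)(?=\s*[(`])")


def sink_variants(payload: str) -> list[str]:
    """Return the payload rewritten with each sink, alert/prompt/confirm order.
    A payload that calls none of the sinks comes back unchanged as a one-item list."""
    if not SINK_RE.search(payload):
        return [payload]
    return [SINK_RE.sub(name, payload) for name in SINKS]


def missing_variants(payloads: list[str]) -> dict[str, list[str]]:
    """Map each sink-bearing payload to the sibling variants missing from the list."""
    present = set(payloads)
    missing: dict[str, list[str]] = {}
    for payload in payloads:
        absent = [v for v in sink_variants(payload) if v not in present]
        if absent:
            missing[payload] = absent
    return missing


# Constructed sample list (hypothetical, not from the repository): the first payload has
# all three siblings present, the img payload lacks two, the SQLi line has no sink at all.
SAMPLE = [
    "<script>alert(1)</script>",
    "<script>prompt(1)</script>",
    "<script>confirm(1)</script>",
    "<img src=x onerror=alert(document.domain)>",
    "' OR 1=1--",
]

if __name__ == "__main__":
    for payload, absent in missing_variants(SAMPLE).items():
        print(f"{payload!r} is missing: {absent}")
```

Run it against a real true-positives.txt by replacing `SAMPLE` with the file's lines; an empty result means every alert() payload has its prompt() and confirm() twins.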
Payloads from the following Github repositories and web pages are included:
- SecLists "Fuzzing": LFI, SQLi, XSS, XML-FUZZ, XSS-Fuzzing, XXE-Fuzzing and Polyglots
- Foospidy's Payloads: XSS, SQLi and code injection payloads
- PayloadsAllTheThings: XXE Injection, Command Injection, dotdotpwn.txt, Traversal.txt, JHADDIX_LFI.txt, SQL Injection and XSS Injection payloads
- Awesome-WAF: Exotic WAF bypasses
- WAF Efficacy Framework: payloads and most of its false positives
- WAF community bypasses
- SQLi and Community SQLi, XML and Community XXE, XSS and Community XSS of GoTestWAF and most of its false positives.
- Payloadbox's XXE Injection Payload List
- Payloadbox's SQL Injection Payload List
- Log4Shell Payloads from Ox4Shell, Log4Shell hell and log4shell-analysis
- Shellshock payloads are taken from Inside Shellshock and Tishna
They were last accessed on October 07, 2022.
Payloads can be found in nuclei/payloads/[category]/true-positives.txt
You can use any tool of your choice for testing, because they are just simple text files with one payload per line.
However, this repository was created for use with WAF Efficacy Framework in mind.
WAF Efficacy Framework was chosen because it is free, open source, modular and allows easy integration of new test scenarios/payloads. It is user-friendly, actively developed and standardized. Last but not least, all requests are recorded and logged in JSON format, including request/response pairs and additional metadata.
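Because the payload files are plain one-per-line text, a minimal harness in the spirit of the framework fits in a single script. The following is an added example, not code from this repository or from WAF Efficacy Framework: it loads a true-positive and a false-positive set, sends each payload through a probe, records every request/response pair as JSON lines and summarises detection and false-positive rates. The `http_probe` helper, its `q` parameter, the `simulated_waf` stand-in, the sample payload text and the output file name are assumptions of this example; the stand-in is deliberately crude so the demo produces both a miss and a false positive offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

Probe = Callable[[str], tuple[int, str]]  # payload -> (HTTP status, response body)


def load_payloads(text: str) -> list[str]:
    """Parse a payload file as shipped here: one payload per line, blank lines ignored.
    Lines are otherwise kept as-is, since surrounding spaces can be part of a payload."""
    return [line for line in text.splitlines() if line.strip()]


def http_probe(base_url: str, param: str = "q", timeout: float = 5.0) -> Probe:
    """Return a probe that sends each payload as GET parameter `param` to base_url
    (a hypothetical test endpoint behind the WAF under test, assumed here)."""
    def probe(payload: str) -> tuple[int, str]:
        url = f"{base_url}?{urllib.parse.urlencode({param: payload})}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.status, resp.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # a 403 from the WAF arrives as an exception
            return err.code, err.read(4096).decode("utf-8", "replace")
    return probe


def simulated_waf(payload: str) -> tuple[int, str]:
    """Offline stand-in probe (constructed for this example, not a real WAF):
    a few naive substring rules that both miss an XSS variant and block a benign path."""
    lowered = payload.lower()
    if "<script" in lowered or "' or " in lowered or "../" in lowered:
        return 403, "blocked by simulated rule"
    return 200, "ok"


def evaluate(true_positives, false_positives, probe: Probe, blocked_statuses=(403, 406)):
    """Send both sets, record every request/response pair, and summarise the outcome:
    a true positive should be blocked, a false positive should pass through."""
    records = []
    for category, payloads in (("true-positive", true_positives), ("false-positive", false_positives)):
        for payload in payloads:
            status, body = probe(payload)
            records.append({
                "category": category,
                "payload": payload,
                "status": status,
                "blocked": status in blocked_statuses,
                "response_excerpt": body[:200],
            })
    tp = [r for r in records if r["category"] == "true-positive"]
    fp = [r for r in records if r["category"] == "false-positive"]
    detected = sum(r["blocked"] for r in tp)
    wrongly_blocked = sum(r["blocked"] for r in fp)
    summary = {
        "true_positives": len(tp),
        "detected": detected,
        "missed": [r["payload"] for r in tp if not r["blocked"]],
        "false_positives": len(fp),
        "wrongly_blocked": [r["payload"] for r in fp if r["blocked"]],
        "detection_rate": detected / len(tp) if tp else None,
        "false_positive_rate": wrongly_blocked / len(fp) if fp else None,
    }
    return summary, records


# Constructed stand-ins for true-positives.txt and false-positives.txt (sample data, not the repository's).
TRUE_POSITIVES_TXT = """<script>alert(1)</script>
' OR 1=1--
../../etc/passwd
<svg/onload=confirm(1)>
"""
FALSE_POSITIVES_TXT = """Tom's OR Jerry's diner
project/../notes.txt
hello world
"""

if __name__ == "__main__":
    summary, records = evaluate(load_payloads(TRUE_POSITIVES_TXT),
                                load_payloads(FALSE_POSITIVES_TXT), simulated_waf)
    with open("waf-results.jsonl", "w", encoding="utf-8") as fh:
        for record in records:  # one JSON object per request/response pair
            fh.write(json.dumps(record) + "\n")
    print(json.dumps(summary, indent=2))
```

To run it against a real deployment, swap `simulated_waf` for `http_probe("https://your-test-host/echo")` and read the two files from nuclei/payloads/[category]/. The `missed` and `wrongly_blocked` lists are the actionable part: the first shows rules that need tightening, the second shows rules that would hurt legitimate traffic.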
- nuclei/config.yaml: config file for Nuclei
- nuclei/templates: YAML template files for Nuclei
- nuclei/payloads: payloads (true/false positives) in text files
Just clone the repository and overwrite the contents of the nuclei folder with the one in this repository. Then run the tool as usual.
We do not claim any copyright. This is just a collection of payloads from different sources. Most of them are MIT licensed, and you have to comply with the rules of the licenses used.