Thank you for your interest in contributing to this project! This guide will help you understand how to contribute effectively.
There are several ways you can contribute to this project:
- Add new payloads - Submit new injection payloads
- Improve existing payloads - Enhance or optimize current payloads
- Fix errors - Correct mistakes or outdated information
- Improve documentation - Enhance README, guides, and comments
- Report issues - Report bugs or suggest improvements
- Authorization Only: All payloads must be intended for authorized security testing
- Quality over Quantity: Submit well-tested, unique payloads
- Clear Documentation: Include comments explaining payload purpose and usage
- Ethical Use: Ensure contributions align with ethical security practices
- One payload per line
- Use comments starting with `#` for explanations
- Group related payloads with descriptive comment headers
- No trailing whitespace
- UTF-8 encoding
```
# Category Description
# Brief explanation of the payload type

# Basic Payload
payload_here

# Advanced Payload with encoding
%encoded%payload%here

# Payload with special characters
payload;with;separators
```
Payloads should be added to the appropriate file in the Intruder/ directory:
- `http-injection.txt` - HTTP protocol injection
- `smtp-injection.txt` - SMTP/email injection
- `ldap-injection.txt` - LDAP injection
- `sql-injection.txt` - SQL injection
- `xpath-injection.txt` - XPath injection
- `ssrf-injection.txt` - SSRF payloads
- `command-injection.txt` - OS command injection
- `xxe-injection.txt` - XXE injection
Before submitting payloads:
1. Test in a controlled environment
   - Use local test servers
   - Set up vulnerable applications (DVWA, WebGoat, etc.)
   - Never test on production systems without authorization
2. Verify uniqueness
   - Check if the payload already exists
   - Ensure it provides value over existing payloads
3. Document behavior
   - Note which systems/versions the payload works on
   - Document any special requirements or conditions
- Be respectful and professional
- Provide constructive feedback
- Help others learn and improve
- Follow ethical security practices
- Respect intellectual property
Click the "Fork" button at the top right of the repository page.
```bash
git clone https://github.com/YOUR_USERNAME/protocol-injection-payload-list.git
cd protocol-injection-payload-list
git checkout -b feature/add-new-payloads
```
Use descriptive branch names:
- `feature/add-xxe-payloads`
- `fix/sql-injection-typos`
- `docs/improve-readme`
- Open the appropriate file in the `Intruder/` directory
- Add your payloads following the format guidelines
- Include clear comments and descriptions
Example:
```
# New XSS Bypass Technique - 2024
# Bypasses modern WAFs using Unicode normalization
%u003Cscript%u003Ealert(1)%u003C/script%u003E

# Alternative encoding
\u003Cscript\u003Ealert(1)\u003C/script\u003E
```
- Update README.md with new information
- Add examples and use cases
- Improve clarity and readability
1. Validate formatting
   ```bash
   # Check for trailing whitespace
   grep -n '[[:space:]]$' Intruder/*.txt
   # Check file encoding
   file -i Intruder/*.txt
   ```
2. Test payloads in your controlled environment
3. Review for duplicates
   ```bash
   # Check for duplicate lines
   sort Intruder/sql-injection.txt | uniq -d
   ```
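The three manual checks above can be combined into one lint function that runs against a payload file before you commit, enforcing the format guidelines from this guide (comments start with `#`, no trailing whitespace, UTF-8 encoding, no duplicate payloads). The script below is an added example, not a script shipped by the project: the function name `lint_payload_file` and the sample file it writes are constructed for illustration, and it assumes a POSIX shell with `grep`, `sort`, `uniq` and, optionally, `iconv` available.

```shell
#!/bin/sh
# Added example (not from the project): lint a payload file against the
# format rules in this guide: comments start with '#', no trailing
# whitespace, UTF-8 encoding, and no duplicate payloads.
# Usage: lint_payload_file Intruder/sql-injection.txt
# Returns 0 when the file is clean, 1 when any rule is violated.

lint_payload_file() {
    file="$1"
    status=0

    if [ ! -f "$file" ]; then
        echo "$file: no such file" >&2
        return 1
    fi

    # Rule: no trailing whitespace (this also catches CRLF line endings,
    # because the carriage return is in the [[:space:]] class)
    if grep -n '[[:space:]]$' "$file" >/dev/null; then
        echo "$file: trailing whitespace on line(s):" >&2
        grep -n '[[:space:]]$' "$file" >&2
        status=1
    fi

    # Rule: UTF-8 encoding. iconv exits non-zero on an invalid byte sequence;
    # the check is skipped when iconv is not installed (assumption: the
    # GNU/BSD iconv command-line interface).
    if command -v iconv >/dev/null 2>&1; then
        if ! iconv -f UTF-8 -t UTF-8 "$file" >/dev/null 2>&1; then
            echo "$file: not valid UTF-8" >&2
            status=1
        fi
    fi

    # Rule: every payload unique. Comment lines and blank lines are ignored
    # so a repeated section header such as '# Basic Payload' is not flagged.
    dups=$(grep -v '^#' "$file" | grep -v '^[[:space:]]*$' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$file: duplicate payload(s):" >&2
        echo "$dups" >&2
        status=1
    fi

    return $status
}

# Constructed sample file (not from the project) with two deliberate
# violations: a duplicate payload and a line ending in a space.
sample=$(mktemp)
printf '# Basic Payload\npayload_here\npayload_here\nother_payload \n' > "$sample"
lint_payload_file "$sample" || echo "sample has format violations (expected)"
rm -f "$sample"
```

Run it over every file with `for f in Intruder/*.txt; do lint_payload_file "$f"; done`; because the function reports every violation before returning, a single pass lists everything that needs fixing rather than stopping at the first problem.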
Write clear, descriptive commit messages:
```bash
git add Intruder/sql-injection.txt
git commit -m "Add SQL injection payloads for PostgreSQL JSON operators

- Add JSON operator injection payloads
- Include error-based injection variants
- Add bypass techniques for parameterized queries"
```
Commit message format:
```
<type>: <subject>

<body>

<footer>
```
Types:
- `feat`: New feature or payloads
- `fix`: Bug fix or correction
- `docs`: Documentation changes
- `style`: Formatting changes
- `refactor`: Code restructuring
- `test`: Adding tests
- `chore`: Maintenance tasks
```bash
git push origin feature/add-new-payloads
```
- Go to your fork on GitHub
- Click "New Pull Request"
- Fill in the PR template with:
  - Clear title describing the change
  - Detailed description of what was added/changed
  - Testing performed
  - Any special considerations
## Description
Brief description of changes
## Type of Change
- [ ] New payloads
- [ ] Bug fix
- [ ] Documentation update
- [ ] Payload improvement
## Payload Category
- [ ] HTTP Injection
- [ ] SMTP Injection
- [ ] LDAP Injection
- [ ] SQL Injection
- [ ] XPath Injection
- [ ] SSRF
- [ ] Command Injection
- [ ] XXE
## Testing
Describe testing performed:
- Environment used
- Results obtained
- Systems tested against
## Checklist
- [ ] Payloads are unique
- [ ] Format guidelines followed
- [ ] Comments included
- [ ] Tested in controlled environment
- [ ] No trailing whitespace
- [ ] Appropriate file updated

Reviewers evaluate submissions for:
- Effectiveness - Does the payload work as intended?
- Uniqueness - Is it different from existing payloads?
- Documentation - Are comments clear and helpful?
- Format - Does it follow style guidelines?
- Safety - Is it appropriate for ethical testing?
- Initial review: 3-7 days
- Feedback provided for improvements
- Merged after approval
- Address reviewer comments promptly
- Make requested changes in your branch
- Push updates to your PR branch
- DVWA - Damn Vulnerable Web Application
- WebGoat - OWASP WebGoat
- bWAPP - buggy Web Application
- HackTheBox - Penetration testing labs
- TryHackMe - Security learning platform
Include:
- Description of the issue
- Expected behavior
- Actual behavior
- Steps to reproduce
- Environment details
If a payload doesn't work:
- Describe the target system
- Share error messages
- Suggest improvements or alternatives
Have ideas for improvement?
- Open an issue describing your suggestion
- Explain the benefit and use case
- Provide examples if applicable
Need help?
- Open a discussion on GitHub
- Check existing issues for answers
- Review documentation
By contributing, you agree that your contributions will be licensed under the MIT License.
All contributors will be recognized in the project. Significant contributions may be highlighted in release notes.
Thank you for helping make this project better! Your contributions help the security community stay safer.