Displaying 1 to 20 from 41 results

payloads - Git All the Payloads! A collection of web attack payloads.

  •    Shell

run ./get.sh to download external payloads and unzip any payload files that are compressed. Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.

Stitch - Python Remote Administration Tool (RAT)

  •    Python

Stitch is for education/research purposes only. The author takes NO responsibility and/or liability for how you choose to use any of the tools/source code/any files provided. The author and anyone affiliated with will not be liable for any losses and/or damages in connection with use of ANY files provided with Stitch. By using Stitch or any files included, you understand that you are AGREEING TO USE AT YOUR OWN RISK. Once again Stitch and ALL files included are for EDUCATION and/or RESEARCH purposes ONLY. Stitch is ONLY intended to be used on your own pentesting labs, or with explicit consent from the owner of the property being tested. This is a cross platform python framework which allows you to build custom payloads for Windows, Mac OSX and Linux as well. You are able to select whether the payload binds to a specific IP and port, listens for a connection on a port, option to send an email of system info when the system boots, and option to start keylogger on boot. Payloads created can only run on the OS that they were created on.




mpc - MSFvenom Payload Creator (MSFPC)

  •    Shell

A quick way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework). MSFvenom Payload Creator (MSFPC) is a wrapper to generate multiple types of payloads, based on users choice. The idea is to be as simple as possible (only requiring one input) to produce their payload.

CHAOS - :fire: CHAOS allow generate payloads and control remote Windows systems.

  •    Go

CHAOS allow generate payloads and control remote Windows systems. 📚 This project was created only for learning purpose.

AwesomeXSS - Awesome XSS stuff

  •    Javascript

Awesome XSS stuff. Put this repo on watch. I will be updating it regularly. Yep, confirm because alert is too mainstream.

gith - simple node server that responds to github post-receive events with meaningful data

  •    Javascript

In your node application, require gith and create a gith server. You can specify a port now, or you can use the .listen( portNumber ) method later. Pass an object of how you want to filter gith (if at all) and subscribe to an event.


HERCULES - HERCULES is a special payload generator that can bypass antivirus softwares.

  •    Go

HERCULES is a customizable payload generator that can bypass antivirus software. WARNING: Don't change the location of the HERCULES folder.

xss-payload-list - 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

  •    HTML

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.

Amber - Reflective PE packer.

  •    Assembly

amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations. If you want to learn more about the packing methodology used inside amber check out below. For more detail about usage, installation and how to decrease detection rate check out WIKI. Developed By Ege Balcı from INVICTUS/PRODAFT.

ezXSS - ezXSS is an easy way to test (blind) XSS

  •    HTML

ezXSS is an easy way to test (blind) Cross Site Scripting. I'm currently busy with building ezXSS 3. The whole application will be re-coded.

Cloak - Cloak can backdoor any python script with some tricks.

  •    Python

Cloak generates a python payload via msfvenom and then intelligently injects it into the python script you specify. To evade basic detection, Cloak breaks the payload into several parts and places it in different places in the code. If you want the victim to run your injected script as root, Cloak can handle that too. Cloak will be further upgraded in future to support a wide range of payloads, platforms and evasion techniques.

malware-jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction

  •    Javascript

malware-jail is written for Node's 'vm' sandbox. Currently implements WScript (Windows Scripting Host) context env/wscript.js, at least the part frequently used by malware. Internet browser context is partialy implemented env/browser.js. Runs on any operating system. Developed and tested on Linux, Node.js v6.6.0.

ts-helpers - Typescript helpers for compiling typescript while specifying `--noEmitHelpers` within your `tsconfig

  •    TypeScript

Typescript helpers (TS <= 2.0) for compiling typescript while specifying --noEmitHelpers within your tsconfig.json.To mitigate this problem Typescript starting from version 1.8 allow us to specify noEmitHelpers: truewhich wont generate these helpers.

subtext - HTTP payload parser

  •    Javascript

HTTP payload parser.subtext parses the request body and returns it in a promise.

github-push-receive - issue a `git push` in response to a github post-receive hook payload

  •    Javascript

Issue a git push in response to a github post-receive hook payload.The github payloads received by this server will be forwarded to the git server running on http://localhost:8051. You can use whichever protocol you like here since github-push-receive just shells out to git.






We have large collection of open source products. Follow the tags from Tag Cloud >>


Open source products are scattered around the web. Please provide information about the open source projects you own / you use. Add Projects.