This is the data that powers the PortSwigger URL validation bypass cheat sheet. We have put this data on Github so the community can contribute vectors via pull requests.
To contribute, please create a pull request with changes to the JSON data.
For example, to add a new payload to the domain_allow_list_bypass.json file, use the following template:
{
"id": "d82a33ae7aa92b0f1f1f5d71a24c0f1197da4e7a",
"payload": "<attacker>.<allowed>",
"description": "<attacker>.<allowed>",
"tags": ["URL", "HOST", "CORS"],
"filters": []
}- The
idshould be a sha1 hash of the payload parameters:${prefix}${payload}${suffix}. - The
payloadmay include template strings<attacker>and<allowed>, which will be replaced with corresponding domain names during wordlist generation. - The
descriptionproperty is not processed during execution. - The
tagsarray should only include supported tags: URL, HOST, and CORS. - The
filtersarray should remain empty as it is intended for future releases with advanced filtering options.
Please make sure you search the data to ensure your vector hasn't already been added. The json schema validation file available at schema.json Please include your Twitter handle in the pull request message if you would like to be credited with it.
The copyright for this project belongs to PortSwigger Web Security. We do not want this data to be used to create derivative cheat sheets hosted elsewhere, so we are not providing a license. That said, you are free to fork this repo in order to create pull requests back.