Pentest Arsenal

All-in-one security testing resources

Wordlists

Common wordlists used for brute forcing, discovery, and password attacks.

Name Description Link

XSS Payloads

Cross-Site Scripting (XSS) payload collection for testing web applications, based on PortSwigger's XSS Cheat Sheet.

Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action
Payload Description Action

Encode XSS payloads with various encoding methods to bypass different security filters. Use this tool to encode your payloads for WAF bypass, filter evasion, or other security testing purposes.

Available Encoding Methods:
  • HTML Entity - Encodes special characters as HTML entities
  • URL Encode - Encodes characters for use in URLs
  • Base64 - Base64 encoding for binary data representation
  • Hex - Converts characters to hexadecimal escape sequences
  • Decimal HTML Entity - Encodes characters as decimal HTML entities
  • JS Escape - Escapes special characters for JavaScript strings
  • Unicode - Converts to Unicode escape sequences
  • JS Unicode - JavaScript-style Unicode escapes
Encoding Method Result Action

HTML Payloads

HTML payloads and snippets for testing web applications.

Payload Description Action

LFI Payloads

Local File Inclusion (LFI) payload collection for testing server vulnerabilities.

Payload Description Action

Windows Privilege Escalation

Windows privilege escalation techniques, commands, and tools.

Payload Description Action

Resources

Name Description Link

Linux Privilege Escalation

Linux privilege escalation techniques, commands, and tools.

Payload Description Action

Resources

Name Description Link

Command Injection Payloads

Command injection payloads for testing server-side command execution vulnerabilities.

Payload Description Action

SQL Injection Payloads

SQL injection payloads for testing database vulnerabilities.

Payload Description Action

CSV Injection Payloads

CSV (Comma-Separated Values) injection payloads for exploiting formula injection vulnerabilities in spreadsheet applications.

Payload Description Action

OSINT Resources

Open Source Intelligence (OSINT) tools and resources for information gathering and reconnaissance.

Name Description Link

Regex Patterns

Useful regular expression patterns for security testing and data validation.

Pattern Description Action

Payload Generator

Tools for generating custom security payloads for testing and exploitation.

Name Description Link
Payload Playground An interactive platform for creating, testing, and sharing security payloads Visit

External Resources

Links to external resources, repositories, and tools for security testing.

Name Description Link

AWS Security

Amazon Web Services security testing resources, tools, and CLI commands.

Tool Description Link
Pacu AWS exploitation framework GitHub
ScoutSuite Multi-cloud security auditing tool GitHub
Prowler AWS CIS Benchmark tool GitHub
S3Scanner S3 bucket scanning GitHub
CloudSploit Cloud security configuration scanner GitHub
Warning: These techniques are for educational purposes only. Use only in environments where you have proper authorization.
Misconfiguration Description Detection Method
IAM User Keys Exposed IAM user access keys aws iam list-access-keys --user-name [username]
IAM Role Trust Policies Overly permissive trust relationships aws iam list-roles | grep RoleName
EC2 Instance Profile Over-privileged EC2 instance profiles aws iam list-instance-profiles
S3 Bucket Policies Permissive bucket policies aws s3api get-bucket-policy --bucket [bucket-name]
Lambda Policies Excessive Lambda function permissions aws lambda get-policy --function-name [function-name]
Command Description Action

Azure Security

Microsoft Azure security testing resources, tools, and CLI commands.

Tool Description Link
Warning: These techniques are for educational purposes only. Use only in environments where you have proper authorization.
Misconfiguration Description Detection Method
Command Description Action

GCP Security

Google Cloud Platform security testing resources, tools, and CLI commands.

Tool Description Link
GCP Scanner Scanner for GCP resources GitHub
GCPBucketBrute GCP storage bucket enumeration GitHub
ScoutSuite Multi-cloud security auditing tool GitHub
Forseti Security GCP security monitoring tool GitHub
GCP IAM Recommender Permissions management tool Docs
Warning: These techniques are for educational purposes only. Use only in environments where you have proper authorization.
Misconfiguration Description Detection Method
Service Account Roles Over-permissive service account roles gcloud projects get-iam-policy [project-id]
Custom Roles Custom roles with excessive permissions gcloud iam roles list --project=[project-id]
Service Account Keys Exposed service account keys gcloud iam service-accounts keys list --iam-account=[account]
Compute Instance Metadata Access to compute instance metadata curl -H "Metadata-Flavor: Google" 'http://metadata.google.internal/computeMetadata/v1/instance/'
Cloud Storage ACLs Permissive bucket ACLs gsutil iam get gs://[bucket-name]
Command Description Action

Bookmark Tools

Useful browser bookmarklets for security testing and web development. Each bookmarklet is shown with its code, description, and actions. To use a bookmarklet, drag the "Drag to Bookmarks Bar" button directly to your browser's bookmarks bar - do not click it. Once saved, you can click the bookmark when visiting any website to run the tool.

Code Description Action