PortSwigger / url-cheatsheet-data

This is the data that powers the PortSwigger URL validation bypass cheat sheet.
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

URL validation bypass cheat sheet data

This is the data that powers the PortSwigger URL validation bypass cheat sheet. We have put this data on GitHub so the community can contribute vectors via pull requests.

Contributing

To contribute, please create a pull request with changes to the JSON data.

For example, to add a new payload to the domain_allow_list_bypass.json file, use the following template:

{
    "id": "d82a33ae7aa92b0f1f1f5d71a24c0f1197da4e7a",
    "payload": "<attacker>.<allowed>",
    "description": "<attacker>.<allowed>",
    "tags": ["URL", "HOST", "CORS"],
    "filters": []
}

Please make sure you search the data to ensure your vector hasn't already been added. The JSON schema validation file is available at schema.json. Please include your Twitter handle in the pull request message if you would like to be credited with it.
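A pre-submission check for the duplicate search described above, as an added example that is not part of this repository: it compares a new entry against the template's fields and against the entries already in a data file. It assumes each data file is a JSON array of objects shaped like the template; `check_entry` and the sample data are hypothetical, and the check does not replace validation against schema.json.

```python
import json

# Field names and types taken from the template entry in this README.
TEMPLATE_FIELDS = {"id": str, "payload": str, "description": str,
                   "tags": list, "filters": list}


def check_entry(entry, existing):
    """Return a list of problems with `entry`; an empty list means none found.

    `existing` holds the entries already in the data file (assumed layout:
    a JSON array of objects shaped like the template).
    """
    problems = []
    for key, expected in TEMPLATE_FIELDS.items():
        if key not in entry:
            problems.append(f"missing field: {key}")
        elif not isinstance(entry[key], expected):
            problems.append(f"{key} should be a {expected.__name__}")
    for key in sorted(entry.keys() - TEMPLATE_FIELDS.keys()):
        problems.append(f"field not in template: {key}")
    tags = entry.get("tags")
    if isinstance(tags, list) and not all(isinstance(t, str) for t in tags):
        problems.append("tags should contain only strings")
    for other in existing:
        if "id" in entry and other.get("id") == entry["id"]:
            problems.append(f"id already used: {entry['id']}")
        # Exact comparison: case or encoding variants can be distinct vectors.
        if "payload" in entry and other.get("payload") == entry["payload"]:
            problems.append(f"payload already present under id {other.get('id')}")
    return problems


# Constructed sample standing in for a data file; not copied from the repository.
EXISTING = json.loads("""[
  {"id": "0000000000000000000000000000000000000001",
   "payload": "<placeholder-a>", "description": "<placeholder-a>",
   "tags": ["URL"], "filters": []}
]""")

# The template entry from this README, used as the candidate.
NEW_ENTRY = json.loads("""{
  "id": "d82a33ae7aa92b0f1f1f5d71a24c0f1197da4e7a",
  "payload": "<attacker>.<allowed>", "description": "<attacker>.<allowed>",
  "tags": ["URL", "HOST", "CORS"], "filters": []
}""")

if __name__ == "__main__":
    for line in check_entry(NEW_ENTRY, EXISTING) or ["no problems found"]:
        print(line)
```

To run it against a real file, replace `EXISTING` with the result of `json.load` on the data file you are editing.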

License

The copyright for this project belongs to PortSwigger Web Security. We do not want this data to be used to create derivative cheat sheets hosted elsewhere, so we are not providing a license. That said, you are free to fork this repo in order to create pull requests back.