Definition

What is Payload?

The component of an attack that performs the attacker's intended malicious action after a vulnerability has been triggered. In web security testing, a payload might be a JavaScript snippet injected through an XSS vulnerability, a SQL statement that exfiltrates database records, an OS command appended to a system call, or a serialized object that triggers code execution upon deserialization. Crafting effective payloads that evade filters while achieving exploitation is a core penetration testing skill.

Related terms

Exploit →

A piece of software, command sequence, or technique that leverages a known vulnerability to cause unintended or unauthorized behavior in a target system.

Cross-Site Scripting (XSS) →

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

SQL Injection (SQLi) →

An injection attack where malicious SQL statements are inserted into application input fields that are passed unsanitized to a database query, allowing attackers to manipulate query logic.

Reverse Shell →

A type of remote shell session where the compromised target machine initiates an outbound network connection back to the attacker's system, circumventing inbound firewall rules that would block a traditional bind shell.

Put this into practice

Multi-step attack chain simulation →

See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.