Select a module below to start testing.
Auth bypass, UNION extraction, blind and time-based techniques
Reflected, Stored, and DOM-based variants
OS command execution via unsanitized user input
Local and remote file inclusion via include()
Unrestricted upload, no extension or MIME validation
Weak credentials, session fixation, predictable tokens
XXE to read local files via XML parser
Object injection via unsafe deserialization
Server-side request forgery to reach internal services
Directory traversal to read files outside webroot
Checks Content-Type header only, not actual file extension.