Skip to content

Web Code Snippets

CTRL K

CTRL K

Scaffolding
HTTP
BeautifulSoup
Parsing
Encodings
Utils
WebSockets
Concurrency & Infra
pwntools
Archives
Chains
SQL Injection
- Boolean
- Blind
- Time-based
NoSQL Injection
XPath Injection
LDAP Injection
- Boolean Blind
JavaScript Injection
- In-band
- Time-based
Command Injection
- Blind OOB

Scaffolding
HTTP
BeautifulSoup
Parsing
Encodings
Utils
WebSockets
Concurrency & Infra
pwntools
Archives
Chains
SQL Injection
- Boolean
- Blind
- Time-based
NoSQL Injection
XPath Injection
LDAP Injection
- Boolean Blind
JavaScript Injection
- In-band
- Time-based
Command Injection
- Blind OOB

Web Code Snippets

Web Code Snippets

A personal, searchable bank of reusable Python building blocks for web-exploitation scripting and OSWE prep. Each block is cleaned and copy-paste-ready — plumbing to assemble into new scripts. Browse from the sidebar, or press Ctrl K to search by goal — for example csrf token, boolean oracle, base64, or time based.

Building blocks

Scaffolding (5)

Script skeletons every exploit starts from: argument parsing, a Burp-routed requests session, and a safe request wrapper.

Sending requests the way a target expects them: query params, form and JSON bodies, multipart uploads, cookies, bearer tokens, and CSRF flows.

BeautifulSoup (7)

Focused BeautifulSoup recipes: reading attributes, element text, nested finds, find_all, CSS selectors, and stripped_strings.

Pulling structure out of responses without BeautifulSoup: regex extraction, JSON traversal, PDF text, and zipping scraped lists.

Base64, URL, hex and HTML codecs, and JWT decode and forge.

Hashing, random credential generation, file and wordlist helpers, and self-modifying scripts.

Synchronous and asyncio WebSocket clients, and a blind oracle that drives extraction over a single socket.

Concurrency & Infra (4)

Servers and primitives that catch callbacks: a threaded HTTP server, OOB capture, race-condition barriers, and hosted collaborators.

Catching a reverse shell end to end: a pwntools listener that binds before the trigger fires, reads the blocking request Timeout as delivery, and drops into an interactive session.

Building and reading ZIP and TAR files, including Zip-Slip and symlink-traversal archives.

End-to-end skeletons that stitch primitives together: SSRF internal port scans and second-order injection.

Injection techniques

SQL Injection (10)

Python automation for SQL injection, organised by oracle type: content-based boolean, blind row/length/char dumping, and time-based.

NoSQL Injection (4)

Operator and $regex boolean-blind exfiltration, server-side JavaScript injection, and time-based oracles for NoSQL backends.

XPath Injection (4)

XPath injection in Python: authentication bypass, in-band node dumping, and boolean and time-based blind extraction.

LDAP Injection (2)

Boolean-blind LDAP injection: bruteforcing a password and dumping arbitrary attributes one character at a time.

JavaScript Injection (3)

Server-side JavaScript code injection: in-band command output and time-based blind oracles.

Command Injection (1)

Blind command injection with out-of-band exfiltration and an ${IFS} space-filter bypass.

Powered by Hextra

© 2026 Hextra Project.