Vulnsy

Pentest Cheat Sheets

Curated payload, bypass, and defence references for the vulnerability classes you actually find in engagements. Every payload explains the technique. Every defence cites the source.

SQL Injection Cheat Sheet

SQL injection is a flaw where attacker-controlled input is concatenated into a database query, letting it escape the value slot and be parsed as query syntax rather than data. Variants split into in-band (UNION-based, error-based), blind (boolean-based, time-based, error-based blind) and out-of-band (DNS/HTTP exfiltration) channels, with second-order, stacked, NoSQL, ORM and JSON-SQLi sub-classes that each bypass different controls.

38 payloads · 7 families · OWASP A03
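As an added example (not one of the cheat sheet's payloads), the flaw described above in runnable form: the same login query built by string concatenation and by parameter binding, run against a constructed in-memory SQLite table. The tautology payload comments out the password check, the UNION payload reads a column the query never selected, and the bound version treats both as literal usernames. Table, rows and payloads are all made up for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample database: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'wonderland', 0);
        INSERT INTO users VALUES (2, 'admin', 'S3cret!', 1);
    """)
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: quote characters in the input are parsed as SQL."""
    query = ("SELECT username, is_admin FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    """Parameter binding: the driver sends values separately, so quotes stay data."""
    query = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def demo():
    conn = make_db()
    # Boolean tautology: close the string, then comment out the password predicate.
    bypass = login_vulnerable(conn, "admin'-- ", "whatever")
    # In-band UNION: match the column count (2) and pull a column never exposed.
    union = login_vulnerable(
        conn, "x' UNION SELECT password, id FROM users WHERE username='admin'-- ", "")
    # Same tautology payload against the bound query: it is just an odd username.
    safe = login_safe(conn, "admin'-- ", "whatever")
    return {"bypass": bypass, "union": union, "safe": safe}
```

The two injected queries end in a SQL line comment (`-- `), which is why the trailing `AND password = '...'` clause never runs; the bound query returns no rows because no user is literally named `admin'-- `.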

Cross-Site Scripting (XSS) Cheat Sheet

Cross-site scripting is a flaw where attacker-controlled input is rendered into a page in an executable context, letting JavaScript run in another user’s browser session. The canonical taxonomy is reflected (single-victim link), stored (multi-victim, persisted), DOM-based (client-side source-to-sink) and mutation XSS where a sanitiser-then-parser round trip exposes a tag the sanitiser blessed.

36 payloads · 8 families · OWASP A03

SSRF Cheat Sheet

Server-Side Request Forgery (SSRF) tricks a server into issuing HTTP, gopher, dict, file, or LDAP requests on the attacker's behalf to internal services. This cheat sheet collects the canonical payloads (loopback IP encodings, cloud-metadata endpoints, DNS rebinding hosts, exotic schemes), modern parser-confusion bypasses, and the deny-by-default defenses that actually hold up against IMDSv2-aware attackers in 2026.

46 payloads · 6 families · OWASP A10
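Added example, not part of the original cheat sheet: a deny-by-default address check of the kind the paragraph recommends, written in Python. It re-implements the inet_aton() shorthand rules (single number, hex, octal, and two- or three-part forms) that let 127.1, 2130706433 or 0x7f000001 slip past a dotted-quad regex, unwraps IPv4-mapped IPv6, and then tests the canonical address against loopback, private and link-local ranges (which covers the 169.254.169.254 metadata endpoint). It takes the address a fetcher is about to connect to; resolving a hostname once, checking the result and connecting to that same address (so a DNS-rebinding host cannot change its answer between check and use) is left to the caller. The blocked range list is an assumption; adjust it per environment.

```python
import ipaddress
import re

# Assumed deny list. 0.0.0.0/8 is included because the unspecified address reaches
# loopback on Linux; 169.254.0.0/16 covers the cloud metadata endpoint.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def inet_aton_like(host):
    """Normalise inet_aton()-style shorthand that a dotted-quad allowlist misses.

    One to four dot-separated parts, each decimal, octal (leading 0) or hex (0x);
    leading parts are one byte each and the last part fills the remaining bytes,
    as glibc's inet_aton() does. Returns an IPv4Address, or None if not such a literal.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    total = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        total = (total << width) | value
    return ipaddress.IPv4Address(total)

def canonical_ip(host):
    """Parse a host literal (brackets allowed) into an ip_address, unwrapping ::ffff:a.b.c.d."""
    host = host.strip("[]")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = inet_aton_like(host)
        if addr is None:
            return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def is_blocked_address(host):
    """Deny by default: anything unparsable is blocked, as is anything in a blocked range."""
    addr = canonical_ip(host)
    if addr is None:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)
```

The normaliser matters because ipaddress.ip_address() rejects every shorthand form, so a check built on it alone would either crash or, if the exception is swallowed as "not an IP", wave the request through as a hostname.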

Local File Inclusion Cheat Sheet

Local File Inclusion (LFI) and path traversal abuse user-controlled file paths to read or execute files outside the intended directory. This cheat sheet covers the canonical traversal payloads, encoding bypasses, PHP wrappers (php://filter, phar://, data://, expect://), Synacktiv filter-chain LFI2RCE, log and /proc poisoning, RFI variants, and the canonical-path defenses that hold up in 2026.

53 payloads · 8 families · OWASP A03
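Added example of the canonical-path defence named above, in Python; it is not code from the cheat sheet. A constructed document root is created in a temporary directory and each constructed payload (plain and double-encoded traversal, an absolute path, a php://filter wrapper, a null byte, and a symlink that points outside the root) is resolved with os.path.realpath() and served only when os.path.commonpath() shows it still lies under the root. Requires a POSIX filesystem that permits symlinks.

```python
import os
import re
import tempfile
from urllib.parse import unquote

class UnsafePath(ValueError):
    """Raised for any path that would be served from outside the document root."""

# php://, phar://, data:, expect:// and friends all start with a scheme.
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

def resolve_under(base_dir, user_path):
    """Resolve user_path strictly inside base_dir and return the real filesystem path.

    Decodes two layers of URL encoding (the web server decoded once already;
    decoding again catches ..%252f), refuses null bytes and wrapper schemes,
    canonicalises with realpath() so '..' segments and symlinks collapse, then
    checks containment with commonpath() rather than a string-prefix test
    (which '/var/www2' would pass against '/var/www').
    """
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise UnsafePath(f"null byte in {user_path!r}")
    if SCHEME.match(decoded):
        raise UnsafePath(f"wrapper or scheme in {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{user_path!r} escapes {base_dir!r}")
    return candidate

PAYLOADS = (  # constructed probes
    "readme.txt",
    "../../etc/passwd",
    "..%2f..%2fetc/passwd",
    "..%252f..%252fetc/passwd",
    "/etc/passwd",
    "escape/secret.txt",
    "php://filter/convert.base64-encode/resource=index.php",
    "readme.txt%00.png",
)

def demo():
    """Build a throwaway document root and report how each payload fares."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        with open(os.path.join(docs, "readme.txt"), "w") as fh:
            fh.write("public\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the root\n")
        # A symlink inside the root pointing outside it: lexical '..' checks miss
        # this, realpath() follows it.
        os.symlink(root, os.path.join(docs, "escape"))
        real_docs = os.path.realpath(docs)
        outcome = {}
        for payload in PAYLOADS:
            try:
                outcome[payload] = os.path.relpath(resolve_under(docs, payload), real_docs)
            except UnsafePath:
                outcome[payload] = "rejected"
        return outcome
```

Note that os.path.join() discards the base when the user path is absolute, which is why the `/etc/passwd` probe must be caught by the commonpath() check rather than by the join itself.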

Server-Side Template Injection (SSTI) Cheat Sheet

Server-Side Template Injection (SSTI) occurs when user input is concatenated into a template that the server evaluates, letting an attacker reach arbitrary expressions and usually remote code execution. Detect SSTI by sending a polyglot like ${{<%[%'"}}%\ then identify the engine with the divergence test {{7*'7'}} (Jinja → 7777777, Twig → 49). Exploit via engine-specific gadgets — Jinja2 globals, Twig filter callbacks, FreeMarker ?new(), Velocity classloader, ERB system().

54 payloads · 8 families · OWASP A03

XML External Entity (XXE) Cheat Sheet

XML External Entity (XXE) injection abuses XML parsers that resolve external entities, letting an attacker read local files, perform SSRF, exfiltrate data via DNS/HTTP, or DoS the server through entity expansion. Test with a DOCTYPE declaring a SYSTEM entity pointing at file:///etc/passwd; if the response reflects content, you have classic XXE. If not, escalate to blind OOB DTD or error-based local-DTD reuse.

28 payloads · 7 families · OWASP A05
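Added example, not from the original page: the classic probe from the paragraph above as a constructed payload, fed to a Python expat parser hardened the way defusedxml's forbid_dtd option works, by aborting on any DOCTYPE before an entity can be declared, let alone resolved. A constructed benign document without a DTD parses normally. The cost is that documents which legitimately carry a DTD are refused too; for most APIs that is the right trade.

```python
import xml.parsers.expat

class DoctypeForbidden(ValueError):
    """Raised as soon as the parser sees a DOCTYPE, before any entity is declared."""

# Constructed probe: the classic file-read XXE from the paragraph above.
XXE_PROBE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

# Constructed benign document with no DTD.
BENIGN = """<?xml version="1.0"?><order><id>42</id></order>"""

def parse_hardened(data):
    """Parse XML, refusing any document that declares a DTD.

    Entities (external, parameter, or the nested ones behind entity-expansion DoS)
    can only be declared inside a DOCTYPE, so rejecting the DOCTYPE up front closes
    classic, blind out-of-band and error-based XXE at once. Returns the root
    element name and its concatenated character data.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = {"root": None, "text": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    def on_start(name, attrs):
        if seen["root"] is None:
            seen["root"] = name

    def on_text(text):
        seen["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return seen["root"], "".join(seen["text"])

def probe_is_rejected(data):
    """True when the hardened parser refuses the document because of a DOCTYPE."""
    try:
        parse_hardened(data)
    except DoctypeForbidden:
        return True
    return False
```

Exceptions raised inside an expat handler propagate out of Parse(), so the rejection surfaces to the caller as a normal Python error and no further input is processed.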

OS Command Injection Cheat Sheet

OS Command Injection occurs when user input is concatenated into a shell command, letting an attacker append commands or flags. Detect with separator probes (; | & && ||), command substitution ($() or backticks), and time-based blind tests (sleep 10). When a verb is fixed, pivot to argument injection — supplying a value that begins with - or -- to introduce new flags into curl, ssh, git, find or tar.

48 payloads · 6 families · OWASP A03
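Added example in Python, not one of the cheat sheet's payloads, assuming a POSIX system with /bin/sh and an echo binary. It runs the same fixed verb three ways: a concatenated shell string that honours the separator and $() probes described above, an argv list that defeats them, and the same argv list showing that a fixed verb is still open to argument injection (a value of -n is parsed by echo as its option), followed by the guard that rejects option-like values.

```python
import subprocess

def echo_via_shell(user_input):
    """Vulnerable: the value is concatenated into a shell string, so ; | & && ||
    and $(...) inside it are interpreted by /bin/sh instead of being echoed."""
    result = subprocess.run(f"echo {user_input}", shell=True,
                            capture_output=True, text=True)
    return result.stdout

def echo_via_argv(user_input):
    """Fixed verb, argument list, no shell: separators and substitutions become
    literal characters inside one argument, so command injection is gone..."""
    result = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return result.stdout

def echo_guarded(user_input):
    """...but argument injection is not: a value beginning with '-' is parsed by
    the tool as an option (echo reads -n as 'no trailing newline'). Reject
    option-like values; where the tool supports it, also pass '--' before user data."""
    if user_input.startswith("-"):
        raise ValueError(f"refusing option-like argument {user_input!r}")
    return echo_via_argv(user_input)
```

The time-based blind probe from the paragraph (`sleep 10`) works the same way against echo_via_shell; it is left out here only so the example finishes instantly.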

Open Redirect Cheat Sheet

An open redirect lets an attacker control the destination of a server- or client-driven redirect, sending users from a trusted host to attacker.tld. Vulnerabilities sit on parameters like ?next=, ?url=, ?return_to= or in OAuth redirect_uri validation. Impact ranges from phishing and SAML RelayState abuse to full account takeover when chained with implicit-flow OAuth, where a token leaks via the URL fragment.

21 payloads · 5 families · OWASP A10
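Added example, not from the original cheat sheet: a Python validator for a ?next= style parameter that accepts only absolute paths on the current origin. It is written around the bypasses this class is known for: scheme-relative //attacker.tld, the backslash and tab variants browsers normalise into it, https:attacker.tld with no slashes, and javascript: URLs. The request host is a constructed value.

```python
from urllib.parse import urljoin, urlsplit

REQUEST_HOST = "app.example.com"  # constructed: the origin issuing the redirect

def is_safe_redirect(target, request_host=REQUEST_HOST):
    """Accept only absolute paths on the current origin; reject everything else.

    Catches what a plain "starts with /" check lets through: scheme-relative
    //attacker.tld, the backslash form /\\attacker.tld that browsers normalise to
    it, tab/newline characters browsers strip before parsing, https:attacker.tld
    with no slashes, and javascript: URLs.
    """
    if not target:
        return False
    # Browsers strip ASCII tab and newlines from URLs, then treat '\' as '/'.
    normalised = "".join(ch for ch in target if ch not in "\t\r\n").replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False  # absolute URL, scheme-relative URL, or the https:host form
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False  # relative path, or '///host' which browsers collapse to a host
    # Belt and braces: resolving against the request origin must stay on that host.
    resolved = urlsplit(urljoin(f"https://{request_host}/", normalised))
    return resolved.netloc == request_host

def safe_redirect_target(target, fallback="/"):
    """What the redirect handler should actually emit for a ?next= value."""
    return target if is_safe_redirect(target) else fallback
```

For OAuth redirect_uri the right check is different and simpler: exact string comparison against the registered URIs, with no prefix matching and no wildcards, so this path validator should not be reused there.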

Subdomain Takeover Cheat Sheet

A subdomain takeover happens when a DNS record (CNAME, NS, or MX) points at a third-party service that no longer claims the host, so an attacker can re-register the orphaned resource and serve content from a real corporate subdomain. Impact ranges from phishing and cookie theft to NS-takeover-driven full HTTPS impersonation, supply-chain JS injection from re-registered S3 buckets, and password-reset hijacking via MX takeover.

32 payloads · 4 families · OWASP A05

HTTP Request Smuggling Cheat Sheet

HTTP request smuggling exploits parser disagreements between a front-end proxy and a back-end server about where one request ends and the next begins. By crafting ambiguous Content-Length and Transfer-Encoding framing — or downgrading HTTP/2 to HTTP/1.1 mid-flight — an attacker prepends a hidden request to an unrelated victim's connection. Impact is socket poisoning, response queue poisoning, ACL bypass, cache poisoning, and credential theft from in-flight requests.

21 payloads · 8 families · OWASP A04
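Added example, not from the original cheat sheet: a Python model of the CL.TE desync described above. A constructed request carries both Content-Length: 6 and Transfer-Encoding: chunked, followed on the same connection by a constructed victim request. Framing the byte stream by Content-Length (what a front end that ignores Transfer-Encoding does) yields two clean requests; framing it by chunked encoding (the back end) ends the first request at the 0-size chunk, so the leftover byte G is prepended to the victim's request line. A longer smuggled prefix works the same way and can carry an entire attacker request line and headers. The last function is the defence most proxies now apply: refuse messages that carry both framing headers.

```python
# Constructed CL.TE request: 6 body bytes by Content-Length, "0\r\n\r\n" then "G".
SMUGGLED = (b"POST / HTTP/1.1\r\n"
            b"Host: vulnerable.example\r\n"
            b"Content-Length: 6\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"\r\n"
            b"0\r\n"
            b"\r\n"
            b"G")

# Constructed request from an unrelated user, reusing the same back-end connection.
VICTIM = (b"GET /victim HTTP/1.1\r\n"
          b"Host: vulnerable.example\r\n"
          b"\r\n")

STREAM = SMUGGLED + VICTIM

def parse_headers(stream):
    """Split the header block off a raw HTTP/1.1 byte stream.

    Returns (request_line, headers, body_offset). Raises ValueError if the
    stream does not yet hold a complete header block.
    """
    end = stream.index(b"\r\n\r\n") + 4
    lines = stream[:end - 4].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end

def read_chunked(stream, pos):
    """Consume a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # Skip optional trailers up to and including the terminating blank line.
            while True:
                line_end = stream.index(b"\r\n", pos)
                blank = line_end == pos
                pos = line_end + 2
                if blank:
                    return body, pos
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def frame_request(stream, prefer_transfer_encoding):
    """Cut one request off the front of the stream.

    prefer_transfer_encoding=False models a front end that frames by Content-Length
    even when Transfer-Encoding is present; True models a back end that lets
    Transfer-Encoding win, as RFC 9112 requires. Returns (request_line, body, rest).
    """
    request_line, headers, body_start = parse_headers(stream)
    chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if chunked and prefer_transfer_encoding:
        body, rest_start = read_chunked(stream, body_start)
    else:
        length = int(headers.get(b"content-length", b"0"))
        body, rest_start = stream[body_start:body_start + length], body_start + length
    return request_line, body, stream[rest_start:]

def requests_seen(stream, prefer_transfer_encoding):
    """Request lines a parser with the given framing preference sees on one connection."""
    seen = []
    while stream:
        request_line, _body, stream = frame_request(stream, prefer_transfer_encoding)
        seen.append(request_line)
    return seen

def is_ambiguous(stream):
    """Defence: a message carrying both framing headers is rejected, not reconciled."""
    _line, headers, _end = parse_headers(stream)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

Run against STREAM, the Content-Length view reports `POST /` then `GET /victim`, while the chunked view reports `POST /` then `GGET /victim`: the back end has now attributed an attacker-chosen prefix to the victim's connection, which is the foothold for the queue-poisoning and credential-theft impacts listed above.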