Cheat Sheets

Quick reference guides for common security testing tasks.

SQL Injection

Basic Payloads

' OR '1'='1
' OR '1'='1'--
' OR '1'='1'#
' UNION SELECT NULL--

Testing for SQL Injection

  1. Try single quote: '
  2. Try basic payload: ' OR '1'='1
  3. Test with comment: '-- or '#
  4. Attempt UNION: ' UNION SELECT NULL--
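The four probes above work because the login query is built by string concatenation, so the quote in the input ends the literal and the rest is parsed as SQL. The following added example (not code from this cheat sheet; the table, credentials and function names are constructed for the demonstration) runs the page's payloads against a concatenated query and against a parameterized one in an in-memory SQLite database, so you can see why step 1 (the lone single quote) produces an error, why step 2 bypasses the password check, and why a bound parameter neutralizes both.

```python
import sqlite3


def make_db():
    # Constructed fixture: one user in an in-memory database (not from the page)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input spliced into the SQL text: a quote in the input ends the
    # literal and everything after it is parsed as SQL, so "' OR '1'='1" turns
    # the WHERE clause into (username = 'admin' AND password = '') OR '1'='1'
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Bound parameters are passed to the engine separately from the SQL text, so the
    # payload is compared as an ordinary string and never changes the query shape
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def single_quote_breaks_query(login_fn, conn):
    # Step 1 of the checklist: a lone quote raises a syntax error only when the
    # input is concatenated into the SQL text
    try:
        login_fn(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__)
        print("  quote breaks query:", single_quote_breaks_query(fn, db))
        print("  ' OR '1'='1 as password ->", fn(db, "admin", "' OR '1'='1"))
        print("  ' OR '1'='1'-- as user  ->", fn(db, "' OR '1'='1'--", "anything"))
        print("  real credentials        ->", fn(db, "admin", "s3cret"))
```

The quote-probe error in step 1 is the tell to watch for in application logs: a database syntax error that echoes user input is a strong sign the input reaches the query text unparameterized. Note also that the `--` form ends the statement, which is why a trailing `AND password = ...` clause gives no protection once the username field is injectable.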

XSS (Cross-Site Scripting)

Basic Payloads

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

Testing for XSS

  1. Test basic script tag
  2. Try event handlers: onerror, onload, onclick
  3. Test encoding: %3Cscript%3E
  4. Try in different contexts: HTML, JavaScript, attributes

Authentication Testing

Common Tests

  • SQL injection in login forms
  • Weak password policies
  • Account enumeration
  • Session management flaws
  • Password reset vulnerabilities

File Upload Testing

  1. Upload a benign .txt or a real image; note the save path and whether the app shows a URL for the file.
  2. Try executable extensions the stack might run (e.g. .php, .jsp), in the lab only.
  3. Compare client-side validation (JavaScript checks, the accept attribute) with server-side behavior; bypass the client-side checks with Burp or curl.
  4. Check whether files land under the web root and are served in a way that executes them; this is the highest-risk outcome.

For methodology context, see OWASP File Upload Cheat Sheet and the DVWA File Upload scenario.
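The four steps above map directly onto the server-side controls that close the finding: the check in step 3 has to exist on the server, the extension test in step 2 is defeated by an allowlist plus a content check, and the web-root concern in step 4 goes away when the file is stored under a server-chosen random name outside the document root. The following added example (not code from this cheat sheet or from OWASP; the allowlist, the magic-byte table, the sample file contents and the function names are constructed for the demonstration) implements those controls as a small validator and storage routine.

```python
import secrets
import tempfile
from pathlib import Path, PurePosixPath

# Constructed allowlist: extension -> accepted leading bytes (empty tuple = text check)
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".txt": (),
}

# Constructed sample contents
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_SAMPLE = b"<?php echo 'x'; ?>"


def validate_upload(filename, data):
    """Return (True, extension) for an acceptable upload, else (False, reason)."""
    # Use only the final path component; client-supplied directories are ignored
    name = PurePosixPath(filename.replace("\\", "/")).name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    # Exactly one extension: rejects "shell.php.png", ".htaccess" and bare names
    if len(suffixes) != 1:
        return False, "exactly one extension required"
    ext = suffixes[0]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    magic = ALLOWED[ext]
    if magic:
        # Binary types must start with the expected signature
        if not any(data.startswith(m) for m in magic):
            return False, "content does not match extension"
    else:
        # Text types must at least decode as UTF-8
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "content does not match extension"
    return True, ext


def store_upload(storage_dir, filename, data):
    """Validate, then write under a random server-chosen name; never the client's name."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(info)
    stored = secrets.token_hex(16) + info
    path = Path(storage_dir) / stored
    path.write_bytes(data)
    return stored


def store_in_tempdir(filename, data):
    # Demonstration helper: storage_dir stands in for a directory outside the web root
    with tempfile.TemporaryDirectory() as d:
        stored = store_upload(d, filename, data)
        return stored, (Path(d) / stored).is_file()


if __name__ == "__main__":
    for fname, content in [("photo.png", PNG_SAMPLE), ("shell.php", SCRIPT_SAMPLE),
                           ("shell.php.png", SCRIPT_SAMPLE), ("fake.png", SCRIPT_SAMPLE),
                           ("../../etc/notes.txt", b"hello")]:
        print(fname, "->", validate_upload(fname, content))
    print(store_in_tempdir("photo.png", PNG_SAMPLE))
```

Serving the stored file should go through an application handler that looks the random name up and sets Content-Type and Content-Disposition itself, rather than through a static-file directory; that is what removes the "under web root and executed" condition in step 4. The single-extension rule is deliberately strict and will reject legitimate names such as "my.photo.png"; relaxing it means checking every suffix against the allowlist, not just the last one.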

Quick Commands

curl Examples

# Basic GET request
curl https://example.com

# POST request with data
curl -X POST https://example.com/login -d "user=admin&pass=test"

# With headers
curl -H "Authorization: Bearer token" https://example.com/api

Browser Developer Tools

Network Tab

  • View HTTP requests and responses
  • Check headers and cookies
  • Analyze request timing

Console Tab

  • Execute JavaScript
  • View errors and warnings
  • Test payloads

Application Tab

  • View and edit cookies
  • Check local storage
  • Inspect session storage

Burp Suite Quick Reference

Proxy

  • Intercept requests: Proxy → Intercept (toggle on/off)
  • View history: Proxy → HTTP history
  • Configure: Proxy → Options

Repeater

  • Send requests: Right-click in Proxy → Send to Repeater
  • Modify and resend: Edit request, click Go
  • Compare responses: Use diff feature
