Reference

Security Cheatsheets

Comprehensive payload references for every major web vulnerability class — with bypass techniques, real-world CVE examples, and exact exploit commands.

Command Injection Cheatsheet: OS Command Injection Payloads & Bypass

Complete OS command injection payload reference — Linux & Windows operators, blind detection, WAF...

Read →

CORS Misconfiguration Cheatsheet: Detection, Exploitation & Bypass

Complete CORS misconfiguration reference — origin reflection, null origin, subdomain trust, protocol...

Read →

CRLF Injection & Open Redirect Cheatsheet: Header Injection, HTTP Response Splitting & Redirect Bypass

Complete CRLF injection and open redirect reference — HTTP response splitting, header injection,...

Read →

File Upload Bypass Cheatsheet: Extension Bypass, Magic Bytes & RCE

Complete file upload vulnerability reference — extension blacklist/whitelist bypass, MIME type...

Read →

GraphQL Injection Cheatsheet: Introspection, IDOR, Batching & Injection Attacks

Complete GraphQL security reference — introspection abuse, IDOR via object ID manipulation, query...

Read →

IDOR & Broken Access Control Cheatsheet: Finding and Exploiting Object References

Complete IDOR and Broken Access Control reference — horizontal/vertical privilege escalation,...

Read →

Insecure Deserialization Cheatsheet: Java, PHP, Python, .NET — Gadget Chains to RCE

Complete insecure deserialization reference — Java gadget chains (ysoserial), PHP object injection,...

Read →

JWT Attack Cheatsheet: Algorithm Confusion, Key Confusion & Token Forgery

Complete JWT attack reference — alg:none bypass, HS256/RS256 confusion, weak secret cracking, JWK...

Read →

LFI & Path Traversal Cheatsheet: File Inclusion to RCE

Complete Local File Inclusion and Path Traversal payload reference — basic traversal, filter bypass,...

Read →

NoSQL Injection Cheatsheet: MongoDB, Redis, CouchDB & Firebase

Complete NoSQL injection payload reference — MongoDB operator injection, JavaScript injection, blind...

Read →

SQL Injection Cheatsheet: Complete Payload Reference & WAF Bypass Guide

The most comprehensive SQL Injection payload reference — MySQL, PostgreSQL, MSSQL, Oracle, SQLite....

Read →

SSRF Payload Cheatsheet: Cloud Metadata, Protocols & Bypass Techniques

Complete SSRF payload reference — AWS/GCP/Azure/DigitalOcean metadata, protocol handlers (gopher,...

Read →

SSTI Payload Cheatsheet: Every Template Engine — Detection to RCE

Complete Server-Side Template Injection payload reference for Jinja2, Twig, Freemarker, Velocity,...

Read →

XSS Cheatsheet: Cross-Site Scripting Payloads, Bypass & Exploitation

Complete XSS payload reference — reflected, stored, DOM-based, blind XSS, CSP bypass, filter...

Read →

XXE Cheatsheet: XML External Entity Injection — File Read to SSRF to RCE

Complete XXE injection payload reference — classic XXE, blind XXE, OOB data exfiltration, parameter...

Read →

More attack-chain research →

SSRF Hub RCE Hub Race Condition Hub CVE Portfolio All Posts

Tagmac Han

He's a passionate Cyber Security Consultant & Vulnerability Researcher in Turkey

OSWE | OSCP | CEH | eMAPT

Security Cheatsheets