Comprehensive XSS Guide

A practitioner’s reference for Cross-Site Scripting — attack surface, context-aware payloads, filter/WAF/CSP bypass techniques, framework-specific vulnerabilities, real-world chains, and detection/prevention. Compiled from 293 research sources.

Table of Contents: Fundamentals; Attack Surface & Entry Points; Context-Aware Payloads; Filter Bypass Techniques; WAF Bypasses; CSP Bypass Techniques; Mutation XSS (mXSS); DOM Clobbering & Prototype Pollution; Framework-Specific XSS; AngularJS Sandbox Escapes; postMessage & DOM XSS; SVG, PDF & File Upload XSS; Blind XSS; Weaponized XSS Payloads; Polyglots; Real-World Exploitation Chains; Tools & Automation; Detection & Prevention; Payload Quick Reference; CVE Reference.

1. Fundamentals

XSS occurs when attacker-controlled input is rendered in a victim’s browser as executable code (JavaScript, or markup that leads to JavaScript execution). The victim’s browser runs the injected code with the origin’s privileges — same-origin access to cookies, DOM, API tokens, and session state. ...

April 10, 2026 · 16 min · Carl Sampson

Comprehensive SSRF Guide

A practitioner’s reference for Server-Side Request Forgery — attack surface, exploitation techniques, bypass methods, real-world chains, and detection/prevention. Compiled from 299 research sources.

Table of Contents: Fundamentals; Attack Surface & Entry Points; IP Address Bypass Techniques; URL Parsing & Protocol Tricks; Cloud Metadata Exploitation; Blind SSRF Techniques; Protocol Smuggling; Framework-Specific SSRF; PDF Generator SSRF; Real-World Exploitation Chains; Tools & Automation; MCP / AI Agent SSRF; IPv6 & DNS Rebinding Bypass Patterns; Detection & Prevention; Payload Quick Reference.

1. Fundamentals

SSRF occurs when an attacker can make a server-side application send HTTP requests to an attacker-chosen destination. The server acts as a proxy, often with elevated network access (internal services, cloud metadata, localhost) and implicit trust (firewall bypass, authentication context). ...

April 10, 2026 · 19 min · Carl Sampson

Comprehensive SQL Injection Guide

A practitioner’s reference for SQL Injection — attack classes, exploitation techniques, database-specific payloads, WAF bypass methods, ORM/NoSQL variants, real-world CVEs, and detection/prevention. Compiled from 33 research sources.

Table of Contents: Fundamentals; Attack Classes; Entry Points & Injection Contexts; DBMS Fingerprinting; Authentication Bypass; Union-Based Injection; Error-Based Injection; Boolean Blind Injection; Time-Based Blind Injection; Out-of-Band (OOB) Injection; Second-Order SQL Injection; Stacked Queries & Polyglots; WAF Bypass Techniques; Database-Specific Payloads; ORM Injection; NoSQL Injection; SQLi to RCE; Header, Cookie & JSON-Body Injection; Constraint-Based Attacks; Real-World CVEs; Tools & Automation; Detection & Prevention; Payload Quick Reference.

1. Fundamentals

SQL Injection (SQLi) occurs when an attacker can influence the SQL statements that an application sends to its database. The vulnerability arises from the unsafe concatenation of untrusted input into a query string, allowing the attacker to break out of the intended data context and execute attacker-controlled SQL. SQLi has sat in the OWASP Top Ten since its inception and remains one of the highest-impact classes of web vulnerability despite decades of awareness. ...

April 10, 2026 · 22 min · Carl Sampson

Comprehensive CSRF Guide

A practitioner’s reference for Cross-Site Request Forgery — attack surface, exploitation techniques, SameSite and token bypasses, real-world chains, and detection/prevention. Compiled from 37 research sources.

Table of Contents: Fundamentals; Attack Surface & Preconditions; Attack Delivery Techniques; Content-Type & JSON CSRF; SameSite Cookie Model; SameSite Bypass Techniques; CSRF Token Bypasses; Referer / Origin Check Bypasses; Method Override & Verb Tampering; Login & Logout CSRF; CORS Misconfiguration Chains; Clickjacking Overlap; Real-World Cases & CVEs; Exploitation Chains; Tools & Automation; Detection & Testing Methodology; Prevention & Defense in Depth; Payload Quick Reference.

1. Fundamentals

Cross-Site Request Forgery (CSRF / XSRF / “sea-surf”) is an attack that tricks an authenticated user’s browser into submitting a state-changing request to a target application. The victim’s browser automatically attaches ambient credentials — cookies, HTTP Basic auth, client certificates, Kerberos tickets, IP-based authorization — so the target application cannot distinguish a forged request from a legitimate one. ...

April 10, 2026 · 26 min · Carl Sampson

Comprehensive IDOR Guide

A practitioner’s reference for Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA) — attack surface, enumeration patterns, bypass techniques, real-world writeups, detection workflow, and prevention. Compiled from 21 research sources.

Table of Contents: Fundamentals; IDOR vs BOLA vs BFLA; Attack Surface & Where Identifiers Live; Horizontal vs Vertical Access; Identifier Enumeration Patterns; Parameter Tampering Techniques; HTTP Method & Verb Tampering; Content-Type & Format Bypasses; Path, Version, and Endpoint Tricks; Mass Assignment Overlap; UUID & Unpredictable ID Defeats; Second-Order and Blind IDOR; GraphQL, WebSocket, and Non-REST Surfaces; Real-World Writeups & CVEs; Exploit Chains; Detection Methodology with Autorize; Tools & Automation; Impact & Severity Mapping; Prevention & Secure Design; Testing Checklist; Report Writing.

1. Fundamentals

IDOR occurs when an application uses user-supplied input to reference an internal object (database row, file, resource) and fails to verify whether the current user is authorized to access that specific object. The application trusts the identifier, not the identity. ...

April 10, 2026 · 26 min · Carl Sampson

Comprehensive RCE Guide

A practitioner’s reference for Remote Code Execution — vulnerability classes, exploitation primitives, language-specific chains, real-world CVEs, and detection/prevention. Compiled from 63 research sources.

Table of Contents: Fundamentals; RCE Classes & Taxonomy; OS Command Injection; Code Injection & Expression Injection; Server-Side Template Injection (SSTI); File Upload to RCE; Insecure Deserialization; SQL Injection to RCE; SSRF & LFI Chains to RCE; Memory Corruption Primer; Kernel, Driver & Container Escape; Supply Chain RCE; AI / LLM Agent RCE; Real-World Exploit Chains; Tools & Automation; Detection & Prevention; Payload Quick Reference.

1. Fundamentals

Remote Code Execution is the ability to run attacker-chosen instructions on a remote system without physical or local shell access. It sits at the top of the impact pyramid — almost every bug class, if chained far enough, ends at RCE. ...

April 10, 2026 · 31 min · Carl Sampson

Comprehensive XXE Guide

A practitioner’s reference for XML External Entity injection — fundamentals, parser quirks, in-band and out-of-band exfiltration, parameter entity chains, file-format vectors, real-world CVEs, tooling, and hardening. Compiled from 40 research sources.

Table of Contents: Fundamentals; Attack Surface & Entry Points; Classic In-Band XXE; Blind XXE via External DTD; Error-Based XXE; Parameter Entities & Local DTD Chains; XXE → SSRF Pivoting; XXE → File Read & Information Disclosure; XXE → RCE; Parser-Specific Behaviors; XML File-Format Vectors; WAF & Filter Bypasses; Denial of Service; Real-World CVEs & Chains; Tooling; Detection & Prevention; Payload Quick Reference.

1. Fundamentals

XXE (XML External Entity) injection occurs when an XML parser processes attacker-controlled input with DTD (Document Type Definition) and external entity resolution enabled. The parser treats SYSTEM identifiers as URIs, fetching and substituting their content into the document — yielding file read, SSRF, blind exfiltration, DoS, and in some stacks RCE. ...

April 10, 2026 · 23 min · Carl Sampson

Comprehensive Insecure Deserialization Guide

A practitioner’s reference for insecure deserialization — language-specific attack surface, gadget chain mechanics, real-world CVE chains, tools, and detection/prevention. Compiled from 47 research sources.

Table of Contents: Fundamentals; Attack Surface & Entry Points; Java Deserialization; PHP Object Injection; Python Pickle & ML Pipelines; .NET Deserialization; Ruby Marshal & YAML; Node.js Deserialization; YAML & JSON Format Attacks; Gadget Chains Explained; Real-World CVEs & Exploitation Chains; Tools & Automation; Detection & Static Analysis; Prevention & Mitigation; Signature & Gadget Quick Reference.

1. Fundamentals

Insecure deserialization occurs when an application reconstructs program objects from attacker-controlled data without sufficient validation. Serialization converts an in-memory object graph to a byte stream for storage or transit; deserialization reverses the process. The danger is that most native serialization formats are not just data — they are instructions for how to rebuild arbitrary objects, including which classes to instantiate and which methods (constructors, magic methods, callbacks) to run along the way. ...

April 10, 2026 · 35 min · Carl Sampson

Comprehensive GraphQL Security Guide

A practitioner’s reference for attacking and defending GraphQL APIs — discovery, introspection, schema recovery, injection, authorization flaws, batching, DoS, subscriptions, CSRF/CSWSH, engine-specific quirks, and detection/prevention. Compiled from 31 research sources.

Table of Contents: Fundamentals; Discovery & Fingerprinting; Introspection; Schema Recovery Without Introspection; Query & Data Extraction; Mutations & Mass Assignment; Authorization Flaws (BOLA / BFLA / IDOR); Injection Through GraphQL; Batching Attacks & Aliases; Denial of Service; CSRF & CSWSH; Subscriptions & WebSockets; Engine-Specific Notes (Apollo, Hasura, graphql-java, async-graphql, Mercurius); Notable CVEs & Real-World Chains; Tooling; Detection & Prevention; Payload Quick Reference.

1. Fundamentals

GraphQL is a query language and server runtime for APIs, originally developed at Facebook and open-sourced in 2015. Instead of the multiple fixed endpoints of a REST API, a GraphQL service exposes a single endpoint that accepts typed queries and returns exactly the fields the client asks for. ...

April 10, 2026 · 22 min · Carl Sampson

Comprehensive API Security Guide

A practitioner’s reference for API security — attack surface, OWASP API Top 10 exploitation, authentication and authorization bypasses, GraphQL-specific attacks, rate limit evasion, real-world chains, and detection/prevention. Compiled from 30 research sources.

Table of Contents: Fundamentals; API Styles: REST vs GraphQL vs gRPC vs SOAP; API Recon & Attack Surface Discovery; OWASP API Security Top 10 (2023); BOLA / IDOR Deep Dive; Broken Authentication & Token Attacks; BOPLA: Mass Assignment & Excessive Data Exposure; Broken Function Level Authorization (BFLA); Unrestricted Resource Consumption & Rate Limit Bypasses; Business Flow Abuse; SSRF in APIs; Security Misconfiguration & Improper Inventory; Unsafe Consumption of Third-Party APIs; GraphQL-Specific Attacks; JWT & OAuth 2.0 Exploitation; Injection in APIs; Real-World CVEs & Breach Chains; Tools & Automation; Detection & Prevention; Testing Checklist.

1. Fundamentals

APIs now account for ~83% of web traffic. The average cost of an API breach is $4.88M (T-Mobile 2023, 37M users affected). Unlike traditional web apps, APIs expose more endpoints, lack a constraining UI, and are often protected by weaker compensating controls because developers assume machine-to-machine trust. ...

April 10, 2026 · 21 min · Carl Sampson