Ethical Warning: Research, educational, and authorized testing purposes only. Please do not use against systems without permission.
- CodeQL — Heavyweight source code analysis. Turns code into a queryable database to hunt for complex patterns.
- Semgrep — Lightweight static analysis. Excellent for quickly "grepping" for dangerous function calls across large codebases.
- GDB — Debugger tool. Allows you to see what is going on inside an application while it executes or crashes.
- Ghidra — Reverse engineering framework created by the NSA.
- Trufflehog — Find, verify, and analyze leaked credentials.
- Caido — Modern, lightweight web proxy (alternative to Burp Suite).
- RequestBin — HTTP request bins and DNS testing. Useful for SSRF testing.
- Beeceptor — Create mock APIs with custom rules. Useful for SSRF testing.
- URL Decoder/Encoder — Decode & Encode JavaScript URLs.
- Dalfox — Powerful automated XSS scanner.
- XSSHunter — Catch Blind XSS callbacks.
Standardized format for drafting vulnerability reports.
Educational blogs from my vulnerability hunts.
The mental frameworks and strategic approaches for vulnerability research.
| Cheatsheet | Focus Area |
|---|---|
| SQL Injection (SQLi) | Detection, Union-based extraction, Blind timing attacks, and Out-of-Band exfiltration. |
| XSS Payloads | Context-specific vectors, Modern WAF evasion, Polyglots, and Client-Side Template Injection. |
| Authentication & Identity | Authentication bypass techniques and defensive mitigation strategies for JWT, OAuth, and SAML |
| SSRF & Cloud | Cloud metadata endpoints (AWS, GCP, Azure), protocol wrappers, and filter bypasses. |
| RCE & Command Injection | Separator logic, space/character evasion (Linux/Windows), and Blind RCE techniques. |
| Dangerous Functions | White-box source code review patterns for C, PHP, Python, and Java. |
| Patch Diffing | Workflow for analyzing N-Day vulnerabilities, diffing commits, and hunting for variants. |
| Linux Commands | CLI reference guide for Linux Commands. |
| Reverse Engineering | GDB & Ghidra Cheatsheet. |
Automation scripts for reconnaissance, fuzzing, and impact measurement.
1. recon.sh
Automates subdomain enumeration and live host detection.
- Requirements:
subfinder,httpx-toolkit - Usage: Enumerates subdomains and checks for live web servers.
Automated directory and parameter fuzzing wrapper.
- Requirements:
ffuf, SecLists (or custom wordlists) - Configuration: Update headers with your username/email in the script before running.
Python script to measure service availability and latency impact during Denial of Service (DoS) testing. Currently configured to monitor Elasticsearch instances.
- Requirements:
requests,urllib3 - Usage: Tracks response times and logs critical latency thresholds against target endpoints to quantify availability impact.