General methods

  1. Is it talking to a DB?

    • Is there parameter passing? - if yes…

    • Insert a single quote

  2. Can I or someone else see what I type?

    • Is there a forum, blog, guestbook, contact us page, feedback form, instant messenger? - if yes…

    • Insert <script>alert('xss')</script>

  3. Does it reference a file?

    • Is it talking about a file on the local file system? - if yes…

    • Insert ../../../../../../etc/passwd, ../../../../../../etc/passwd%00

    • ../../../../../../windows/win.ini, ../../../../../../windows/win.ini%00
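The three checks above are also what a defender looks for in access logs. The following is an added example, not part of the original checklist: it flags requests carrying a single quote in a parameter value, a script tag, or a traversal sequence reaching /etc/passwd or win.ini (with or without %00). The log lines are constructed samples in combined log format with invented paths; the traversal rule is generalised beyond the page to any depth and to either slash direction.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Regexes for checks 2 and 3. They run on the URL-decoded request so that
# %3Cscript%3E, ..%2F and %00 are caught as well as the literal forms.
# Traversal is generalised beyond the page: any depth, / or \ separators.
PROBES = {
    "xss_script": re.compile(r"<\s*script\b", re.IGNORECASE),
    "traversal": re.compile(r"(?:\.\.[\\/])+.*?(?:etc/passwd|windows[\\/]win\.ini)", re.IGNORECASE),
    "null_byte": re.compile(r"\x00"),  # %00 decodes to a NUL character
}

# Combined log format (Apache/Nginx default); assumed for the constructed sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(raw_path: str) -> list[str]:
    """Return the labels of the probes found in one request path.

    Check 1 (single quote) is limited to query parameter values, where the
    checklist inserts it; checks 2 and 3 run on the whole decoded request
    because a probe may sit in the path or in a parameter.
    """
    decoded = unquote(raw_path)
    values = [v for _, v in parse_qsl(urlsplit(raw_path).query, keep_blank_values=True)]
    hits = ["sqli_quote"] if any("'" in v for v in values) else []
    hits += [name for name, rx in PROBES.items() if rx.search(decoded)]
    return hits

def scan_log(lines):
    """Return (client ip, raw path, labels) for every line carrying a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := classify_request(m["path"])):
            findings.append((m["ip"], m["path"], hits))
    return findings

# Constructed sample traffic: one benign request followed by the probes
# from the checklist, in both literal and percent-encoded form.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product?id=12 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /product?id=12%27 HTTP/1.1" 500 88
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "POST /guestbook?msg=%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /view?file=../../../../../../etc/passwd%00 HTTP/1.1" 404 153
10.0.0.9 - - [10/Oct/2023:13:57:20 +0000] "GET /view?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 406
""".splitlines()
```

Note that the XSS probe from the page contains quotes, so it trips the single-quote check as well; a single quote in a parameter is a noisy signal on its own and is best correlated with a 500 response or a database error in the application log.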
