Is it talking to a DB?

• Is there parameter passing? - if yes…

• Insert a single quote

Can I or someone else see what I type?

• Is there a forum, blog, guestbook, contact us page, feedback form, instant messenger? - if yes…

• Insert <script>alert('xss')</script

Does it reference a file?

• Is it talking about a file on the local file system - if yes…

• Insert ../../../../../../etc/passwd, ../../../../../../etc/passwd%00

• ../../../../../../windows/win.ini, ../../../../../../windows/win.ini%00