Web application exploitation is one of the most common areas you will face in Hack The Box machines, CTF challenges, bug bounty testing, and real-world penetration testing.
Almost every practical hacking path starts with a question like: what is running on this website, what hidden paths exist, what parameters are accepted, and how does the application process user input?
That is why Part 2 of my Practical Hacking Cheatsheet Series focuses on Web Application Attack.
This cheatsheet is built as a fast, practical reference for web exploitation techniques and payloads commonly used in labs and challenges. It is not only a list of random payloads. The goal is to help you quickly remember what to test, which command to run, and how to move from recon to exploitation.
The full Web Application Attack Cheatsheet covers areas like:
- Directory brute-forcing
- File discovery
- Virtual host and subdomain discovery
- Parameter fuzzing
- Technology fingerprinting
- SQL injection
- Union-based SQLi
- Error-based SQLi
- Time-based blind SQLi
- SQLMap usage
- Cross-Site Scripting
- Server-Side Template Injection
- Server-Side Request Forgery
- Local File Inclusion
- PHP wrappers
- Log poisoning
- File upload bypasses
- Command injection
- Deserialization
- JWT attacks
- XXE
- Useful SecLists wordlists
This part is especially useful when you are working on a web-heavy HTB machine or CTF challenge and need a clean checklist beside you.
For example:
- How do I brute-force directories?
- How do I find hidden files?
- How do I discover virtual hosts?
- How do I fuzz parameters?
- How do I test for SQL injection?
- Which XSS payload should I try first?
- How do I check for SSTI?
- How do I test SSRF bypasses?
- How do I exploit LFI with PHP wrappers?
- How do I bypass file upload filters?
- How do I test JWT weaknesses?
The cheatsheet follows a practical methodology: start with reconnaissance, identify the technology stack, discover hidden attack surface, test inputs manually, and then use targeted payloads based on how the application behaves.
Full Cheatsheet Series
This is the complete planned series:
| Part | Cheatsheet | Focus |
|---|---|---|
| Part 1 | Active Directory | AD attack methodology and commands |
| Part 2 | Web Application | Web exploitation techniques and payloads |
| Part 3 | Linux Privesc | Linux privilege escalation vectors |
| Part 4 | Windows Privesc | Windows privilege escalation vectors |
| Part 5 | Reverse Shells | Reverse shell one-liners for all languages |
| Part 6 | File Transfers | Methods to transfer files between machines |
| Part 7 | Pivoting | SSH tunneling, Chisel, Ligolo, SOCKS |
| Part 8 | Password Attacks | Cracking, spraying, brute-forcing |
| Part 9 | Linux Enumeration | Post-exploitation Linux enumeration |
| Part 10 | Windows Enumeration | Post-exploitation Windows enumeration |
Each part is designed to be short enough to use during practice, but structured enough to help you understand the attack flow instead of blindly copying commands.
Who This Is For
This cheatsheet series is made for:
- Hack The Box players
- CTF learners
- Beginner web hackers
- Bug bounty beginners
- Cybersecurity students
- Practical pentesting learners
- People preparing for web exploitation labs
- Anyone building organized hacking notes
If you are practicing web exploitation, this cheatsheet gives you a clean starting point for recon, payload testing, and common vulnerability classes.
One subscription.
Every cheatsheet, forever.
Get the full Web Application Attack Cheatsheet now — plus every new part of the Practical Hacking Series as it drops, and access to additional series too. No waiting. No separate purchases.
