Web cheatsheet

A collection of notes for everything related to web pentesting.

Requests that don't care about CORS

Always look for missing CSRF tokens no matter if CORS is well-implemented or not. For instance, the following requests don't care about CORS:

CORS doesn't shield you from all cross-origin requests, plain and simple.

Mix things up

Don't forget about some JS weaknesses

Tilde convention for backups

File names with a tilde appended (like_this.txt~) are a convention for backups. Be sure to check them out if you find a browsable file somewhere.