Test Data
XSS
- <script>alert(1)</script>
- " onload="alert(2)
- " onmouseover="alert(3)
- " onclick="alert(4)
- <script>window.location.replace("https://fakesite.com");</script>
- <script src="localfile.js"></script>
- <script src="http://www.remoteexample.com/remotefile.js"></script>
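Added example (not part of the original sheet): the XSS test strings above pushed through context-aware output encoding, with a stdlib HTML parser checking whether any of them still lands as a script element or an on* handler. The render_* helpers stand in for assumed application code; the duplicated "script" word in the two src payloads is treated as a typo in the constructed copy.

```python
# Added example (not from the original sheet): run the XSS test strings through
# context-aware output encoding and confirm none of them injects a script
# element or an on* event handler. render_* are assumed application code.
import html
from html.parser import HTMLParser

# Constructed copy of the XSS test data from the sheet.
XSS_PAYLOADS = [
    '<script>alert(1)</script>',
    '" onload="alert(2)',
    '" onmouseover="alert(3)',
    '" onclick="alert(4)',
    '<script>window.location.replace("https://fakesite.com");</script>',
    '<script src="localfile.js"></script>',
    '<script src="http://www.remoteexample.com/remotefile.js"></script>',
]


def render_text(value: str) -> str:
    """Hardened: untrusted input inserted into an HTML text node."""
    return f"<p>{html.escape(value, quote=True)}</p>"


def render_attr(value: str) -> str:
    """Hardened: untrusted input inserted into a double-quoted attribute."""
    return f'<input value="{html.escape(value, quote=True)}">'


def render_text_unsafe(value: str) -> str:
    """Vulnerable 'before' version: no encoding at all."""
    return f"<p>{value}</p>"


def render_attr_unsafe(value: str) -> str:
    """Vulnerable 'before' version: raw input inside a quoted attribute."""
    return f'<input value="{value}">'


class _Probe(HTMLParser):
    """Records every <script> start tag and every on* attribute it parses."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts += 1
        self.handlers.extend(
            name for name, _ in attrs if name.lower().startswith("on")
        )


def findings(rendered: str) -> dict:
    """Count injected script elements and event handlers in rendered HTML."""
    probe = _Probe()
    probe.feed(rendered)
    probe.close()
    return {"scripts": probe.scripts, "handlers": probe.handlers}


def audit(render) -> list[str]:
    """Return the payloads that escape their intended context under `render`."""
    bad = []
    for payload in XSS_PAYLOADS:
        result = findings(render(payload))
        if result["scripts"] or result["handlers"]:
            bad.append(payload)
    return bad


if __name__ == "__main__":
    cases = [("text", render_text), ("attr", render_attr),
             ("text-unsafe", render_text_unsafe), ("attr-unsafe", render_attr_unsafe)]
    for label, fn in cases:
        print(f"{label:12s} breaks out on {len(audit(fn))} of {len(XSS_PAYLOADS)} payloads")
```

Note that the check is per context: the `" on...=` strings only break out of the attribute renderer, the `<script>` strings only out of the text renderer, which is why the test data keeps both kinds.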
SQL
- test' -- comment
- test' OR 1>0 -- comment
- test', role = 'admin
Valid Inputs
- https://r-adams.co.uk/Flick.png
- https://r-adams.co.uk
- test', role = 'admin
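Added example (not part of the original sheet): the SQL test strings and the valid inputs above run against a throwaway SQLite database, once through string concatenation (the vulnerable 'before') and once through bound parameters. The users table and the two query shapes are assumptions for the demo; the third payload is shown against an UPDATE because that is the clause it rewrites.

```python
# Added example (not from the original sheet): exercise the SQL test strings and
# valid inputs against an in-memory SQLite table. Table layout is assumed.
import sqlite3

# Constructed copies of the test data from the sheet.
SQL_PAYLOADS = ["test' -- comment", "test' OR 1>0 -- comment", "test', role = 'admin"]
VALID_INPUTS = ["https://r-adams.co.uk/Flick.png", "https://r-adams.co.uk", "test', role = 'admin"]


def make_db() -> sqlite3.Connection:
    """In-memory users table with one ordinary user and one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND role = 'user'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str) -> list:
    """Hardened: the input travels as a bound parameter, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND role = 'user'"
    return conn.execute(sql, (name,)).fetchall()


def rename_user_unsafe(conn, old: str, new: str) -> None:
    """Vulnerable UPDATE: test', role = 'admin extends the SET clause."""
    conn.execute(f"UPDATE users SET name = '{new}' WHERE name = '{old}'")


def rename_user_safe(conn, old: str, new: str) -> None:
    """Hardened UPDATE with bound parameters."""
    conn.execute("UPDATE users SET name = ? WHERE name = ?", (new, old))


def role_of(conn, name: str):
    """Role for an exact name match, or None."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def probe(conn, fn, name: str):
    """Run a lookup and report its row count, or the SQL error it raised."""
    try:
        return len(fn(conn, name))
    except sqlite3.Error as exc:
        return f"error: {exc}"


def round_trip(value: str) -> str:
    """Store a valid input through a parameter and read it back unchanged."""
    conn = make_db()
    conn.execute("INSERT INTO users VALUES (?, 'user')", (value,))
    return conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    for p in SQL_PAYLOADS:
        print(f"{p!r:32} unsafe -> {probe(conn, find_user_unsafe, p)!s:10} "
              f"safe -> {probe(conn, find_user_safe, p)}")
    for v in VALID_INPUTS:
        print(f"{v!r:40} stored verbatim: {round_trip(v) == v}")
```

The valid-input list matters as much as the payloads: a parameterised query stores `test', role = 'admin` as a plain name, which is the behaviour to expect from a fix, whereas a "fix" that strips quotes would fail the round trip.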
Reference Sheet
Headers
OWASP Cheat Sheet
Good Headers
- Content-Security-Policy: script-src 'self' https://trusted-cdn.com;
- Content-Security-Policy: frame-src https://example.com/
- Permissions-Policy: geolocation=(), camera=(), microphone=()
- Set-Cookie: id=a3fWa; Expires=Wed, 13 May 2026 07:28:00 GMT; Secure; HttpOnly; SameSite=Strict
- X-Frame-Options: DENY
Insecure Headers
- Expect-CT
- X-AspNet-Version
- X-Powered-By
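Added example (not part of the original sheet): a small audit over a captured list of response headers that checks for the good headers above (CSP script-src without `'unsafe-inline'` or `*`, cookie flags, X-Frame-Options, Permissions-Policy) and flags the insecure ones for removal, since Expect-CT is deprecated and X-AspNet-Version / X-Powered-By disclose the server stack. Both header sets are constructed for the demo with placeholder version strings, and the finding texts are this script's own wording.

```python
# Added example (not from the original sheet): audit a list of (name, value)
# response headers against the good/insecure header lists on the sheet.
DISCLOSING = {"expect-ct", "x-aspnet-version", "x-powered-by"}

# Constructed: a response carrying the good headers from the sheet.
GOOD_RESPONSE = [
    ("Content-Security-Policy", "script-src 'self' https://trusted-cdn.com;"),
    ("Content-Security-Policy", "frame-src https://example.com/"),
    ("Permissions-Policy", "geolocation=(), camera=(), microphone=()"),
    ("Set-Cookie", "id=a3fWa; Expires=Wed, 13 May 2026 07:28:00 GMT; Secure; HttpOnly; SameSite=Strict"),
    ("X-Frame-Options", "DENY"),
]

# Constructed: a weak response (placeholder version strings, not real products).
WEAK_RESPONSE = [
    ("Content-Security-Policy", "script-src 'self' 'unsafe-inline' *;"),
    ("Set-Cookie", "id=a3fWa; Path=/"),
    ("X-Powered-By", "example-framework/0.0"),
    ("X-AspNet-Version", "0.0.placeholder"),
    ("Expect-CT", "max-age=86400"),
]


def script_src_tokens(policy: str) -> list[str]:
    """Source tokens of the script-src directive, or [] if the policy has none."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    found: dict[str, list[str]] = {}
    for name, value in headers:
        found.setdefault(name.lower(), []).append(value)
    findings: list[str] = []

    # CSP: must exist, and script-src must not open the door to inline/any source.
    policies = found.get("content-security-policy", [])
    if not policies:
        findings.append("missing Content-Security-Policy")
    for policy in policies:
        for token in script_src_tokens(policy):
            if token in ("'unsafe-inline'", "*", "data:"):
                findings.append(f"CSP script-src allows {token}")

    # Cookies: every Set-Cookie needs Secure, HttpOnly and a SameSite value.
    for cookie in found.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {cookie_name} lacks samesite")

    # Anti-framing and feature restrictions.
    xfo = found.get("x-frame-options", [])
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif xfo[0].strip().lower() not in ("deny", "sameorigin"):
        findings.append(f"weak X-Frame-Options value {xfo[0]}")
    if "permissions-policy" not in found:
        findings.append("missing Permissions-Policy")

    # Deprecated or stack-disclosing headers should be removed outright.
    for name in sorted(DISCLOSING.intersection(found)):
        findings.append(f"remove {name}")
    return findings


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(resp) or "no findings")
```

Feed it the headers copied from the DevTools Network tab (Copy > Copy response headers) as (name, value) pairs; keeping the input as a list rather than a dict preserves repeated Set-Cookie and CSP headers, each of which is checked separately.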
Chrome Dev Tools Features
- Application >> Cookies >> [Site under test] (can edit or delete a cookie)
- Application >> Local storage [Site under test]
- Network >> More filters >> 3rd-party requests
- Network >> More filters >> Hide extension URLs
- Network >> More network conditions (wifi icon with cog) >> User agent
- Network >> *Right click on request to modify* >> Copy >> Copy as fetch >> Console tab >> *Paste in request* >> *modify then hit ENTER*