Aravind Kumar SVG aravindkumarsvg
aravindkumarsvg / llm_vapt_cheatsheet.md
Created August 23, 2025 20:05
LLM VAPT Cheatsheet

LLM Security & VAPT Cheatsheet


APIs

Concept

APIs allow external applications or services to interact with the LLM, usually through REST or GraphQL endpoints.

aravindkumarsvg / javascript_quirks.md
Last active August 19, 2025 19:08
Javascript quirks

JavaScript Quirks Cheatsheet

This document collects quirks, odd behaviors, and security-relevant details in JavaScript useful for VAPT engineers.


1. Regex vs Division Ambiguity

throw/1/;
aravindkumarsvg / uri_schemes-quirks.md
Last active August 23, 2025 19:07
URI Schemes Quirks

📑 URI Schemes & Quirks Cheatsheet (for VAPT)

This cheatsheet summarizes URI schemes, their quirks, encoding tricks, and abuse potential.
Useful for a VAPT engineer’s quick recall.


1. Common Dangerous URI Schemes

| Scheme | Example | Quirks / Abuse Potential |

aravindkumarsvg / xml_cheatsheet.md
Last active August 19, 2025 08:14
XML Cheatsheet

XML Ecosystem: Cheatsheet & Quirks

This document provides a high-level overview of major XML technologies. It's designed for developers who need a quick refresher on core concepts, common quirks, and practical examples.

1. XML (eXtensible Markup Language)

The foundation. A markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

Core Concepts

aravindkumarsvg / html_quirks_cheatsheet.md
Last active August 24, 2025 06:15
HTML Quirks and XSS Cheat Sheet

🛠️ HTML Quirks and XSS Cheat Sheet

A reference of quirks, behaviors, and security-relevant properties in HTML5 + SVG, useful for penetration testing, payload crafting, and filter bypass research.


📌 1. Event Handler Quirks

| Event | Elements Allowed | Notes |

aravindkumarsvg / svg_animate_cheatsheet.md
Created August 18, 2025 19:01
SVG animate SMIL XSS cheatsheet

📌 SVG <animate> Cheat Sheet for XSS Payloads

🔹 What is <animate>?

  • The <animate> element in SVG is used to animate attributes of another SVG element.
  • Host element = the element whose attribute is being animated.
    • If <animate> has no href, the parent element becomes the host.
    • If <animate href="#id"> is present, the host = the element with that ID.

aravindkumarsvg / unicode_js_obfuscation.md
Last active August 19, 2025 16:01
Javascript obfuscation

Writing JavaScript Entirely with Unicode (Escapes & Homoglyphs)

JavaScript can technically be written using only Unicode escape sequences or Unicode homoglyphs. This makes code valid to the JS engine but unreadable or misleading to humans. It is often used in obfuscation, XSS payloads, or supply chain attacks.


1. Unicode Escapes in Identifiers

aravindkumarsvg / http_method_spoofing_checklist.md
Created August 15, 2025 15:48
HTTP Method Spoofing Checklist

HTTP Method Spoofing Cheatsheet

Overview

HTTP Method Spoofing is when a client sends a request that appears to be a safe or allowed HTTP method (POST, GET), but actually instructs the server-side framework to treat it as a different method (PUT, PATCH, DELETE) via a hidden parameter or HTTP header.

Purpose:

  • Originally added to support RESTful routes when HTML forms only supported GET and POST.
  • Can be abused if access control is weak.

aravindkumarsvg / graphql_vapt_checklist.md
Last active August 7, 2025 05:29
Graphql VAPT Checklist

🔐 GraphQL VAPT Checklist: Core Concepts & Attack Surface

This checklist covers key GraphQL concepts such as queries, mutations, subscriptions, introspection, variables, fields, types, and arguments, along with related vulnerability assessment and penetration testing pointers.


🧠 GraphQL Core Concepts

1. 🔍 Queries

Standard read operations used to fetch data.

🛡️ SAML SSO - Flow, Parameters, and VAPT Checklist

SAML is primarily used for single sign-on (SSO) and authentication within enterprise environments.

🔄 SAML SSO Flow – SP-Initiated (Typical)

1. User Requests Resource (SP)

  • User tries to access a protected page.
  • SP generates a SAMLRequest and redirects to IdP.