aravindkumarsvg / insecure_deserialization.md

Created February 2, 2026 02:39

Insecure Deserialization

Insecure Deserialization & Gadget Chains — Cheat Sheet

Core Concept

Insecure deserialization occurs when untrusted data is deserialized into objects, allowing attackers to abuse object lifecycle methods and existing code paths (gadgets) to trigger unintended behavior such as RCE.

Attackers inject object graphs, not code.

Key Terms

aravindkumarsvg / window_communication_cheatsheet.md

Last active November 8, 2025 09:32

Various functionalities used in web for communications between windows, documents, contexts

🧭 Communications Between Windows, Documents & Contexts

📘 Comprehensive Developer & Security Cheatsheet

🧩 1. Overview

Modern web applications often require communication between multiple browsing contexts — windows, iframes, tabs, popups, or even workers.
The browser provides several APIs for this, each suited for different scenarios.

aravindkumarsvg / iframe_cheatsheet.md

Last active November 25, 2025 16:49

Iframe Cheatsheet

Iframe Developer Cheatsheet

A complete reference for HTML <iframe> properties, attributes, methods, and events.

🧩 HTML Attributes

Attribute	Description

aravindkumarsvg / url_overriding_cheatsheet.md

Created November 2, 2025 14:06

URL overriding Headers

URL Override & Forwarded Headers — Cheatsheet

Purpose: Quick reference for headers that can override or indicate original request URL/path/host/proto. Useful for VAPT, debugging reverse proxies, and hardening.

Common headers

X-Original-URL — original path before rewrite (IIS, some middlewares)
X-Rewrite-URL — original path used by IIS/mod_rewrite

aravindkumarsvg / llm_vapt_cheatsheet.md

Created August 23, 2025 20:05

LLM VAPT Cheatsheet

LLM Security & VAPT Cheatsheet

APIs

Concept

APIs allow external applications or services to interact with the LLM, usually through REST or GraphQL endpoints.

aravindkumarsvg / javascript_quirks.md

Last active August 19, 2025 19:08

Javascript quirks

JavaScript Quirks Cheatsheet

This document collects quirks, odd behaviors, and security-relevant details in JavaScript useful for VAPT engineers.

1. Regex vs Division Ambiguity

throw/1/;

aravindkumarsvg / uri_schemes-quirks.md

Last active September 14, 2025 18:00

URI Schemes Quirks

📑 URI Schemes & Quirks Cheatsheet (for VAPT)

This cheatsheet summarizes URI schemes, their quirks, encoding tricks, and abuse potential.
Useful for a VAPT engineer’s quick recall.

1. Common Dangerous URI Schemes

| Scheme | Example | Quirks / Abuse Potential |

aravindkumarsvg / xml_cheatsheet.md

Last active August 19, 2025 08:14

XML Cheatsheet

XML Ecosystem: Cheatsheet & Quirks

This document provides a high-level overview of major XML technologies. It's designed for developers who need a quick refresher on core concepts, common quirks, and practical examples.

1. XML (eXtensible Markup Language)

The foundation. A markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

Core Concepts

aravindkumarsvg / html_quirks_cheatsheet.md

Last active November 11, 2025 09:40

HTML Quirks and XSS Cheat Sheet

🛠️ HTML Quirks and XSS Cheat Sheet

A reference of quirks, behaviors, and security-relevant properties in HTML5 + SVG, useful for penetration testing, payload crafting, and filter bypass research.

HTML Elements Parsing quirks - link mXSS CheatSheet

aravindkumarsvg / svg_animate_cheatsheet.md

Created August 18, 2025 19:01

SVG animate SIML XSS cheatsheet

📌 SVG `<animate>` Cheat Sheet for XSS Payloads

🔹 What is `<animate>`?

The <animate> element in SVG is used to animate attributes of another SVG element.
Host element = the element whose attribute is being animated.
- If <animate> has no href, the parent element becomes the host.
- If <animate href="#id"> is present, the host = the element with that ID.

Aravind Kumar SVG aravindkumarsvg