OWASP Cheatsheet

Most web security resources give you the what without the why, and rarely offer a structured path through the noise. This repository is different: it's a study compendium deep enough to actually teach you something. In this post I'll walk through what's inside and how to get the most out of it.

CHEAT SHEET

2/10/2026, 2 min read

What Is This Repository?

At its core, it is a structured collection of notes and write-ups covering web application vulnerability classes primarily sourced from PortSwigger's Web Security Academy, but synthesised into something more navigable. Think of it as someone's personal field manual: the kind of document you'd actually want open in a second monitor when you're sitting in front of Burp Suite at 11 PM.

The repository covers a range of vulnerability classes, each with explanations, exploitation methodology, and defensive countermeasures. It's not exhaustive in the "list every CVE ever" sense; it's surgical. The topics chosen are the ones that actually come up in real engagements and CTFs, and the depth on each one is enough to go from understanding to exploiting.

How I'd Recommend Using This Repository

If you're new to web security: Work through the sections in the order they appear. Don't skip the fundamentals: for example, the JavaScript prototypes section isn't optional background reading; it's the foundation that makes prototype pollution make sense. The same applies to understanding the full JWT structure before diving into algorithm confusion.

If you're preparing for a CTF or exam: The repository is excellent for rapid revision of exploitation mechanics. Each vulnerability class has enough detail to remind you of the key steps without requiring you to re-read the full PortSwigger materials.

If you're doing bug bounty: Use the encoding obfuscation section as a reference when you hit a WAF. The context matrix approach, identifying which decoding passes your input goes through, is more reliable than trying random encodings and hoping something sticks.
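The context matrix idea above, seen from the defending side, as an added example that is neither the repository's nor the post's own code: a validator that re-checks the input after each decoding pass the downstream stack applies catches what a check on the raw input misses. The decode chain (URL decode, then HTML entity decode) and the sample input are assumptions constructed for this example.

```python
import html
from urllib.parse import unquote

# Assumed decoding passes, in the order this hypothetical stack applies them:
# the web server URL-decodes the parameter once, then a template layer
# HTML-entity-decodes it before it reaches the file handler.
DECODE_CHAIN = [unquote, html.unescape]


def apply_chain(value: str, chain=DECODE_CHAIN) -> list[str]:
    """Return the value as seen at each layer: raw input first, then after each pass."""
    stages = [value]
    for step in chain:
        stages.append(step(stages[-1]))
    return stages


def contains_traversal(value: str) -> bool:
    """The property we want to reject: a parent-directory reference."""
    return ".." in value


def naive_check(value: str) -> bool:
    """Weak pattern: validates only the raw input, before any decoding."""
    return not contains_traversal(value)


def canonical_check(value: str, chain=DECODE_CHAIN) -> bool:
    """Validates the input at every decoding stage the consumer will produce."""
    return not any(contains_traversal(stage) for stage in apply_chain(value, chain))


# Constructed sample: URL-encoded form of "&#46;&#46;/etc/passwd", which only
# becomes "../etc/passwd" after both passes have run.
SAMPLE = "%26%2346%3B%26%2346%3B/etc/passwd"

if __name__ == "__main__":
    for i, stage in enumerate(apply_chain(SAMPLE)):
        print(f"stage {i}: {stage!r} traversal={contains_traversal(stage)}")
    print("naive_check:", naive_check(SAMPLE))          # True: raw input looks clean
    print("canonical_check:", canonical_check(SAMPLE))  # False: rejected after decoding
```

The same chain, run in reverse, is exactly the map the repository's context matrix asks you to build; the defender's job is to validate at the end of it rather than the start.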

Final Thoughts

What I have built here is essentially the study notes you wish existed when you started. It's not trying to replace PortSwigger's labs or hands-on practice. It's the organised knowledge layer that sits between the lab exercises and real-world application.

The web security landscape moves fast, and vulnerabilities like prototype pollution and algorithm confusion are still routinely found in production systems, not because developers are negligent, but because the specifications themselves are so flexible that secure implementation requires specific knowledge that isn't widely taught. Repositories like this one are part of how that knowledge spreads.

Worth bookmarking, worth reading properly, and worth contributing to if you find gaps.