# 4.7 Input Validation Testing

## [Input Validation Testing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/README)

## 4.7.1 [Testing for Reflected Cross Site Scripting](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting)

* [ ] Identify variables/parameters that are reflected in responses.

```regex
(?:\?|&)(\w+)=
```

* [ ] Assess the input they accept and the encoding that gets applied on return (if any).

```html
"><img src=1 onerror=alert(1)>
<script>alert(2)</script>"<
```
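Added example (not part of the original checklist): a small Python helper that automates the two steps above offline. It lists the parameters matched by the regex, replaces one of them with a canary containing the characters that must be encoded in an HTML context, and classifies how a response body reflects it. The function names, the canary, the `zz` marker and the sample response bodies are assumptions made for this example; in a real test the bodies come from the target's replies.

```python
import html
import re
import urllib.parse

# Regex from the checklist: captures parameter names from a query string.
PARAM_RE = re.compile(r"(?:\?|&)(\w+)=")

# Canary with the characters that must be encoded before landing in HTML.
CANARY = "xss\"'<>"
MARKER = "zz"   # delimits the canary so a partially encoded copy can be extracted


def extract_params(url):
    """Step 1: parameter names in the query string."""
    return PARAM_RE.findall(url)


def inject_canary(url, name):
    """Return `url` with parameter `name` replaced by the marked canary."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    pairs = [(k, MARKER + CANARY + MARKER if k == name else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(pairs)))


def classify_reflection(body):
    """Step 2: how did the response reflect the canary?"""
    if MARKER + CANARY + MARKER in body:
        return "raw"                      # nothing encoded: almost certainly exploitable
    if MARKER + html.escape(CANARY, quote=True) + MARKER in body:
        return "html-encoded"             # safe in an element or quoted-attribute context
    if MARKER + urllib.parse.quote(CANARY, safe="") + MARKER in body:
        return "url-encoded"
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    if m:
        return "partial:" + m.group(1)    # some characters survived: check the context
    return "not-reflected"


# Constructed response bodies standing in for real server replies.
SAMPLE_BODIES = {
    "raw":     '<input value="zzxss"\'<>zz">',
    "encoded": '<input value="zzxss&quot;&#x27;&lt;&gt;zz">',
    "partial": '<input value="zzxss&quot;\'<>zz">',   # only the double quote escaped
}

if __name__ == "__main__":
    url = "https://target.example/search?q=hello&page=1"
    for p in extract_params(url):
        print(p, "->", inject_canary(url, p))
    for label, body in SAMPLE_BODIES.items():
        print(label, "->", classify_reflection(body))
```

A `partial:` result is the interesting one: the characters that survived tell you which injection context is still open (for example `'`, `<` and `>` surviving means a single-quoted attribute or plain text context is still reachable).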

**Evidence**:

```
​
```

## 4.7.2 [Testing for Stored Cross Site Scripting](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting)

* [ ] Identify stored input that is later rendered on the client side (profile fields, comments, file names, etc.).
* [ ] Assess the input it accepts and the encoding that gets applied on output (if any).
* [ ] Check whether sanitization happens only on the client side (bypassable by sending the request directly through a proxy) or also on the server side.

> You can use the previous payloads.

**Evidence**:

```
​
```

## 4.7.3 [Testing for HTTP Verb Tampering](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering)

This section has been merged into: [Test HTTP Methods](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods)

**Evidence**:

```
​
```

## 4.7.4 [Testing for HTTP Parameter Pollution](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution)

* [ ] Identify any form or action that allows user-supplied input.
* [ ] Test for HPP by appending the same parameter to the GET and POST data with a different value, e.g. `page?par1=val1&par1=HPP_TEST1`.
* [ ] Observe which value the application uses: the first, the last, both concatenated, or an array. The behaviour depends on the backend technology, and a front-end component (WAF, proxy, authorization filter) that picks a different occurrence than the application can be bypassed.
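Added example (not part of the original checklist): the four parsing policies an application can apply to a repeated parameter, implemented in Python, plus a classifier for the value the application echoes back and a constructed two-tier scenario in which a front-end check reads the first occurrence while the backend uses the last. The function names, the `id` parameter and the allow-list are assumptions made for this example.

```python
from urllib.parse import parse_qsl

QUERY = "par1=val1&par1=HPP_TEST1"   # the probe from the checklist


def first_wins(query):
    """Policy A: the first occurrence is used."""
    out = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out.setdefault(k, v)
    return out


def last_wins(query):
    """Policy B: the last occurrence overwrites earlier ones."""
    return dict(parse_qsl(query, keep_blank_values=True))


def all_values(query):
    """Policy C: every occurrence is kept, as a list."""
    out = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out.setdefault(k, []).append(v)
    return out


def concatenated(query, sep=","):
    """Policy D: occurrences joined into one string."""
    return {k: sep.join(v) for k, v in all_values(query).items()}


def infer_policy(echoed, first="val1", second="HPP_TEST1"):
    """Classify the value the application echoed back for the probed parameter."""
    if echoed == first:
        return "first"
    if echoed == second:
        return "last"
    if first in echoed and second in echoed:
        return "both"          # concatenated or array-like: attacker input is appended
    return "unknown"


def proxy_then_backend(query, allowed_ids):
    """Constructed two-tier scenario: an access-control check in front of the
    application reads the FIRST `id`, while the application itself uses the LAST.
    Sending id=<allowed>&id=<forbidden> passes the check but serves the forbidden id."""
    if first_wins(query).get("id") not in allowed_ids:
        return "403 blocked by front-end check"
    return "200 backend served id=" + str(last_wins(query).get("id"))


if __name__ == "__main__":
    for policy in (first_wins, last_wins, all_values, concatenated):
        print(policy.__name__, policy(QUERY))
    print(proxy_then_backend("id=7&id=9", {"7"}))
```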

**Evidence**:

```
​
```

## 4.7.5 [Testing for SQL Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection)

* [ ] Identify any form or action that allows user-supplied input.
* [ ] Introduce SQL syntax (a single quote, `' OR '1'='1`, comment sequences) to trigger errors or behaviour changes. If there are errors or differences, try to exploit the vulnerability.
* [ ] Introduce time-based SQL statements (e.g. `SLEEP()`, `pg_sleep()`, `WAITFOR DELAY`) and check whether the response time changes.
* [ ] Perform the same actions with NoSQL operators and syntax.

[SQL wordlist](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Wordlists/SQLi_Auth_Bypass-Master_List.txt) & [NoSQL Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection).

**Evidence**:

```
​
```

## 4.7.6 [Testing for LDAP Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection)

* [ ] Identify any form or action that allows user-supplied input.
* [ ] Introduce LDAP statements to see how the application behaves.

[LDAP Wordlist](https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Fuzzing/LDAP.Fuzzing.txt).

**Evidence**:

```
​
```

## 4.7.7 [Testing for XML Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection)

* [ ] Identify XML injection points.
* [ ] Try to upload XML files.
* [ ] Try to exploit [XXE vulnerabilities](https://the-pentesting-guide.marmeus.com/web/xxe).

**Evidence**:

```
​
```

## 4.7.8 [Testing for SSI Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection)

* [ ] Check that the application contains `.shtml` files.
* [ ] Inject the payload `<!--#exec cmd="nslookup <BURP_COLLAB>" -->` in different inputs to see if it is executed. Also, try to inject it on headers like `User-Agent` or `Referer`.
* [ ] Try to upload files with SSI payloads.

**Evidence**:

```
​
```

## 4.7.9 [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection)

* [ ] Check if the application queries XML documents (XPath) with user-supplied input.
* [ ] Perform XPath injection attacks.

**Evidence**:

```
​
```

## 4.7.10 [Testing for IMAP SMTP Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection)

* [ ] Look for endpoints that trigger sending emails.
* [ ] Understand the data flow and deployment structure of the system.
* [ ] Discover hidden parameters.
* [ ] Try to inject IMAP/SMTP commands (e.g. with CRLF sequences) or HTML tags.
* [ ] Using the webmail, check whether the received mails contain internal network information (e.g. internal hostnames or IP addresses in the mail headers).

**Evidence**:

```
​
```

## 4.7.11 [Testing for Code Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection)

* [ ] Identify injection points where you can inject files or paths into the application. Here you have some examples:
* File access parameters

```regex
[?&](file|filepath|filename|dir|folder|download|upload|doc|image|path|include|view|resource|asset|content|icon|logfile)=
```

* Website/URL Access Parameters

```regex
[?&](url|link|redirect|target|site|page|navigate|ref|callback|host|return|next)=
```

* [ ] Assess the injection points.
  * UNIX FI & Windows FI (file inclusion payloads for each operating system)

**Evidence**:

```
​
```

## 4.7.12 [Testing for Command Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)

* [ ] Identify injection points where you can inject code into the application. Here you have some examples:

```regex
[?&](cmd|exec|action|run|query|operation|execute|task|process|shell|module|method|command|do)=
```

* [Windows RCE](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Wordlists/windows_remote_command_injection.txt) & [UNIX RCE](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Wordlists/unix_remote_command_injection.txt)
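Added example (not part of the original checklist): a Python demonstration of why these parameters are dangerous and how to probe them. `echo` stands in for the real command (ping, nslookup, convert, ...) so the demo runs offline on any POSIX shell; the vulnerable variant pastes the input into a shell command line, the hardened variant passes it as one argv element and allow-lists its shape. The function names, the `INJECTED` token and the separator list are assumptions made for this example.

```python
import re
import subprocess

# Allow-list for the expected shape of the input (a hostname) before it reaches any command.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(user_input):
    """Input is pasted into a shell command line, so shell metacharacters are interpreted."""
    cmd = "echo " + user_input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(user_input):
    """Argument vector, no shell: the input is a single argv element, metacharacters are literal."""
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


def validate_hostname(value):
    return bool(HOSTNAME_RE.fullmatch(value))


def injected(output, token="INJECTED"):
    """Did the second command run? The token must appear on its own line,
    not merely inside the echoed input."""
    return token in output.splitlines()


def probe_separators(runner=run_vulnerable):
    """Checklist-style probe: which separators get a second command executed?"""
    hits = []
    for sep in (";", "|", "&&", "||"):
        if injected(runner("x " + sep + " echo INJECTED")):
            hits.append(sep)
    return hits


if __name__ == "__main__":
    payload = "target.example; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))
    print("safe:", repr(run_safe(payload)))
    print("separators that work:", probe_separators())
    print("hostname allow-list:", validate_hostname("target.example"), validate_hostname(payload))
```

`||` does not show up in the probe result because the first command succeeds; a blind test that only uses `||` would therefore miss the injection, which is why several separators (and a time-based or out-of-band payload such as the `nslookup` one in the SSI section) should be tried.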

**Evidence**:

```
​
```

## 4.7.13 [Testing for Format String Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection)

* [ ] This vulnerability is mainly found with a white box approach. However, you can test for it by inserting format specifiers such as `%s` in the input parameters of the application and comparing the response with that for a benign value (the last payload targets Python `str.format` templates):

```text
alice
%s%s%s%n
%p%p%p%p%p
{event.__init__.__globals__[CONFIG][SECRET_KEY]}
```
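Added example (not part of the original checklist): a Python demonstration of the last payload above. A constructed application renders a user-controlled template with `str.format`; because format fields allow attribute access and indexing, the payload walks from the passed object to its `__init__` method's module globals and reads a secret. The hardened variant uses `string.Template`, which substitutes only `$identifier` placeholders and has no traversal. `CONFIG`, `Event` and the function names are assumptions made for this example.

```python
import string

# Constructed application secret living in module globals, like a settings object.
CONFIG = {"SECRET_KEY": "constructed-secret-key-do-not-reuse"}


class Event:
    """Constructed object handed to a template, e.g. for a notification message."""

    def __init__(self, name):
        self.name = name


def render_vulnerable(user_template, event):
    # The user controls the format string. str.format allows attribute access and
    # indexing, so {event.__init__.__globals__[CONFIG][SECRET_KEY]} walks from the
    # object to its module globals and reads the secret; no function call is needed.
    return user_template.format(event=event)


def render_safe(user_template, event):
    # string.Template substitutes only $identifier placeholders from an explicit
    # mapping; there is no attribute or index traversal to abuse.
    return string.Template(user_template).safe_substitute(name=event.name)


def looks_injectable(render):
    """Black-box style probe: does a harmless attribute field get evaluated?"""
    return render("{event.name}", Event("probe")) == "probe"


if __name__ == "__main__":
    payload = "{event.__init__.__globals__[CONFIG][SECRET_KEY]}"
    print("vulnerable:", render_vulnerable(payload, Event("launch")))
    print("safe:", render_safe(payload, Event("launch")))
    print("probe:", looks_injectable(render_vulnerable), looks_injectable(render_safe))
```

The probe with `{event.name}` is the black-box equivalent of the `%s` test: if a field that should be literal text comes back evaluated, the template is under user control.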

**Evidence**:

```
​
```

## 4.7.14 [Testing for Incubated Vulnerability](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability)

* [ ] Identify injections that are stored and require a recall step to the stored injection.
* [ ] Understand how a recall step could occur.
* [ ] Set listeners or activate the recall step if possible.

**Evidence**:

```
​
```

## 4.7.15 [Testing for HTTP Splitting Smuggling](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling)

* [ ] Identify whether there are functions where user input gets reflected into HTTP response headers.
  * [ ] Inject `%0d%0a`, which is the URL-encoded CRLF.
  * [ ] Try to inject headers like `Location` or `Set-Cookie`.
* [ ] Perform HTTP request smuggling attacks based on the following PoCs:
  * [ ] [CL.TE](https://the-pentesting-guide.marmeus.com/web/http_request_smuggling#cl.te)
  * [ ] [TE.CL](https://the-pentesting-guide.marmeus.com/web/http_request_smuggling#te.cl)
  * [ ] [TE.TE](https://the-pentesting-guide.marmeus.com/web/http_request_smuggling#te.te)
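Added example (not part of the original checklist): a Python demonstration of the header injection and response splitting steps above. A constructed redirect handler reflects a URL-decoded parameter into `Location`; a minimal response parser, standing in for the client or cache, shows the injected `Set-Cookie` arriving as a real header and, with a second blank line, a whole second response appearing after the first. The hardened variant rejects CR/LF in header values. The probes, the handler and the function names are assumptions made for this example.

```python
import urllib.parse


def build_redirect_vulnerable(next_url):
    """Reflects the (already URL-decoded) parameter straight into a response header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + next_url + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_safe(next_url):
    """Hardened variant: refuse any CR or LF in a header value."""
    if "\r" in next_url or "\n" in next_url:
        raise ValueError("CR/LF not allowed in header values")
    return build_redirect_vulnerable(next_url)


def parse_response(raw):
    """Minimal parser mimicking a client or cache: status line, header list, then body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


# Constructed probes as they would be sent in the query string (%0d%0a = CRLF).
INJECT_COOKIE = "/home%0d%0aSet-Cookie:%20session=attacker"
SPLIT_RESPONSE = ("/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
                  "HTTP/1.1%20200%20OK%0d%0aContent-Length:%205%0d%0a%0d%0ahello")


def header_injection(probe):
    """Header injection: the injected Set-Cookie arrives as a real header."""
    _, headers, _ = parse_response(build_redirect_vulnerable(urllib.parse.unquote(probe)))
    return headers


def response_splitting(probe):
    """Response splitting: everything after the injected blank line becomes a second response."""
    _, _, body = parse_response(build_redirect_vulnerable(urllib.parse.unquote(probe)))
    return body


def hardened_rejects(probe):
    """Does the hardened handler refuse the probe?"""
    try:
        build_redirect_safe(urllib.parse.unquote(probe))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(header_injection(INJECT_COOKIE))
    print(response_splitting(SPLIT_RESPONSE)[:40])
    print("hardened rejects cookie probe:", hardened_rejects(INJECT_COOKIE))
```

Modern servers and frameworks usually reject CR/LF in header values themselves, so the interesting findings are custom or legacy components, proxies that decode the input a second time, and headers assembled outside the framework's header API.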

**Evidence**:

```
​
```

## 4.7.16 [Testing for HTTP Incoming Requests](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests)

* [ ] Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests.

**Evidence**:

```
​
```

## 4.7.17 [Testing for Host Header Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection)

* [ ] [Modify the value](https://the-pentesting-guide.marmeus.com/web/host_header_injection#test-host-header-injection) of the `Host` header in different endpoints on the application.
* [ ] Try to inject `%0d%0a`, which represents the CRLF, in order to perform HTTP Splitting.
* [ ] Try to use custom host headers to check if it changes the contents on the application.

```http
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-IP: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Host: 127.0.0.1
X-HTTP-Host-Override: 127.0.0.1
X-Client: 127.0.0.1
```

**Evidence**:

```
​
```

## 4.7.18 [Testing for Server-side Template Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection)

* [ ] Identify user input that gets reflected
* [ ] Insert SSTI polyglots `${{<%[%'"}}%\` or payloads.

```python
a{{7*7}}b
a{{7*7}}
{7*7}
${7*7}
{{7*7}}
<% 7*7 %>
[% 7*7 %]
```

* [ ] Identify the templating engine.
* [ ] Build the exploit.

**Evidence**:

```
​
```

## 4.7.19 [Testing for Server-Side Request Forgery](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery)

* [ ] Identify functions in the application that perform requests to external or internal sources or third parties.
* [ ] Identify parameters whose values point to internal or external sources (URLs, hostnames, file paths).
* [ ] Test whether the injection points are exploitable, as in "4.7.11 Testing for Code Injection".
* [ ] Assess the severity of the vulnerability (reachable internal services, cloud metadata endpoints, blind vs. full-response SSRF).

**Evidence**:

```
​
```

