4.7 Input Validation Testing

4.7.1

• Identify variables/parameters that are reflected in responses.

(?:\?|&)(\w+)=

• Assess the input they accept and the encoding that gets applied on return (if any).

"><img src=1 onerror=alert(1)>
<script>alert(2)</script>"<

Evidence:

​

4.7.2

• Identify stored input that is reflected on the client-side.

• Assess the input they accept and the encoding that gets applied on return (if any).

• Check if the input is only sanitized on client or server side.

You can use the previous payloads.

Evidence:

​

Evidence:

​

• Identify any form or action that allows user-supplied input.

• Test for HPP vulnerabilities simply append the same parameter to the GET and POST data but with a different value assigned.

• Send a request with the same parameter repeated twice but with a different value, like page?par1=val1&par1=HPP_TEST1.

The results should be that the application takes the both parameters instead of only one of them.

Evidence:

​

• Identify any form or action that allows user-supplied input.

• Introduce SQL statements to trigger errors. If there are errors, try to exploit the vulnerability.

• Introduce SQL statements based on time and check if there are differences in the response time.

• Perform the same actions but with NoSQL statements.

Evidence:

​

• Identify any form or action that allows user-supplied input.

• Introduce LDAP statements to see how the application behaves.

Evidence:

​

• Identify XML injection points.

• Try to upload XML files.

Evidence:

​

• Check that the application contains .shtml files.

• Inject the payload <!--#exec cmd="nslookup <BURP_COLLAB>" --> in different inputs to see if it is executed. Also, try to inject it on headers like User-Agent or Referer.

• Try to upload files with SSI payloads.

Evidence:

​

• Check if the application uses XML queries.

• Perform XPath attacks

Evidence:

​

• Look for endpoints that triggers sending emails

• Understand the data flow and deployment structure of the system.

• Discover hidden parameters

• Try to inject IMAP text or HTML tags.

• Using webmail, check if the mails receive contains internal network information.

Evidence:

​

• Identify injection points where you can inject files or paths into the application. Here you have some examples:

• File Access parameters

[?&](file|filepath|filename|dir|folder|download|upload|doc|image|path|include|view|resource|asset|content|icon|logfile)=

• Website/URL Access Parameters

[?&](url|link|redirect|target|site|page|navigate|ref|callback|host|return|next)=

• Asses the injection points.

• UNIX FI & Windows FI

Evidence:

​

• Identify injection points where you can inject code into the application. Here you have some examples:

[?&](cmd|exec|action|run|query|operation|execute|task|process|shell|module|method|command|do)=

Evidence:

​

• This vulnerability is mainly oriented to a white box approach. However, you can tested by inserting the value %s on the input parameters of the application.

alice
%s%s%s%n
%p%p%p%p%p
{event.__init__.__globals__[CONFIG][SECRET_KEY]}

Evidence:

​

• Identify injections that are stored and require a recall step to the stored injection.

• Understand how a recall step could occur.

• Set listeners or activate the recall step if possible.

Evidence:

​

• Identify if there are are functions where user input gets reflected into HTTP response headers.

  • Inject %0d%0a, which represents the CRLF.

  • Try to inject headers like Location or Set-Cookie.

• Perform HTTP Smuggling attack based on the following PoCs

Evidence:

​

• Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests.

Evidence:

​

• Try to inject %0d%0a, which represents the CRLF, in order to perform HTTP Splitting.

• Try to use custom host headers to check if it changes the contents on the application.

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-IP: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Host: 127.0.0.1
X-HTTP-Host-Override: 127.0.0.1
X-Client: 127.0.0.1
X-Host: 127.0.0.1

Evidence:

​

• Identify user input that gets reflected

• Insert SSTI polyglots ${{<%[%'"}}%\ or payloads.

a{{7*7}}b
a{{7*7}}
{7*7} 
${7*7} 
{{7*7}} 
<% 7*7 %> 
[% 7*7 %]

• Identify the templating engine.

• Build the exploit.

Evidence:

​

• Identify function in the application that performs requests to external or internal sources or third parties.

• Identify parameters with values that points to internal or external sources.

• Test if the injection points are exploitable as in the "4.7.11 Testing for Code Injection".

• Asses the severity of the vulnerability.

Evidence:

​