PicoCTF - It is my Birthday
The website lands us on an upload functionality: Let’s create a PDF file and try to upload it: Let’s create a different PDF file and try: ...
The website lands us on a secure login portal: If we view the page’s source code, we will notice a function called verify that has everything we need:
The website looks like this: As the title suggests, there must be a /robots.txt file: Visiting the listed directory:
Server-side parameter pollution (SSPP) Some systems contain internal APIs that aren’t directly accessible from the internet. SSPP, aka HTTP parameter pollution, occurs when a website embeds user i...
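The teaser above describes SSPP as user input being embedded into a request the server makes to an internal API. The following is an added example, not code from the original post: it builds the internal URL both unsafely (raw splice) and safely (URL-encoded), then simulates how the internal API would parse what arrives. The internal endpoint name, the publicProfile parameter and the first-value-wins handling of duplicate keys are all assumptions for the demo; real back ends differ on which duplicate wins.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed internal endpoint; not from the original post.
INTERNAL_BASE = "http://internal-api.local/users"


def build_unsafe(name: str) -> str:
    """Vulnerable: user input is spliced straight into the server-side request URL,
    so '#', '&' and '=' in the input become URL syntax rather than data."""
    return f"{INTERNAL_BASE}?name={name}&publicProfile=true"


def build_safe(name: str) -> str:
    """Hardened: every value is percent-encoded, so the same characters stay data."""
    return f"{INTERNAL_BASE}?{urlencode({'name': name, 'publicProfile': 'true'})}"


def internal_api_view(url: str) -> dict:
    """Simulates the internal API's view of the request it receives.
    Assumed behaviour: the fragment (after '#') is never sent, and for duplicate
    keys the first value wins (this varies between technologies)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}


def demo() -> dict:
    """Two constructed payloads: one truncates the query with '#', one injects a
    second publicProfile parameter. Each is run through both builders."""
    truncate = "peter#"
    override = "peter&publicProfile=false"
    return {
        "truncate_unsafe": internal_api_view(build_unsafe(truncate)),
        "truncate_safe": internal_api_view(build_safe(truncate)),
        "override_unsafe": internal_api_view(build_unsafe(override)),
        "override_safe": internal_api_view(build_safe(override)),
    }


if __name__ == "__main__":
    for label, view in demo().items():
        print(f"{label:16} -> {view}")
```

With the unsafe builder the '#' payload drops publicProfile entirely and the '&' payload overrides it; with urlencode both payloads arrive as a literal name value and publicProfile stays true.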
Mass assignment vulnerabilities Mass assignment, aka auto-binding, can inadvertently create hidden parameters. It occurs when software frameworks automatically bind request parameters to fields on...
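The teaser above says that frameworks which automatically bind request parameters onto object fields create hidden parameters. The following is an added example, not code from the original post: a toy model with two server-controlled fields, a binder that copies every request key onto it (the auto-binding behaviour), and an allow-list binder beside it. The User fields, the request payload and the field names is_admin and balance are constructed for the demo.

```python
class User:
    """Toy model; is_admin and balance are assumed server-controlled fields
    that a profile-update request must never be able to set."""

    def __init__(self, username: str, email: str):
        self.username = username
        self.email = email
        self.is_admin = False
        self.balance = 0


def bind_unsafe(obj, params: dict):
    """Vulnerable auto-binding: any request key matching an attribute is written,
    so a client that guesses 'is_admin' gets a hidden parameter for free."""
    for key, value in params.items():
        if hasattr(obj, key):
            setattr(obj, key, value)
    return obj


# Explicit allow-list of fields the profile-update endpoint may touch (assumed).
ALLOWED_PROFILE_FIELDS = frozenset({"username", "email"})


def bind_safe(obj, params: dict, allowed=ALLOWED_PROFILE_FIELDS):
    """Hardened binding: only allow-listed keys are written; everything else is
    returned so the caller can log the attempt instead of silently ignoring it."""
    rejected = sorted(set(params) - allowed)
    for key in allowed & set(params):
        setattr(obj, key, params[key])
    return obj, rejected


def demo() -> dict:
    # Constructed request body: a normal profile update carrying two extra keys.
    payload = {
        "username": "alice",
        "email": "alice@example.com",
        "is_admin": True,
        "balance": 10**6,
    }
    victim = bind_unsafe(User("alice", "old@example.com"), payload)
    hardened, rejected = bind_safe(User("alice", "old@example.com"), payload)
    return {
        "unsafe_is_admin": victim.is_admin,
        "unsafe_balance": victim.balance,
        "safe_is_admin": hardened.is_admin,
        "safe_balance": hardened.balance,
        "safe_email": hardened.email,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

During testing, the rejected list is the interesting part: an endpoint that accepts the extra keys without complaint (or, worse, echoes them back in the response) is the signal that auto-binding is in play.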
Identifying API endpoints We can gather a lot of info by browsing apps that use the API. This is often worth doing even if we have access to API documentation, as sometimes it may be inaccurate or...
API recon To start API testing, we first need to find out as much info about the API as possible, to discover its attack surface. To begin, we should identify API endpoints. These are locations wh...
How to prevent SQLi We can prevent most instances of SQLi using parameterized queries instead of string concatenation within the query. These parameterized queries are also known as prepared state...
Second-order SQLi First-order SQLi occurs when the app processes user input from an HTTP request and incorporates the input into a SQL query in an unsafe way. Second-order SQLi occurs when the ap...
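The two teasers above, on preventing SQLi with parameterized queries and on second-order SQLi, are illustrated together by the following added example, which is not code from the original posts. It uses an in-memory SQLite database: a login function written with string concatenation beside its parameterized form (first-order), and a registration flow that stores a malicious username safely through a prepared statement, only for a later password-change query to concatenate the stored value (second-order). The table, the users admin and bob and their passwords are constructed sample data.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Fresh in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """First-order SQLi: request input is concatenated straight into the query."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized (prepared) query: values travel separately from the SQL text,
    so a quote in the input is data, never syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row is not None


def register(conn, username: str, password: str) -> None:
    """Registration is done correctly, so the payload is stored verbatim and harmlessly."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()


def change_password_vulnerable(conn, username: str, new_password: str) -> None:
    """Second-order SQLi: the username read back from the database is trusted
    because 'it already passed validation', then concatenated into a new query."""
    stored = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    sql = f"UPDATE users SET password = '{new_password}' WHERE username = '{stored}'"
    conn.execute(sql)
    conn.commit()


def change_password_safe(conn, username: str, new_password: str) -> None:
    """Same operation with every value bound as a parameter."""
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username)
    )
    conn.commit()


def password_of(conn, username: str) -> str:
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


def demo() -> dict:
    results = {}

    # First-order: classic tautology plus a comment to swallow the password check.
    payload = "' OR 1=1--"
    conn = setup()
    results["first_order_vulnerable"] = login_vulnerable(conn, payload, "wrong")
    results["first_order_safe"] = login_safe(conn, payload, "wrong")

    # Second-order: the username "admin'--" is stored safely at registration and
    # only becomes SQL when the password-change code concatenates it later.
    evil_user = "admin'--"
    conn = setup()
    register(conn, evil_user, "anything")
    change_password_vulnerable(conn, evil_user, "pwned")
    results["second_order_vulnerable"] = password_of(conn, "admin")

    conn = setup()
    register(conn, evil_user, "anything")
    change_password_safe(conn, evil_user, "pwned")
    results["second_order_safe"] = password_of(conn, "admin")
    return results


if __name__ == "__main__":
    print(demo())
```

The second-order case is the one that slips past input-time filtering: registration itself is written correctly, so the stored username looks like any other row, and the bug is that the later query trusts database contents as much as it should have distrusted request input.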
SQLi in different contexts So far, we have used the query string to inject our malicious SQL payload. However, we can perform SQLi attacks using any controllable input that is processed as a SQL q...