Incubated Vulnerability

Check List

Methodology

Black Box

s

Navigate to the target web application and identify all possible user input points such as profile fields, comments, feedback forms, or file uploads where user-supplied data may be stored by the application

POST /profile/update HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

Bio=Unk9vvN

Using Burp Suite, intercept the request and modify the user-supplied input by injecting a test payload

POST /profile/update HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

bio=<script>alert(1)</script>

Send the request and ensure that the application stores the injected payload without immediate execution

Then navigate to all possible functionalities that may process or display the stored data such as admin panels, reports, or email notifications

GET /admin/viewProfile?id=123 HTTP/1.1
Host: target.com

Observe the server response and check whether the previously injected payload is executed when the stored data is processed by another functionality

If the injected payload executes in a different context or at a later time, the vulnerability is confirmed

White Box

Cheat Sheet

PreviousFormat String Injection NextHTTP Splitting Smuggling

Last updated 1 month ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtags

hashtagWhite Box

hashtagCheat Sheet

Check List

Methodology

Black Box

s

White Box

Cheat Sheet