Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/JoshuaProvoste/URL-Encode-Injection

URL Encode Injection List
https://github.com/JoshuaProvoste/URL-Encode-Injection

Last synced: 21 days ago
JSON representation

URL Encode Injection List

Host: GitHub
URL: https://github.com/JoshuaProvoste/URL-Encode-Injection
Owner: JoshuaProvoste
Created: 2021-09-18T05:30:14.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2021-09-20T02:06:25.000Z (about 3 years ago)
Last Synced: 2024-02-11T21:19:30.700Z (10 months ago)
Size: 8.79 KB
Stars: 8
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - JoshuaProvoste/URL-Encode-Injection - URL Encode Injection List (Others)

README

### URL Encode Injection (UTF-8)

Basic list of URL encoded UTF-8 characters for injection attacks. These types of attacks allows get bypass of login screens, database dumps, generation of custom payloads URL encode based, and many others results.

* %00
* %01
* %02
* %03
...

### Scope

With this basic list is possible make injections of special characters on web apps, API endpoints, and many other technologies. The purpose of these injections is to intentionally cause errors to obtain unexpected behaviors.

### References

Nowadays, there are no public references because is my own idea to bring Null Byte Injection to the category of brute force or fuzzing process.

However, you can read more about Null Byte Injection and URL encoded attacks:

* https://owasp.org/www-community/Double_Encoding
* https://en.wikipedia.org/wiki/Null_character
* https://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
* https://owasp.org/www-community/attacks/Embedding_Null_Code
* https://book.hacktricks.xyz/pentesting-web/file-inclusion#basic-lfi-and-bypasses

### Example

If you have an API endpoint like this /v1/product/some-id/price or whatever similar, you can send the endpoint to Burp Suite Intruder and pass your URL encode dictionary in order to replace §some-id§, and inspect the responses.

§some-id§ can be a uuid, hash or whatever are used insted of "id".

Like Null Byte Injection, the URL Encode Injection can be passed at the beginning or the end of your target entry point:

* /v1/product/§dictionary§/price
* /v1/product/some-id§dictionary§/price
* /v1/product/§dictionary§some-id/price

### Custom & Advanced Dictionaries

If you want make your own dictionary and delve into the subject, i recommend the following character collection:

* https://www.fileformat.info/info/charset/index.htm