This is an interesting use case I haven't tried yet. Will the DELETE method actually remove that ID?
It's likely that fuzzing this kind of endpoint will delete the ID in the case of no injection, and in the case of some tests, may delete all data (if we assume something like [$ne]/id works).
Two things:

1. Try adding 2 blank lines at the end of the file
2. I haven't written support for arguments written as paths (which is what this looks like, where the url is re-written from ?id=1 to path/id/1)
Yeah, with the DELETE method, the API deletes the resources from the database. I tried adding 2 blank lines at the end of the template; what nosqli does is append payloads to the request. It does not tamper with the id in the URL.
I want to test for NoSQL injection for a delete method to a specific endpoint. Since the delete request has no payload, nosqli exits with 'unexpected EOF' when I load the request template using the -r flag. Here is the template that I'm using:
```
DELETE /path/to/endpoint/id HTTP/1.1
Host: my.hostname.com
Cookie: token=some_token
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Origin: my.hostname.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: my.hostname.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```
I want to test for injection in /path/to/endpoint/payload.
Is this currently possible? If yes, how?
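
The 'unexpected EOF' on a bodyless template, and the path-style argument discussed in this thread, shown as an added example (not nosqli's code, and not from the issue author or maintainer). It assumes the template is read with Go's `net/http` `ReadRequest`, which the thread does not confirm; `NormalizeTemplate`, `ParseTemplate`, `PathSegments` and the shortened sample template are hypothetical names and constructed input.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample: a bodyless DELETE template whose header block is not
// terminated by an empty line (hostname and path taken from the issue).
const sampleTemplate = "DELETE /path/to/endpoint/id HTTP/1.1\n" +
	"Host: my.hostname.com\nAccept: application/json\nConnection: close\n"

// NormalizeTemplate rewrites header line endings to CRLF and guarantees the
// empty line that ends the header block. Any body is passed through untouched.
func NormalizeTemplate(raw string) string {
	lines := strings.Split(raw, "\n")
	var b strings.Builder
	for i, ln := range lines {
		ln = strings.TrimRight(ln, "\r")
		if ln == "" { // blank line (or end of input): header block is done
			b.WriteString("\r\n")
			b.WriteString(strings.Join(lines[i+1:], "\n"))
			return b.String()
		}
		b.WriteString(ln + "\r\n")
	}
	return b.String() + "\r\n" // input ended without a final newline
}

// ParseTemplate parses a raw request the way a tool built on net/http would
// (assumption: the thread does not show how nosqli parses its -r template).
func ParseTemplate(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// PathSegments returns the non-empty path segments, i.e. the values a
// path-style route carries in place of a query argument such as ?id=1.
func PathSegments(req *http.Request) []string {
	return strings.FieldsFunc(req.URL.Path, func(r rune) bool { return r == '/' })
}

func main() {
	_, err := ParseTemplate(sampleTemplate)
	fmt.Println("as written:", err)
	if req, err := ParseTemplate(NormalizeTemplate(sampleTemplate)); err == nil {
		fmt.Println("normalized:", req.Method, PathSegments(req))
	}
}
```

The parse succeeds once the header block is terminated, but the id still lives only in `req.URL.Path`, so a tool that only appends to the query string or body never touches it.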