Used in URLs, sent via the query string after a ?.

Example:

https://example.com/search?query=admin
  • query is the parameter name
  • admin is the value
  • Attack surface: XSS, SQLi, IDOR, command injection, etc.

Sent in the request body, often in login or contact forms.

Example:

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=admin&password=123456
  • Parameters: username, password
  • Attack surface: SQLi, brute force, logic flaws

Some apps use REST-style URLs where the parameter is embedded in the path.

Example:

https://example.com/user/12345
  • 12345 is a path parameter (likely a user ID)
  • Attack surface: IDOR (Insecure Direct Object Reference), access control bypass

Headers can carry sensitive data or influence logic.

Examples:

X-Forwarded-For: 127.0.0.1
Authorization: Bearer eyJhbGciOi...
Cookie: sessionid=abc123
  • Attack surface: Header injection, auth bypass, SSRF, privilege escalation

These don’t show up in the UI but are still sent in requests.

<input type="hidden" name="role" value="user">
  • Fuzzing role=admin might escalate privileges if the value is not validated server-side

APIs often use structured formats like JSON or XML.

JSON Example:

{
  "email": "test@example.com",
  "admin": false
}
  • Attack surface: Logic abuse, broken object-level authorization, prototype pollution

XML Example (danger zone for XXE):

<user><id>5</id></user>

Stored in the browser and sent with each request.

Example:

Cookie: auth=admin; userid=5
  • Attack surface: Privilege escalation, session fixation, insecure direct access

Values in JS variables or calls, e.g.:

fetch("/api/profile?id=5")
  • Can be found by parsing JS files or by inspecting requests in browser DevTools
  • Attack surface: IDOR, XSS, parameter tampering

Used for file uploads and complex form submissions.

Example:

Content-Disposition: form-data; name="file"; filename="shell.php"
  • Attack surface: File upload vulnerabilities, web shells

When you’re hunting, try fuzzing:

  • Parameter names (FUZZ=admin)
  • Parameter values (user=FUZZ)
  • Adding new unexpected parameters
  • Changing data types (user_id=abc instead of 123)

Tools like ffuf, Burp Intruder, ParamSpider, and Arjun can help automate this.
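As an added example (not code from the original post), a small Python inventory script that pulls every parameter location listed above (query string, path segments, headers, cookies, form or JSON body) out of a raw HTTP request, so you know exactly what the app accepts and what must be validated server-side; the sample request below is constructed for the demo.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit


def extract_parameters(raw_request: str) -> dict:
    """Inventory every parameter location in a raw HTTP/1.1 request.

    Returns a dict with keys: query, path, headers, cookies, body.
    Headers are reduced to the ones that usually influence logic
    (Authorization and any X-* header); cookies and the body are
    parsed into name/value maps.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    found = {
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        # Numeric path segments are the usual REST-style object IDs (IDOR candidates).
        "path": [seg for seg in url.path.split("/") if seg.isdigit()],
        "headers": {k: v for k, v in headers.items()
                    if k == "authorization" or k.startswith("x-")},
        "cookies": {},
        "body": {},
    }
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        found["cookies"] = {k: morsel.value for k, morsel in jar.items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        found["body"] = dict(parse_qsl(body, keep_blank_values=True))
    elif ctype.startswith("application/json"):
        try:
            found["body"] = json.loads(body)
        except json.JSONDecodeError:
            found["body"] = {"_unparsed": body}  # keep malformed input visible, not dropped
    return found


# Constructed sample request combining several of the locations above.
SAMPLE_REQUEST = "\r\n".join([
    "POST /user/12345/profile?query=admin HTTP/1.1",
    "Host: example.com",
    "Content-Type: application/x-www-form-urlencoded",
    "Cookie: auth=admin; userid=5",
    "X-Forwarded-For: 127.0.0.1",
    "",
    "username=admin&password=123456&role=user",
])
```

Every name the function returns is a candidate for the fuzzing list above, and on the defending side the same inventory is the allowlist the server should enforce (anything else, such as an unexpected role or admin field, is rejected or logged).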
