
Burp Suite Tool Usage, Part 2 (4)

Date: 2022-05-07 07:14 Source: 8N.org.Cn Author: 天剑狂刀私服

Case substitution: This payload source takes a preset list of payload items, and produces one or more payloads from each item by adjusting the case of characters within each item. This payload source may be useful in password guessing attacks, e.g. for producing case variations on dictionary words.

Recursive grep: This payload set works together with the extract grep function. It allows payloads to be generated recursively on the basis of responses to earlier requests. The “extract grep” function captures a portion of a server response following a matched regular expression. With “recursive grep” payloads, the captured text from the previous server response is used as the payload for the subsequent request.

Illegal unicode: This payload source takes a preset list of payload items, and produces a number of payloads from each item by replacing a specified character within each item with illegal Unicode-encodings of a specified character. This payload source may be useful in attempting to circumvent input validation based on pattern-matching, for example defences against path traversal attacks which match on expected encodings of the ../ and ..\ sequences.

Character blocks: This payload source generates character blocks of specific sizes using a given input string. It can be useful in detecting buffer overflow and other boundary condition vulnerabilities in software running in a native (unmanaged) context.

Numbers: This payload source generates numbers, either sequentially or at random, in a specified format.

Dates: This payload source generates dates between a specified range, at a specified interval, in a specified format. This payload source may be useful during data mining (e.g. trawling an order book for entries placed on different days) or brute forcing (e.g. guessing the date of birth component of a user’s credentials).

Brute forcer: This payload source generates a set of payloads of specified lengths which contain all possible permutations of a specified character set.

Null payloads: This payload source generates “null” payloads – i.e. zero-length strings. It can generate a specified number of null payloads, or continue indefinitely.

Char frobber: This operates on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, incrementing the ASCII code of that character by one. This payload source is useful when you are testing which parts of a parameter’s value have an effect on the application’s response (such as portions of complex session tokens).

Bit flipper: This operates on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, flipping each bit in turn. You can configure which bits are to be flipped. You can configure the bit flipper either to operate on the literal base value, or to treat the base value as an ASCII hex string. This payload source can be useful in similar situations to the character frobber but where you need finer-grained control. For example, if session tokens or other parameter values contain meaningful data encrypted with a block cipher in CBC mode, it may be possible to change parts of the decrypted data systematically by modifying bits within the preceding cipher block. In this situation, you can use the bit flipper payload source to determine the effects of modifying individual bits within the encrypted value, and understand whether the application may be vulnerable.

Username generator: This payload source takes human names as input, and generates potential usernames using various common schemes.
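The bit flipper entry above, turned into a check you can run against your own token validation: every single-bit variant of a valid token should be rejected, and any byte offset that still verifies marks a part of the value the server is not checking. This is an added example, not code from the original post or from Burp Suite; the token format, key and function names are assumptions, and it flips bits of the hex-decoded bytes.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed sample key, not from the page
TAG_LEN = 32                    # HMAC-SHA256 output size

def issue_token(data: bytes) -> str:
    """Hypothetical token format: hex(data || HMAC-SHA256(KEY, data))."""
    return (data + hmac.new(KEY, data, hashlib.sha256).digest()).hex()

def _split(token_hex: str):
    """Decode a hex token into (data, tag), or None if malformed."""
    try:
        raw = bytes.fromhex(token_hex)
    except ValueError:
        return None
    return (raw[:-TAG_LEN], raw[-TAG_LEN:]) if len(raw) > TAG_LEN else None

def verify_full(token_hex: str) -> bool:
    """Hardened verifier: compares the whole tag in constant time."""
    parts = _split(token_hex)
    if parts is None:
        return False
    data, tag = parts
    return hmac.compare_digest(tag, hmac.new(KEY, data, hashlib.sha256).digest())

def verify_truncated(token_hex: str) -> bool:
    """Deliberately weak verifier: only the first 8 tag bytes are compared."""
    parts = _split(token_hex)
    if parts is None:
        return False
    data, tag = parts
    expected = hmac.new(KEY, data, hashlib.sha256).digest()
    return hmac.compare_digest(tag[:8], expected[:8])

def bit_flips(base_hex: str, bits=range(8)):
    """Walk the decoded value one byte at a time, flipping each chosen bit."""
    raw = bytes.fromhex(base_hex)
    for offset in range(len(raw)):
        for bit in bits:
            mutated = bytearray(raw)
            mutated[offset] ^= 1 << bit
            yield offset, bit, mutated.hex()

def accepted_offsets(token_hex: str, verify, bits=range(8)):
    """Byte offsets where at least one single-bit change still verifies."""
    return sorted({o for o, _, v in bit_flips(token_hex, bits) if verify(v)})

TOKEN = issue_token(b"user=alice;role=user")   # constructed sample value
```

With `verify_full` the list of accepted offsets is empty; with `verify_truncated` it covers exactly the 24 tag bytes that the weak comparison ignores.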

We are going to use a predefined list of inputs for our testing:


The payloads can be modified using the processing rules in the payload processing rules section of the payloads tab. The payload processing rules almost need a blog post to themselves so I’d encourage you to test them out yourself. The rules that you can apply to your payloads are: (definitions taken from: ):

Add prefix: Adds a prefix value to the payload

Add suffix: Adds a suffix value to the payload

Match/replace: Define a regular expression and a value to replace regular expression matches with.

Substring: From a specified offset up to a specified length

Reverse substring: As substring, but indexed from the end of the payload

Modify case: Same options as for the case substitution payload source

Encode: As URL, HTML, Base64, ASCII hex and constructed strings for various platforms

Decode: As URL, HTML, Base64 and ASCII hex

Hash: Create a hash, multiple hashing algorithms available (SHA-512, MD5 etc)

Add raw payload: this can be useful if you need to include the same payload in both raw and hashed form

Configuring intruder options
