# Insertion Points

Insertion points define **where** in the HTTP request the payloads are injected. Each active profile specifies which insertion point types to test via the `InsertionPointType` array.

## 📊 Insertion Point Types

### 🔗 Standard Parameters

| ID | Type                     | Description                        | Example                   |
| -- | ------------------------ | ---------------------------------- | ------------------------- |
| 0  | **URL parameter value**  | The value of a URL query parameter | `?id=PAYLOAD`             |
| 1  | **Body parameter value** | The value of a POST body parameter | `username=PAYLOAD`        |
| 2  | **Cookie value**         | The value of a cookie              | `Cookie: session=PAYLOAD` |
| 3  | **URL parameter name**   | The name of a URL query parameter  | `?PAYLOAD=value`          |
| 4  | **Body parameter name**  | The name of a POST body parameter  | `PAYLOAD=value`           |
| 5  | **Entire body**          | The complete request body          | Body: `PAYLOAD`           |

### 🔗 URL Path

| ID | Type                        | Description                      | Example              |
| -- | --------------------------- | -------------------------------- | -------------------- |
| 6  | **URL path folder**         | A folder segment in the URL path | `/PAYLOAD/page.html` |
| 7  | **URL path filename**       | The filename in the URL path     | `/path/PAYLOAD`      |
| 65 | **Entire URL query string** | The complete query string        | `?PAYLOAD`           |
| 66 | **URL path**                | The full URL path                | `/PAYLOAD`           |

### 📦 Structured Data

| ID | Type                          | Description                                 | Example                     |
| -- | ----------------------------- | ------------------------------------------- | --------------------------- |
| 33 | **JSON value**                | A value in a JSON body                      | `{"key": "PAYLOAD"}`        |
| 34 | **JSON key**                  | A key name in a JSON body                   | `{"PAYLOAD": "value"}`      |
| 35 | **AMF value**                 | A value in AMF (Action Message Format) data | AMF parameter = `PAYLOAD`   |
| 36 | **XML value**                 | An element value in XML body                | `<tag>PAYLOAD</tag>`        |
| 37 | **XML attribute value**       | An attribute value in XML body              | `<tag attr="PAYLOAD">`      |
| 38 | **Multipart parameter value** | A value in multipart form data              | Multipart field = `PAYLOAD` |

### 📋 HTTP Headers

| ID | Type                          | Description                                                           |
| -- | ----------------------------- | --------------------------------------------------------------------- |
| 64 | **Header**                    | Generic header insertion (uses `NewHeaders` to specify which headers) |
| 67 | **User-Agent**                | The `User-Agent` header value                                         |
| 68 | **Referer**                   | The `Referer` header value                                            |
| 69 | **Host**                      | The `Host` header value                                               |
| 70 | **Content-Type**              | The `Content-Type` header value                                       |
| 71 | **Accept**                    | The `Accept` header value                                             |
| 72 | **Accept-Language**           | The `Accept-Language` header value                                    |
| 73 | **Accept-Encoding**           | The `Accept-Encoding` header value                                    |
| 74 | **Origin**                    | The `Origin` header value                                             |
| 75 | **X-Forwarded-For**           | The `X-Forwarded-For` header value                                    |
| 76 | **X-Forwarded-Host**          | The `X-Forwarded-Host` header value                                   |
| 77 | **X-Custom-IP-Authorization** | The `X-Custom-IP-Authorization` header value                          |
| 78 | **Custom header**             | A custom header defined in `NewHeaders`                               |

## 📋 Using Header Insertion Points

### 🔖 Predefined Headers (IDs 67-77)

To inject payloads into specific HTTP headers, add the corresponding ID to `InsertionPointType`:

```json
{
  "InsertionPointType": [67, 68, 74, 75]
}
```

This tests: User-Agent, Referer, Origin, and X-Forwarded-For headers.

### 🔧 Generic Header (ID 64)

Use ID `64` with the `NewHeaders` field to specify which headers to test:

```json
{
  "InsertionPointType": [64],
  "NewHeaders": ["Origin", "X-Forwarded-For"],
  "isHeaderValue": true
}
```

* `NewHeaders` lists the header names
* `isHeaderValue: true` indicates the payload replaces the header's **value**

### ✏️ Custom Header (ID 78)

Use ID `78` to define a completely custom header:

```json
{
  "InsertionPointType": [78],
  "NewHeaders": ["X-Custom-Header"]
}
```

The payload is set as the value of the custom header.

## 🎯 Insertion Point Selection Guide

### 💉 XSS Testing

```json
"InsertionPointType": [0, 1, 6, 33]
```

URL parameters, body parameters, path folders, JSON values.

### 🗄️ SQL Injection

```json
"InsertionPointType": [0, 1, 2, 33]
```

URL parameters, body parameters, cookies, JSON values.

### 🌐 SSRF / Open Redirect

```json
"InsertionPointType": [0, 1, 5, 65, 64]
```

URL parameters, body parameters, entire body, query string, headers.

### 📋 Header Injection / Host Header Attacks

```json
"InsertionPointType": [69, 74, 75, 76, 77]
```

Host, Origin, X-Forwarded-For, X-Forwarded-Host, X-Custom-IP-Authorization.

### ↩️ CRLF Injection

```json
"InsertionPointType": [0, 1, 6, 7, 65, 66]
```

URL parameters, body parameters, path folders, filename, entire query string, full URL path.

### 📂 Path Traversal

```json
"InsertionPointType": [0, 1, 6, 7, 66]
```

URL parameters, body parameters, path folders, filename, full path.

### 🌐 Broad Testing (All Common Points)

```json
"InsertionPointType": [0, 1, 2, 3, 4, 5, 6, 7, 33, 64, 65, 66]
```

## ⚡ Performance Considerations

The number of insertion points directly affects scan time:

```
Total requests = Profiles × Insertion Points × Payloads
```

* ⬇️ **Fewer insertion points** = faster scans, less noise
* ⬆️ **More insertion points** = broader coverage, more requests

> 💡 **Best practice:** Select only the insertion points relevant to the vulnerability you're testing. For example, XSS profiles don't need to test cookie values, and header injection profiles don't need to test URL parameters.
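
Added example (not part of the tool or its documentation): a rough Python estimator that expands a profile's `InsertionPointType` IDs into concrete insertion points for one request and applies the formula above per profile, summing across profiles. The sample request, the function names, the payload count and the counting rules (one point per parameter, cookie, path segment, JSON leaf and named header) are assumptions for illustration; the scanner's own enumeration may differ.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request (not from the page or the tool).
SAMPLE = {
    "url": "https://app.example/api/v1/items?id=7&sort=asc",
    "cookies": {"session": "abc", "theme": "dark"},
    "content_type": "application/json",
    "body": '{"name": "x", "tags": ["a", "b"], "owner": {"id": 1}}',
}

def json_counts(node):
    """Return (scalar values, keys) found anywhere in parsed JSON."""
    if isinstance(node, dict):
        inner = [json_counts(v) for v in node.values()]
        return sum(i[0] for i in inner), sum(i[1] for i in inner) + len(node)
    if isinstance(node, list):
        inner = [json_counts(v) for v in node]
        return sum(i[0] for i in inner), sum(i[1] for i in inner)
    return 1, 0

def count_points(profile, req):
    """Map each selected type ID to its number of concrete points in req."""
    parts = urlsplit(req["url"])
    query = parse_qsl(parts.query, keep_blank_values=True)
    segs = [s for s in parts.path.split("/") if s]
    is_json = req["content_type"].startswith("application/json")
    # Assumption: IDs 1/4 apply to form-encoded bodies, 33/34 to JSON bodies.
    form = [] if is_json else parse_qsl(req["body"], keep_blank_values=True)
    jv, jk = json_counts(json.loads(req["body"])) if is_json else (0, 0)
    named = len(profile.get("NewHeaders", []))  # headers named for IDs 64/78
    sizes = {0: len(query), 3: len(query), 1: len(form), 4: len(form),
             2: len(req["cookies"]), 5: 1 if req["body"] else 0,
             6: max(len(segs) - 1, 0), 7: 1 if segs else 0,
             33: jv, 34: jk, 64: named, 78: named,
             65: 1 if parts.query else 0, 66: 1}
    sizes.update({i: 1 for i in range(67, 78)})  # predefined headers 67-77
    # IDs 35-38 (AMF, XML, multipart) are not modelled here and count as 0.
    return {t: sizes.get(t, 0) for t in profile["InsertionPointType"]}

def estimate_requests(profiles, payloads_per_profile, req):
    """Sum points x payloads per profile (the page's formula, per profile)."""
    return sum(sum(count_points(p, req).values()) * payloads_per_profile
               for p in profiles)

XSS = {"InsertionPointType": [0, 1, 6, 33]}
BROAD = {"InsertionPointType": [0, 1, 2, 3, 4, 5, 6, 7, 33, 64, 65, 66]}
if __name__ == "__main__":
    print(count_points(XSS, SAMPLE), estimate_requests([XSS, BROAD], 10, SAMPLE))
```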

## 📝 JSON Format Example

```json
{
  "ProfileName": "Open Redirect",
  "InsertionPointType": [
    65,
    1,
    6,
    5,
    64,
    0,
    3,
    4
  ],
  "NewHeaders": [],
  "isHeaderValue": false
}
```

This profile tests: entire query string, body parameter value, URL path folder, entire body, headers, URL parameter value, URL parameter name, body parameter name.
