search

πŸ“Insertion Points

Insertion points define where in the HTTP request payloads are injected. Each active profile specifies which insertion point types to test via the InsertionPointType array.

hashtag
πŸ“Š Insertion Point Types

hashtag
πŸ”— Standard Parameters

ID
Type
Description
Example

0

URL parameter value

The value of a URL query parameter

?id=PAYLOAD

1

Body parameter value

The value of a POST body parameter

username=PAYLOAD

2

Cookie value

The value of a cookie

Cookie: session=PAYLOAD

3

URL parameter name

The name of a URL query parameter

?PAYLOAD=value

4

Body parameter name

The name of a POST body parameter

PAYLOAD=value

5

Entire body

The complete request body

Body: PAYLOAD

hashtag
πŸ”— URL Path

ID
Type
Description
Example

6

URL path folder

A folder segment in the URL path

/PAYLOAD/page.html

7

URL path filename

The filename in the URL path

/path/PAYLOAD

65

Entire URL query string

The complete query string

?PAYLOAD

66

URL path

The full URL path

/PAYLOAD

hashtag
πŸ“¦ Structured Data

ID
Type
Description
Example

33

JSON value

A value in a JSON body

{"key": "PAYLOAD"}

34

JSON key

A key name in a JSON body

{"PAYLOAD": "value"}

35

AMF value

A value in AMF (Action Message Format) data

AMF parameter = PAYLOAD

36

XML value

An element value in XML body

<tag>PAYLOAD</tag>

37

XML attribute value

An attribute value in XML body

<tag attr="PAYLOAD">

38

Multipart parameter value

A value in multipart form data

Multipart field = PAYLOAD

hashtag
πŸ“‹ HTTP Headers

ID
Type
Description

64

Header

Generic header insertion (uses NewHeaders to specify which headers)

67

User-Agent

The User-Agent header value

68

Referer

The Referer header value

69

Host

The Host header value

70

Content-Type

The Content-Type header value

71

Accept

The Accept header value

72

Accept-Language

The Accept-Language header value

73

Accept-Encoding

The Accept-Encoding header value

74

Origin

The Origin header value

75

X-Forwarded-For

The X-Forwarded-For header value

76

X-Forwarded-Host

The X-Forwarded-Host header value

77

X-Custom-IP-Authorization

The X-Custom-IP-Authorization header value

78

Custom header

A custom header defined in NewHeaders

hashtag
πŸ“‹ Using Header Insertion Points

hashtag
πŸ”– Predefined Headers (IDs 67-77)

To inject payloads into specific HTTP headers, add the corresponding ID to InsertionPointType:

This tests: User-Agent, Referer, Origin, and X-Forwarded-For headers.

hashtag
πŸ”§ Generic Header (ID 64)

Use ID 64 with the NewHeaders field to specify which headers to test:

  • NewHeaders lists the header names

  • isHeaderValue: true indicates the payload replaces the header's value

hashtag
✏️ Custom Header (ID 78)

Use ID 78 to define a completely custom header:

The payload is set as the value of the custom header.

hashtag
🎯 Insertion Point Selection Guide

hashtag
πŸ’‰ XSS Testing

URL parameters, body parameters, path folders, JSON values.

hashtag
πŸ—„οΈ SQL Injection

URL parameters, body parameters, cookies, JSON values.

hashtag
🌐 SSRF / Open Redirect

URL parameters, body parameters, entire body, query string, headers.

hashtag
πŸ“‹ Header Injection / Host Header Attacks

Host, Origin, X-Forwarded-For, X-Forwarded-Host, X-Custom-IP-Authorization.

hashtag
↩️ CRLF Injection

URL parameters, body parameters, path components.

hashtag
πŸ“‚ Path Traversal

URL parameters, body parameters, path folders, filename, full path.

hashtag
🌐 Broad Testing (All Common Points)

hashtag
⚑ Performance Considerations

The number of insertion points directly affects scan time:

  • ⬇️ Fewer insertion points = faster scans, less noise

  • ⬆️ More insertion points = broader coverage, more requests

πŸ’‘ Best practice: Select only the insertion points relevant to the vulnerability you're testing. For example, XSS profiles don't need to test cookie values, and header injection profiles don't need to test URL parameters.

hashtag
πŸ“ JSON Format Example

This profile tests: entire query string, body parameter value, URL path folder, entire body, headers, URL parameter value, URL parameter name, body parameter name.

PreviousPayloadsNextMatch Types

Last updated