Module 07 — Data Manipulation & Input Validation

Icon: 📄 Document   |   Colour: Pink

Overview

Tests for NoSQL injection, mass assignment, HTTP parameter pollution, dangerous file uploads, and path traversal / local file inclusion (LFI).

How It Works

  1. NoSQL injection — sends MongoDB operator payloads ($gt, $ne, $or, etc.) to detected form fields and API parameters.
  2. Mass assignment — adds privilege-elevating fields (role, is_admin, permissions) to form and API submissions to test for improper attribute filtering.
  3. HTTP parameter pollution (HPP) — duplicates request parameters to test for inconsistent server-side handling.
  4. Dangerous file upload — sends seven crafted payloads including PHP shells, polyglot files, and path-traversal filenames to file upload endpoints.
  5. Path traversal / LFI — sends eight traversal payloads (e.g. ../../etc/passwd) to URL and form parameters.
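Steps 1 and 2 both come down to the same defect: values taken from a JSON body reach a query or a model without a type or attribute check. The block below is an added example written for this page, not the module's own code: a toy login and profile endpoint, each shown in its vulnerable form beside a hardened one, exercised with operator payloads and privilege fields of the kind the module sends. The user records, the probe bodies and the tiny MongoDB-style matcher are all constructed for the example.

```python
"""Added example (not the module's own code): the NoSQL-operator probes of
step 1 and the privilege-field probes of step 2, run against a toy JSON API
whose vulnerable handlers sit beside their hardened forms. The user table,
the probe bodies and the minimal MongoDB-style matcher are all constructed."""
import json

USERS = [  # constructed sample records
    {"username": "admin", "password": "s3cr3t-admin", "role": "admin"},
    {"username": "alice", "password": "hunter2", "role": "user"},
]

def match(doc, query):
    """Subset of MongoDB query semantics: equality, $ne and $gt."""
    for field, cond in query.items():
        val = doc.get(field)
        if isinstance(cond, dict):           # an operator object reached the query
            if "$ne" in cond and val == cond["$ne"]:
                return False
            if "$gt" in cond and not (isinstance(val, str) and val > cond["$gt"]):
                return False
        elif val != cond:
            return False
    return True

def find_one(query):
    return next((u for u in USERS if match(u, query)), None)

def login_vulnerable(body):
    """Forwards the decoded JSON values into the query unchanged, so a client
    can substitute {"$ne": ""} for the password it does not know."""
    data = json.loads(body)
    user = find_one({"username": data["username"], "password": data["password"]})
    return user["username"] if user else None

def login_hardened(body):
    """Accepts only plain strings; any object in a credential field is refused
    before it can become a query operator."""
    data = json.loads(body)
    u, p = data.get("username"), data.get("password")
    if not (isinstance(u, str) and isinstance(p, str)):
        return None
    user = find_one({"username": u, "password": p})
    return user["username"] if user else None

NOSQL_PROBES = [  # constructed operator payloads of the kind step 1 sends
    '{"username": "admin", "password": {"$ne": ""}}',
    '{"username": "admin", "password": {"$gt": ""}}',
    '{"username": {"$ne": "nobody"}, "password": {"$ne": ""}}',
]

def nosql_finding(login):
    """Probes that produced a successful login without a valid password."""
    return [p for p in NOSQL_PROBES if login(p) is not None]

ALLOWED_PROFILE_FIELDS = {"display_name", "email"}

def update_profile_vulnerable(user, body):
    """Copies every submitted attribute onto the stored record."""
    user.update(json.loads(body))
    return user

def update_profile_hardened(user, body):
    """Allow-lists writable attributes; role, is_admin and permissions are
    never client-settable on this endpoint."""
    data = json.loads(body)
    user.update({k: v for k, v in data.items() if k in ALLOWED_PROFILE_FIELDS})
    return user

MASS_ASSIGN_BODY = json.dumps({  # constructed: the privilege fields of step 2
    "display_name": "Alice", "role": "admin", "is_admin": True, "permissions": ["*"]})

def mass_assignment_finding(update):
    """True if any privilege field submitted by the client landed on the record."""
    user = {"username": "alice", "role": "user"}
    after = update(user, MASS_ASSIGN_BODY)
    return (after.get("role") != "user" or after.get("is_admin") is True
            or "permissions" in after)

if __name__ == "__main__":
    print("NoSQL bypasses (vulnerable):", nosql_finding(login_vulnerable))
    print("NoSQL bypasses (hardened):  ", nosql_finding(login_hardened))
    print("mass assignment (vulnerable):", mass_assignment_finding(update_profile_vulnerable))
    print("mass assignment (hardened):  ", mass_assignment_finding(update_profile_hardened))
```

The hardened login checks the type of each credential rather than stripping `$` from keys; the latter is the common but incomplete fix, since it leaves nested operators and non-string values in place. The hardened profile update uses a positive allow-list of writable fields, which is the only mass-assignment control that survives new columns being added to the model.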

Expected Findings

Finding                          Severity
NoSQL injection                  Critical
Path traversal / LFI             Critical
Upload path traversal            Critical
Dangerous file upload accepted   High
Mass assignment                  High
HTTP parameter pollution         Medium
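The two Critical path findings above (path traversal / LFI from step 5 and upload path traversal from step 4) share a root cause: a client-supplied name is joined onto a base directory without checking where the result ends up. The block below is an added example written for this page, not the module's own code. It builds a throwaway web root in a temporary directory, with a secret file one level above it standing in for /etc/passwd, and runs a constructed set of traversal variants against a vulnerable file reader and upload handler and their hardened counterparts. The probe list is the example's own, not the module's eight payloads.

```python
"""Added example (not the module's own code): path traversal (step 5) and
upload path traversal (step 4) against a toy file reader and a toy upload
handler, each shown vulnerable beside its hardened form. The directory
layout, the probe list and the secret file (standing in for /etc/passwd)
are constructed in a temporary directory so the example runs offline."""
import os
import tempfile
import urllib.parse
from pathlib import Path

ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".txt"}

def make_root():
    """www/static/logo.txt is served; ../secret.txt must stay unreachable."""
    base = Path(tempfile.mkdtemp())
    root = base / "www"
    (root / "static").mkdir(parents=True)
    (root / "uploads").mkdir()
    (root / "static" / "logo.txt").write_text("public")
    (base / "secret.txt").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return root, base / "secret.txt"

def traversal_probes(secret):
    """Constructed traversal variants of the kind step 5 sends."""
    return [
        "../../secret.txt",
        "..%2f..%2fsecret.txt",        # URL-encoded slashes
        "%2e%2e/%2e%2e/secret.txt",    # URL-encoded dots
        "..%252f..%252fsecret.txt",    # double-encoded: one decode leaves ..%2f
        "....//....//secret.txt",      # survives a naive single "../" strip
        str(secret),                   # absolute path
    ]

def read_vulnerable(root, name):
    """Decodes once and concatenates onto the static dir. Note that
    os.path.join discards the base entirely when the second part is absolute."""
    path = os.path.join(str(root / "static"), urllib.parse.unquote(name))
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

def read_hardened(root, name):
    """Decodes once, resolves '..' and symlinks, then checks containment."""
    static = (root / "static").resolve()
    target = (static / urllib.parse.unquote(name)).resolve()
    if static not in target.parents:   # outside static/, or static/ itself
        return None
    try:
        return target.read_text()
    except OSError:
        return None

def leaked_by(reader, root, secret):
    """Probes that returned the secret's content through `reader`."""
    want = secret.read_text()
    return [p for p in traversal_probes(secret) if reader(root, p) == want]

def save_upload_vulnerable(root, filename, data):
    """Uses the client-supplied name verbatim, directory components included."""
    path = root / "uploads" / filename
    path.write_bytes(data)
    return path.resolve()

def save_upload_hardened(root, filename, data):
    """Keeps only the final path component (either separator), allow-lists the
    extension, and verifies the resolved destination is still in uploads/."""
    uploads = (root / "uploads").resolve()
    name = Path(filename.replace("\\", "/")).name
    if not name or name in (".", "..") or Path(name).suffix.lower() not in ALLOWED_UPLOAD_EXT:
        return None
    dest = (uploads / name).resolve()
    if dest.parent != uploads:
        return None
    dest.write_bytes(data)
    return dest

def run_demo():
    """Runs every probe against both handlers and returns what each leaked."""
    root, secret = make_root()
    return {
        "probes": traversal_probes(secret),
        "leaked_vulnerable": leaked_by(read_vulnerable, root, secret),
        "leaked_hardened": leaked_by(read_hardened, root, secret),
        "legit_hardened": read_hardened(root, "logo.txt"),
        "php_upload_hardened": save_upload_hardened(root, "shell.php", b"<?php"),
        "traversal_upload_hardened": save_upload_hardened(root, "../../secret.txt", b"img"),
        "secret_after_hardened": secret.read_text(),
        "traversal_upload_vulnerable": save_upload_vulnerable(root, "../../secret.txt", b"owned"),
        "secret_after_vulnerable": secret.read_text(),
        "secret": secret.resolve(),
        "uploads": (root / "uploads").resolve(),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Against the vulnerable reader the plain, single-encoded and absolute probes all return the secret, while the double-encoded and `....//` variants miss because this toy decodes exactly once and strips nothing; those two exist to catch servers that decode twice or sanitise by deletion. The hardened reader compares fully resolved paths rather than looking for `..` in the input, so the encoding of the probe is irrelevant. The hardened upload handler reduces the name to its last component before the extension check; the extension allow-list stops the plain PHP shell but not a polyglot with an allowed extension, which is why step 4's content-based payloads need a separate content check the example does not attempt.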