3

I'm starting out as a bug bounty hunter and found a website that might have a problem, yet I'm unsure if it's exploitable or not.

When sending any payload that contains % I get an error:

Invalid query parameters: invalid %-encoding (21%) 

And this is the response I get on Burp Suite:

HTTP/2 400 Bad Request
Content-Type: text/html;charset=utf-8
Content-Length: 50
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 11 Feb 2025 16:28:58 GMT
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Request-Id: 08d6829b-beee-4e0f-bae4-3a8e1e8374a4
X-Runtime: 0.002052
Strict-Transport-Security: max-age=31536000
X-Cache: Error from cloudfront
Via: 1.1 fcd8545d1b62265bb65a45721c43e6ac.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: MXP63-P3
X-Amz-Cf-Id: Fj6KlznTqeUPJLt_tDcsb4D7nR2_rKOdPX36RcCodElr0e6Ld3EOQQ==

Invalid query parameters: invalid %-encoding (21%)

Here is another example:

Invalid query parameters: invalid %-encoding (x'%20OR%20full_name%20LIKE%20'%Bob%) 

where the payload is: x' OR full_name LIKE '%Bob%

These are some other payloads:

4
  • 6
    Nothing here suggests that this is exploitable. This does not mean that it definitely isn't exploitable, only that the data you provide do not show any way to exploit it. Your attempt of an exploit does not even hit the database but is rejected due to wrong URL encoding.
    Commented Feb 11 at 17:23
  • So to find something I need the error to be returned from the database? Like, instead of wrong password and username, I get something else?
    Commented Feb 11 at 17:31
  • 3
    @RedPotato: Yes, you would need to see, e.g., an SQL syntax error which clearly shows that an input you've injected changes the structure of a query.
    – Ja1024
    Commented Feb 12 at 5:23
  • 1
    Apparently, whatever generated that query string actually forgot to %-encode... % itself. It should be encoded as %25.
    – jcaron
    Commented Feb 12 at 15:27

1 Answer

16

You're confusing a URL query with a database query. The error message apparently comes from Ruby on Rails (see 1 and 2) and simply means that the URL query in your request isn't properly percent-encoded. This is because in a URL, a percent sign must be followed by two hexadecimal digits which specify a certain ASCII character. The error message doesn't refer to any database at all.

You generally have to be very careful about which layer of the application expects which input format. If you simply throw random SQL fragments at an application, this may very well trigger an error, but only because the input is malformed and therefore immediately gets rejected – not because you've found an SQL injection vulnerability. There may not even be an SQL database in the backend. To be sure you've found an SQL-related vulnerability, you'd have to see, e.g., an SQL syntax error which clearly shows that one of your inputs changes the structure of a query. But not every application gives obvious feedback. If there's a bug bounty, you can be pretty sure there are no longer any low-hanging fruit like this.

6
  • 3
    To make it circle back to OP's initial question: Yes, if a URL can throw an actual SQL error it may be insecure and definitely should be looked at. Malformed URLs/queries should ideally be caught by the application before reaching the database itself. As this answer states though, you're not getting an SQL error because exactly this kind of filtering is happening, so it looks good.
    Commented Feb 12 at 10:06
  • 4
    @Hobbamok: This comment doesn't make much sense. The syntax rules for URLs and database queries are completely unrelated. A perfectly valid URL can carry the payload for an SQL injection, and a hopelessly malformed URL poses no inherent threat to a database. This also means rejecting invalid URLs provides no protection against SQL injections – you need prepared statements or SQL-escaping for that. Nor does a lack of URL validation lead to an SQL-related vulnerability.
    – Ja1024
    Commented Feb 12 at 10:49
  • 1
    @Hobbamok: So I cannot say this looks good. All we know is that we know nothing about any application databases. The OP hasn't even gotten to the point where the query data might have been passed to a db.
    – Ja1024
    Commented Feb 12 at 10:50
  • 3
    You are deriving statements from my comment that I did not intend to make. My exclusive point was that if your URL results in an SQL error, definitely have a look, because that is a red flag. Yes, the "it looks good" without further context was misleading. It looks good in the sense that it's not the blatant red flag OP thought it was, that is all. Since we can't see anything else, everything we see here looks good.
    Commented Feb 12 at 11:30
  • 2
    @Hobbamok: I wasn't trying to misrepresent your comment. It just seemed like an odd phrasing given that the OP hasn't really found out anything so far (in regards to how the application interacts with possible databases).
    – Ja1024
    Commented Feb 12 at 13:43
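Added example (not from the question, the answer, or Rails itself) illustrating the two separate layers the answer and Ja1024's comments describe: a strict percent-decoder that rejects a bare `%` the way the Rails error does, and the decoded value then bound as a prepared-statement parameter, so a validly encoded request carrying the question's payload still cannot change the query's structure. The `users` table and its names are constructed for the demo.

```python
import sqlite3
import string

# Strict decoder for one URL query component. As the answer says, a '%' must be
# followed by exactly two hex digits; anything else is rejected at the URL layer
# (the Rails error in the question), before the value reaches any other layer.
def strict_percent_decode(component: str) -> str:
    out = bytearray()
    i = 0
    while i < len(component):
        ch = component[i]
        if ch == "%":
            pair = component[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"invalid %-encoding ({component})")
            out.append(int(pair, 16))
            i += 3
        elif ch == "+":
            out.append(0x20)  # '+' is a space in form-encoded query strings
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8")

def is_valid_percent_encoding(component: str) -> bool:
    try:
        strict_percent_decode(component)
        return True
    except ValueError:
        return False

# Constructed in-memory table standing in for the application's database.
def _users_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (full_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("Bob Smith",), ("Alice Jones",), ("Bobby Brown",)])
    return conn

# The decoded value is bound as a prepared-statement parameter, so it is always
# LIKE pattern data: a valid URL can carry the quoted payload from the question,
# yet it can never change the structure of the query.
def search_users(encoded_component: str) -> list[str]:
    pattern = strict_percent_decode(encoded_component)
    rows = _users_db().execute(
        "SELECT full_name FROM users WHERE full_name LIKE ? ORDER BY rowid",
        (pattern,)).fetchall()
    return [row[0] for row in rows]
```

With `%` encoded as `%25` the request is accepted, the decoded pattern is the literal string `x' OR full_name LIKE '%Bob%`, and the parameterized query simply matches no rows.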
