TIL: Injection

Today I Learned:

I studied for over 10 hours today! I learned quite a bit, as well as a lot of review. One of the most fun things I learned at HackTheBox was this:

Using Burp Suite and the repeater (as one method, you could also use cURL, etc.) you can send the following:


Along with changing the content type to:


to attempt injection. It won’t work on most web servers because of the brackets, but if a REST API is active, it may work, effectively turning the request into JSON:

{ "username" : "admin", "password" : {"$ge":"0"} }

This won’t work every time as it really depends on the code, but it was something very cool to learn.

Today I also learned about Xmind and Obsidian. Check them out, they are pretty cool!