SQL Injection · Lesson 13 of 20

SQL Injection: Finding it in the wild

Where does SQLi actually live? Search fields, sort columns, JSON path filters, ORM raw() leaks. How a hunter thinks, not how a CTF player thinks.

Advanced · 18 min
Tags: SQLi, Recon, Burp

© 2026 Truesapiens.


CTF challenges put the vulnerable input on a giant neon sign. Real bug bounty targets hide it in search fields, sort columns, JSON path filters, admin panels, and forgotten legacy endpoints. This lesson is about how a hunter thinks - not how a CTF player thinks.

Prerequisites
Read these lessons first:
  • L4 Authentication bypass
  • L5 Comment injection
  • L6 UNION-based extraction
  • L7 Error-based extraction
  • L8 Blind injection overview
What you'll be able to do
  • Map the high-value endpoints before sending a single payload.
  • Pick the right probe for the right field type (string, integer, enum, JSON).
  • Distinguish a real signal from application noise.
  • Use Burp Repeater and Intruder to systematically test endpoints.
Key terms
Recon
Mapping every endpoint, parameter, and field type that crosses a trust boundary. The first phase of any SQLi hunt - without a map, payloads are wasted.
Oracle
Any deterministic, externally observable difference between the responses to two requests: status code, response length, content, timing, headers, cookies, redirects.
False positive
A signal that looks like SQLi but is not. The most common is a length delta caused by a 404 page template that does not include the user's name.
Burp Suite
The de-facto web proxy used by hunters. Repeater for manual probing, Intruder for parallel fuzzing, Scanner for automated coverage.
What is it?

The 30-second checklist

Before sending a payload, a hunter builds a list of every input that reaches a SQL query. The categories that account for most real findings:

  1. Search fields. Every product search, user search, log search eventually reaches a LIKE '%…%' clause. An apostrophe at the end of the search term is the first probe.
  2. Sort and order parameters. The sort column is often concatenated directly, because bind parameters carry values, not identifiers, so an ORM cannot bind a column name. The classic payload is ?sort=name; --.
  3. JSON path filters. Many APIs accept filter[email]=… and pass the key directly into a SQL WHERE. The key, not the value, is the attack surface.
  4. Login, password reset, OTP verification. All three reach user lookups. They are also the highest-impact targets - successful injection here typically yields an authentication bypass, often straight into an admin account.
  5. Hidden admin panels and forgotten legacy endpoints. The /admin/legacy/ folder from the 2014 rewrite is still on the server. The scanner does not know about it; the hunter does.
The hunter's pipeline
[Interactive diagram: the hunter's pipeline. The node graph is not reproduced in text.]
Try it

Probe five endpoints

The sandbox fakes five endpoints. Four are vulnerable; one is hardened. Pick an endpoint, send a probe, and read the oracle signal. The endpoint that returns no signal across all four payloads is the one to leave alone.

Endpoints to probe (sandbox: devrecon.local/scanner/targets)

  • Search box. A trailing apostrophe causes a 500 - the dev server reflects the error.
Real-world relevance

How a hunter triages a 50-finding recon

A single 24-hour recon of a mid-size SaaS produces 50 to 200 parameters. A hunter does not probe them all manually - the loop is automated. Burp Intruder with a small wordlist (a lone apostrophe, ' OR 1=1 --, boolean true/false pairs, time probes) goes out in parallel; the hunter then triages the responses that differ from the baseline.

The triage is the hard part. A 200→200 with a 12-byte length difference could be SQLi, or it could be a page template that simply omits the user's name whenever a lookup returns no row. The hunter confirms in two ways: by sending the same payload twice and checking that the two responses are identical (a true oracle is deterministic), and by sending a control payload that should not trigger the signal (for a time-based probe, the same payload with the delay set to zero, which must come back at baseline speed) to rule out application noise. A delta that appears only once, or that appears for the control as well, is noise.
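The checklist's field types (string, integer, sort column, JSON filter key) and the triage loop above, as one added example that is not part of the lesson or its sandbox: a Python script picks a true/false probe pair per field type and runs it against constructed endpoints backed by an in-memory SQLite database. Four endpoints concatenate the parameter into SQL, one binds it, and one binds it but stamps a per-request counter into the body so the determinism check has something to catch. Every path, table, value and payload here is constructed for the example.

```python
import itertools
import sqlite3

# Constructed target: an in-memory SQLite database standing in for the app backend.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO products VALUES (1,'zinc'),(2,'apple'),(3,'mango');
CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, role TEXT);
INSERT INTO users VALUES (1,'a@example.test','admin'),(2,'b@example.test','user');
""")
_counter = itertools.count()

def run(sql, params=()):
    """Execute a query and render it the way a small web app would: (status, body)."""
    try:
        rows = db.execute(sql, params).fetchall()
    except sqlite3.Error:
        return (500, "Internal Server Error")   # generic error, no SQL text reflected
    return (200, repr(rows)) if rows else (404, "Not found")

def noisy_search(_key, value):
    """Parameterized (hardened) search whose body carries a per-request counter."""
    status, body = run("SELECT name FROM products WHERE name LIKE ?", (f"%{value}%",))
    return (status, f"{body} req={next(_counter)}")

# Constructed endpoints: (field type, handler taking one (key, value) pair, baseline pair).
# The first four concatenate the parameter into SQL; the last two bind it.
ENDPOINTS = {
    "/search?q":       ("string",   lambda k, v: run(f"SELECT name FROM products WHERE name LIKE '%{v}%'"), ("q", "a")),
    "/item?id":        ("integer",  lambda k, v: run(f"SELECT name FROM products WHERE id = {v}"), ("id", "1")),
    "/list?sort":      ("sort",     lambda k, v: run(f"SELECT name FROM products ORDER BY {v}"), ("sort", "name")),
    "/users?filter[]": ("json_key", lambda k, v: run(f"SELECT role FROM users WHERE {k} = '{v}'"), ("email", "a@example.test")),
    "/safe?q":         ("string",   lambda k, v: run("SELECT name FROM products WHERE name LIKE ?", (f"%{v}%",)), ("q", "a")),
    "/noisy?q":        ("string",   noisy_search, ("q", "a")),
}

def probes(kind, key, value):
    """Return one (true, false) pair of (key, value) tuples shaped for the field type."""
    if kind == "integer":      # numeric context: no quotes at all
        return (key, f"{value} AND 1=1"), (key, f"{value} AND 1=2")
    if kind == "sort":         # identifier context: order by the real column only when the predicate holds
        return ((key, f"(CASE WHEN 1=1 THEN {value} ELSE id END)"),
                (key, f"(CASE WHEN 1=2 THEN {value} ELSE id END)"))
    if kind == "json_key":     # filter[<key>]: the key lands in column position, so the predicate goes there
        return (f"1=1 AND {key}", value), (f"1=2 AND {key}", value)
    # string inside LIKE '%...%': close the literal, add the predicate, keep the trailing %' valid
    return (key, f"{value}%' AND 1=1 AND '%'='"), (key, f"{value}%' AND 1=2 AND '%'='")

def triage(path):
    """Classify one endpoint as 'signal', 'no signal' or 'noise' using whole-body comparison."""
    kind, send, (key, value) = ENDPOINTS[path]
    t, f = probes(kind, key, value)
    base = [send(key, value) for _ in range(2)]
    true_ = [send(*t) for _ in range(2)]
    false_ = [send(*f) for _ in range(2)]
    # A real oracle is deterministic: the same request must yield the identical response twice.
    if not (base[0] == base[1] and true_[0] == true_[1] and false_[0] == false_[1]):
        return "noise"
    # The true predicate must reproduce the baseline and the false predicate must change it.
    # Compare whole bodies: the ORDER BY oracle reorders rows without changing status or length.
    if true_[0] == base[0] and false_[0] != base[0]:
        return "signal"
    return "no signal"

def hunt():
    """Verdict per constructed endpoint."""
    return {path: triage(path) for path in ENDPOINTS}

if __name__ == "__main__":
    for path, verdict in hunt().items():
        print(f"{verdict:10} {path}")
```

Each verdict rests on three checks: the same request twice must produce the identical response (otherwise the endpoint is noise and no single delta means anything), the true predicate must reproduce the baseline, and the false predicate must change it. The comparison is on the whole body rather than on status and length: the ORDER BY probe flips the row order without touching either, so a status-plus-length oracle would call that endpoint clean.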

Mitigation

What makes an endpoint hard to find

Two patterns make SQLi much harder to discover. First, application-level logging of every request: hunters whose scanner IPs start appearing in the WAF dashboard usually back off before their probes turn into a finding. Second, responses that are byte-for-byte identical between true and false predicates (a fully generic error page, no length delta, no status change). Time-based extraction is then the only remaining oracle, and it is slower by an order of magnitude.

javascript
// Assumed context: `app` is an Express application and `log` is a structured
// logger; neither is shown here.
const crypto = require('crypto');
const hash = v => crypto.createHash('sha256').update(v).digest('hex').slice(0, 16);

// Every parameter the application accepts is logged server-side with a hash
// of the value, never the raw value (which may be a payload or a secret).
// A burst of 4xx/5xx responses together with a sudden spike in distinct value
// hashes for one path is a high-confidence SQLi probe signature, so the status
// is recorded once the response has finished.
app.use((req, res, next) => {
  const valueHashes = Object.values(req.query).map(v => hash(String(v)));
  res.on('finish', () => {
    log.info({ ip: req.ip, path: req.path, status: res.statusCode, hashes: valueHashes });
  });
  next();
});
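The detection side of that logging, as an added example that is not part of the lesson: a Python function reads log lines of the shape the middleware emits (one JSON object per request with ip, path, hashes and the response status; the status field is an assumption if the middleware does not record it) and flags any client-and-path pair whose distinct value hashes spike alongside a high 4xx/5xx ratio. The log lines, IPs and thresholds are constructed for the example, and it aggregates over the whole sample rather than a sliding time window.

```python
import json
from collections import defaultdict

# Constructed log: a normal user trying three search terms, a scanner throwing twelve
# distinct values at /search (most of them erroring), and the same scanner paging
# /list ten times with one value (high volume, but not a probe).
SAMPLE_LOG = "\n".join(
    [json.dumps({"ip": "203.0.113.7", "path": "/search", "status": 200, "hashes": [f"u{i}"]})
     for i in range(3)]
    + [json.dumps({"ip": "198.51.100.9", "path": "/search", "status": 500 if i % 3 else 200,
                   "hashes": [f"p{i}"]}) for i in range(12)]
    + [json.dumps({"ip": "198.51.100.9", "path": "/list", "status": 200, "hashes": ["s0"]})
       for _ in range(10)]
)

def flag_probes(log_text, min_distinct=8, min_error_ratio=0.5):
    """Return [(ip, path, distinct_hashes, error_ratio)] for (ip, path) pairs whose
    distinct parameter-value hashes reach min_distinct while at least min_error_ratio
    of the responses were 4xx/5xx. Both thresholds are illustrative."""
    stats = defaultdict(lambda: {"hashes": set(), "total": 0, "errors": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        s = stats[(rec["ip"], rec["path"])]
        s["hashes"].update(rec["hashes"])   # distinct values, never the values themselves
        s["total"] += 1
        s["errors"] += rec["status"] >= 400
    flagged = []
    for (ip, path), s in stats.items():
        ratio = s["errors"] / s["total"]
        if len(s["hashes"]) >= min_distinct and ratio >= min_error_ratio:
            flagged.append((ip, path, len(s["hashes"]), round(ratio, 2)))
    return flagged

if __name__ == "__main__":
    for ip, path, distinct, ratio in flag_probes(SAMPLE_LOG):
        print(f"probe signature: {ip} on {path} ({distinct} distinct values, {ratio:.0%} errors)")
```

The two conditions have to hold together: many distinct values alone describes a legitimate search box, and many errors alone describes a broken client. The hashed values also mean the log never stores the payload itself, so the detection works without the log becoming a second place for secrets or injected strings to live.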
Further reading
  • Burp Repeater - manual request editing (PortSwigger)
  • How to find SQL injections (PortSwigger)
  • Bug bounty methodology - reconnaissance (HackTricks)
Key takeaways

What to remember

  • Recon first. A SQLi hunt without an endpoint map is a coin flip.
  • Pick the right probe for the right field type - string, integer, enum, JSON path.
  • Confirm every signal is deterministic and not application noise. A 12-byte length delta is not enough on its own.
  • Logging and byte-identical error responses are the two patterns that make a SQLi hard to find.

Knowledge check

  1. A sort parameter ?sort=name returns 200 with a 1,240-byte response. ?sort=name;-- returns 200 with a 1,240-byte response. Is this SQLi?

  2. You find a parameter that takes an integer. You send ?id=1 AND 1=1 and get 200. You send ?id=1 AND 1=2 and get 404. What is the next step?

  3. Why is "no signal" often a more important finding than a confirmed SQLi?