Insertion points define where in the HTTP request the payloads are injected. Each active profile specifies which insertion point types to test through the `InsertionPointType` array, which lists the numeric IDs from the tables below.

## Insertion Point Types

### Standard Parameters

| ID | Type | Description | Example |
|----|------|-------------|---------|
| 0 | URL parameter value | The value of a URL query parameter | `?id=PAYLOAD` |
| 1 | Body parameter value | The value of a POST body parameter | `username=PAYLOAD` |
| 2 | Cookie value | The value of a cookie | `Cookie: session=PAYLOAD` |
| 3 | URL parameter name | The name of a URL query parameter | `?PAYLOAD=value` |
| 4 | Body parameter name | The name of a POST body parameter | `PAYLOAD=value` |
| 5 | Entire body | The complete request body | `Body: PAYLOAD` |
### URL Path

| ID | Type | Description | Example |
|----|------|-------------|---------|
| 6 | URL path folder | A folder segment in the URL path | `/PAYLOAD/page.html` |
| 7 | URL path filename | The filename in the URL path | `/path/PAYLOAD` |
| 65 | Entire URL query string | The complete query string | `?PAYLOAD` |
| 66 | URL path | The full URL path | `/PAYLOAD` |
### Structured Data

| ID | Type | Description | Example |
|----|------|-------------|---------|
| 33 | JSON value | A value in a JSON body | `{"key": "PAYLOAD"}` |
| 34 | JSON key | A key name in a JSON body | `{"PAYLOAD": "value"}` |
| 35 | AMF value | A value in AMF (Action Message Format) data | `AMF parameter = PAYLOAD` |
| 36 | XML value | An element value in an XML body | `<tag>PAYLOAD</tag>` |
| 37 | XML attribute value | An attribute value in an XML body | `<tag attr="PAYLOAD">` |
| 38 | Multipart parameter value | A value in multipart form data | `Multipart field = PAYLOAD` |
### HTTP Headers

| ID | Type | Description |
|----|------|-------------|
| 64 | Header | Generic header insertion (uses `NewHeaders` to specify which headers) |
| 67 | User-Agent | The User-Agent header value |
| 68 | Referer | The Referer header value |
| 69 | Host | The Host header value |
| 70 | Content-Type | The Content-Type header value |
| 71 | Accept | The Accept header value |
| 72 | Accept-Language | The Accept-Language header value |
| 73 | Accept-Encoding | The Accept-Encoding header value |
| 74 | Origin | The Origin header value |
| 75 | X-Forwarded-For | The X-Forwarded-For header value |
| 76 | X-Forwarded-Host | The X-Forwarded-Host header value |
| 77 | X-Custom-IP-Authorization | The X-Custom-IP-Authorization header value |
| 78 | Custom header | A custom header defined in `NewHeaders` |
## Using Header Insertion Points

### Predefined Headers (IDs 67-77)

To inject payloads into specific HTTP headers, add the corresponding ID to `InsertionPointType`:

This tests the User-Agent, Referer, Origin, and X-Forwarded-For headers (IDs 67, 68, 74 and 75 in the table above).

### Generic Header (ID 64)

Use ID 64 together with the `NewHeaders` field to specify which headers to test:

- `NewHeaders` lists the header names
- `isHeaderValue: true` indicates that the payload replaces the header's value

### Custom Header (ID 78)

Use ID 78 to define a completely custom header:

The payload is set as the value of the custom header.
## Insertion Point Selection Guide

### XSS Testing

URL parameters, body parameters, path folders, JSON values.

### SQL Injection

URL parameters, body parameters, cookies, JSON values.

### SSRF / Open Redirect

URL parameters, body parameters, entire body, query string, headers.

URL parameters, body parameters, path folders, filename, full path.

### Broad Testing (All Common Points)
## Performance Considerations

The number of insertion points directly affects scan time:

- Fewer insertion points = faster scans, less noise
- More insertion points = broader coverage, more requests

**Best practice:** Select only the insertion points relevant to the vulnerability you're testing. For example, XSS profiles don't need to test cookie values, and header injection profiles don't need to test URL parameters.
## JSON Format Example

This profile tests: entire query string (65), body parameter value (1), URL path folder (6), entire body (5), headers (64), URL parameter value (0), URL parameter name (3), body parameter name (4).
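As an added helper that is not part of this documentation or the extension's own code, the script below transcribes the ID table above into a lookup, turns a profile's `InsertionPointType` list back into readable type names, and flags the two mistakes a profile reviewer most often trips over on this page: unknown or duplicated IDs, and ID 64/78 used without a `NewHeaders` entry. The profile field names come from the page; the exact shape of a `NewHeaders` entry (here a list of header names plus a top-level `isHeaderValue`) is an assumption, as is the sample profile, which is constructed to match the list in the JSON Format Example section.

```python
import json

# ID -> readable type, transcribed from the insertion point tables on this page.
INSERTION_POINT_TYPES = {
    0: "URL parameter value", 1: "Body parameter value", 2: "Cookie value",
    3: "URL parameter name", 4: "Body parameter name", 5: "Entire body",
    6: "URL path folder", 7: "URL path filename",
    33: "JSON value", 34: "JSON key", 35: "AMF value", 36: "XML value",
    37: "XML attribute value", 38: "Multipart parameter value",
    64: "Header", 65: "Entire URL query string", 66: "URL path",
    67: "User-Agent", 68: "Referer", 69: "Host", 70: "Content-Type",
    71: "Accept", 72: "Accept-Language", 73: "Accept-Encoding", 74: "Origin",
    75: "X-Forwarded-For", 76: "X-Forwarded-Host",
    77: "X-Custom-IP-Authorization", 78: "Custom header",
}
# Both of these rely on NewHeaders according to the page.
NEEDS_NEW_HEADERS = {64, 78}


def describe(profile: dict) -> list:
    """Map every ID in InsertionPointType to its readable type; unknown IDs are flagged."""
    ids = profile.get("InsertionPointType", [])
    return [INSERTION_POINT_TYPES.get(i, f"UNKNOWN({i})") for i in ids]


def lint(profile: dict) -> list:
    """Return a list of problems: unknown IDs, duplicate IDs, 64/78 without NewHeaders."""
    ids = profile.get("InsertionPointType", [])
    problems = [f"unknown insertion point id {i}" for i in ids
                if i not in INSERTION_POINT_TYPES]
    if len(set(ids)) != len(ids):
        problems.append("duplicate insertion point ids")
    if NEEDS_NEW_HEADERS & set(ids) and not profile.get("NewHeaders"):
        problems.append("id 64/78 present but NewHeaders is empty")
    return problems


# Constructed sample profile; field layout of NewHeaders/isHeaderValue is assumed.
SAMPLE_PROFILE = json.loads("""{
  "InsertionPointType": [65, 1, 6, 5, 64, 0, 3, 4],
  "NewHeaders": ["X-Forwarded-For"],
  "isHeaderValue": true
}""")

if __name__ == "__main__":
    print(describe(SAMPLE_PROFILE))
    print(lint(SAMPLE_PROFILE) or "profile OK")
```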