At times you may see the request body show up as =N/A= under the HTTP Info tab of a vulnerability. This can happen when the body of the request is opaque to our agent.
(example)
SQL Injection from Request Body on "/test/user/api/vulnEndpoint" page
POST /test/user/api/vulnEndpoint HTTP/1.0
X-Ws-Instance: routing_local
X-Forwarded-Proto: https
Host: localhost
X-Api-Token: 34567890poiuytdsdrtyuiopnbfer56uiokjhgfdrtyuiolkhgr567ujhfr56
X-Forwarded-Port: 443
Content-Type: application/json
X-Forwarded-For: 127.0.0.1
Content-Length: 105
X-Ruxit-Apache-Servernameports: localhost:443
Tracestate: a4067583-f1d1k1k1h1s2=az=cid-v1:326c1b24-cd4d-4cf9-b53a-53c85ec7549e
=N/A=
This is expected when the body comes from an object whose contents are not strictly defined (unlike, for example, a String). In the above example, the body would be derived from an InputStream, notably the ServletInputStream, which exhibits no contents until it is read.
[Creation] javax.servlet.ServletInputStream org.apache.catalina.connector.RequestFacade.getInputStream() --> org.apache.catalina.connector.CoyoteInputStream@at1232
[P2O] void org.glassfish.jersey.message.internal.EntityInputStream.<init>("org.apache.catalina.connector.CoyoteInputStream@at1232") --> org.glassfish.jersey.message.internal.EntityInputStream@6a123
[P2O] void org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream.<init>("org.glassfish.jersey.message.internal.EntityInputStream@6a123","com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider@e5f2ef09") --> org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@abc123
[P2O] void org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream.<init>("org.glassfish.jersey.message.internal.EntityInputStream@6a123","com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider@e5f2ef09","null") --> org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@abc123
[P2R] com.fasterxml.jackson.core.JsonParser com.fasterxml.jackson.core.JsonFactory.createParser("org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@6a123") --> com.fasterxml.jackson.core.json.UTF8StreamJsonParser@abc123
[O2R] java.lang.String com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText() --> groupLabel
As the InputStream is unread, we have no context as to the contents of the stream. We cannot read the stream ourselves, because InputStreams in Java may only be read once: any attempt to do so would prevent the application under instrumentation from reading the stream itself.
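An added illustration (not the agent's code and not from the original article) of the single-read behaviour described above, using plain java.io streams in place of the ServletInputStream: whoever drains the stream first gets the body, anyone reading afterwards sees nothing, and the only way for an observer and the application to both see the bytes is to capture them once into a buffer and hand each consumer its own view. The JSON body and its groupLabel value are constructed sample data.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class OnceOnlyStreamDemo {
    // Constructed sample request body; the key mirrors the getText() result in the trace above.
    static final byte[] BODY = "{\"groupLabel\":\"engineering\"}".getBytes(StandardCharsets.UTF_8);

    // Drains a stream to the end, exactly as a JSON parser or servlet would.
    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[256];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        return out.toByteArray();
    }

    static String asText(InputStream in) throws IOException {
        return new String(readAll(in), StandardCharsets.UTF_8);
    }

    // An observer (e.g. an agent) reads the raw stream first; the application then gets nothing.
    static String[] observerReadsFirst() throws IOException {
        InputStream request = new ByteArrayInputStream(BODY);
        String seenByObserver = asText(request); // consumes the one-shot stream
        String seenByApp = asText(request);      // stream is exhausted: ""
        return new String[] { seenByObserver, seenByApp };
    }

    // Hypothetical buffering wrapper: capture the bytes once, give every consumer a fresh stream.
    static final class CachedBody {
        private final byte[] bytes;
        CachedBody(InputStream raw) throws IOException { bytes = readAll(raw); }
        InputStream open() { return new ByteArrayInputStream(bytes); }
    }

    static String[] bothReadFromCache() throws IOException {
        CachedBody cached = new CachedBody(new ByteArrayInputStream(BODY));
        return new String[] { asText(cached.open()), asText(cached.open()) };
    }

    public static void main(String[] args) throws IOException {
        String[] raw = observerReadsFirst();
        System.out.println("raw stream  -> observer: " + raw[0] + " | app: '" + raw[1] + "'");
        String[] cached = bothReadFromCache();
        System.out.println("cached body -> observer: " + cached[0] + " | app: " + cached[1]);
    }
}
```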
In these situations it's best to use the Details tab to see what data was passed in and used without proper sanitization.