Cats

All Tests / Test 4152

Test Id

Test 4152

Test Trace Id

5635c0d7-50de-491b-930e-c38b31352cc5

Timestamp

Tue, 23 Jun 2026 21:33:50 GMT

Scenario

Send SSTI injection payload in field [direction]: [<%= 83*97 %>]

Expected Result

Should return 4XX

Result

error

Result Details

The following keywords were detected in the response which might suggest an error details leak: [forbidden]

Contract Path

/api/alerts

Fuzzer

SstiInjectionInStringFields

Full Request Path

https://qa-api.puk3p.online/api/alerts?severity=HIGH&protocol=UDP&sourceIp=194.209.17.30&size=20&from=2026-06-23T21%3A31%3A10.004547973Z&sortBy=timestamp&to=2026-06-23T21%3A31%3A10.004711556Z&page=0&deviceId=LSACEB&direction=%3C%25%3D%2083*97%20%25%3E

Http Method

get

Request Details

Payload

{
  "severity": "HIGH",
  "protocol": "UDP",
  "sourceIp": "194.209.17.30",
  "size": 20,
  "from": "2026-06-23T21:31:10.004547973Z",
  "sortBy": "timestamp",
  "to": "2026-06-23T21:31:10.004711556Z",
  "page": 0,
  "deviceId": "LSACEB",
  "direction": "<%= 83*97 %>"
}

Request Details

Headers

[
  {
    "key": "Accept",
    "value": "application/json"
  },
  {
    "key": "Content-Type",
    "value": "application/json"
  },
  {
    "key": "User-Agent",
    "value": "cats/13.8.1-SNAPSHOT (Test 4152 - SstiInjectionInStringFields)"
  },
  {
    "key": "X-Cats-Trace-Id",
    "value": "5635c0d7-50de-491b-930e-c38b31352cc5"
  }
]

Request Details

cURL

curl  -X GET \
     -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "User-Agent: cats/13.8.1-SNAPSHOT (Test 4152 - SstiInjectionInStringFields)" \
-H "X-Cats-Trace-Id: 5635c0d7-50de-491b-930e-c38b31352cc5" \
 \
      \
      https://qa-api.puk3p.online/api/alerts?severity=HIGH&protocol=UDP&sourceIp=194.209.17.30&size=20&from=2026-06-23T21%3A31%3A10.004547973Z&sortBy=timestamp&to=2026-06-23T21%3A31%3A10.004711556Z&page=0&deviceId=LSACEB&direction=%3C%25%3D%2083*97%20%25%3E

Response

{
  "responseCode": 403,
  "httpMethod": "GET",
  "responseTimeInMs": "174",
  "numberOfWordsInResponse": "1",
  "numberOfLinesInResponse": "1",
  "contentLengthInBytes": "94",
  "jsonBody": {
    "timestamp": "2026-06-23T21:33:50.300Z",
    "status": 403,
    "error": "Forbidden",
    "path": "/api/alerts"
  },
  "headers": [
    {
      "key": "cache-control",
      "value": "no-cache, no-store, max-age=0, must-revalidate"
    },
    {
      "key": "content-type",
      "value": "application/json"
    },
    {
      "key": "date",
      "value": "Tue, 23 Jun 2026 21:33:50 GMT"
    },
    {
      "key": "expires",
      "value": "0"
    },
    {
      "key": "pragma",
      "value": "no-cache"
    },
    {
      "key": "server",
      "value": "nginx/1.24.0 (Ubuntu)"
    },
    {
      "key": "strict-transport-security",
      "value": "max-age=31536000 ; includeSubDomains"
    },
    {
      "key": "vary",
      "value": "Origin"
    },
    {
      "key": "x-content-type-options",
      "value": "nosniff"
    },
    {
      "key": "x-frame-options",
      "value": "DENY"
    },
    {
      "key": "x-xss-protection",
      "value": "0"
    }
  ],
  "responseContentType": "application/json"
}

CATS Replay

cats replay Test4152