skills/crtvrffnrt/skills/pentest-input-protocol-manipulation

Input & Protocol Manipulation

Activation Triggers (Positive)

  • injection
  • payload mutation
  • parser confusion
  • method tampering
  • header smuggling
  • deserialization
  • request splitting

Exclusion Triggers (Negative)

  • idor
  • role escalation
  • workflow bypass
  • final reporting

Output Schema

  • Test matrix: vector, payload class, expected secure behavior, observed behavior
  • Validation state: hypothesis, confirmed, rejected
  • Minimal reproducible request set

Instructions

  1. Identify the parser or protocol boundary being tested before crafting payloads.
  2. Start with low-noise capability checks, then increase payload complexity only when signal appears.
  3. Compare positive and negative controls for every high-impact claim.
  4. Separate parser anomalies from exploitable security outcomes.
  5. Record exact request transformations required to reproduce behavior.
  6. Escalate to exploit execution only after deterministic primitive confirmation.

Should Do

  • Use structured payload families and deterministic sequencing.
  • Preserve request/response evidence with context and timing.
  • Keep tests bounded and reversible by default.

Should Not Do

  • Do not treat status-code differences alone as confirmed vulnerabilities.
  • Do not pivot into business logic or access-control verdicts without dedicated validation.
  • Do not overfit payload strategy to one stack without cross-checking parser behavior.
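
A sketch of a gate for the "Validation state" field, added here as an example and not part of the skill itself: a row is marked confirmed only when both controls exist, they differ by more than status code, the behavior repeats, and a reproducible request set is attached. The evidence fields, the MIN_REPEATS threshold, the rule that indistinguishable controls mean rejected, and the sample row are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Observation:
    """One recorded response (field choice is an assumption of this example)."""
    status: int
    body_sha256: str
    elapsed_ms: int

@dataclass
class MatrixRow:
    # The four test-matrix columns named under "Output Schema".
    vector: str
    payload_class: str
    expected_secure_behavior: str
    observed_behavior: str
    # Evidence fields below are assumptions of this example.
    positive: Optional[Observation] = None  # request carrying the transformation
    negative: Optional[Observation] = None  # same request without it
    repeat_matches: int = 0                 # reruns that reproduced `positive`
    repeat_total: int = 0
    repro_requests: list = field(default_factory=list)

MIN_REPEATS = 3  # assumed threshold for calling a behavior deterministic

def validation_state(row):
    """Return (state, blockers); state is hypothesis, confirmed or rejected."""
    if row.positive is None or row.negative is None:
        return "hypothesis", ["missing positive or negative control"]
    same_body = row.positive.body_sha256 == row.negative.body_sha256
    same_status = row.positive.status == row.negative.status
    if same_body and same_status:
        # Assumed rule: no observable difference between controls means no finding.
        return "rejected", ["controls are indistinguishable"]
    blockers = []
    if same_body:
        blockers.append("status-code difference alone")
    if row.repeat_total < MIN_REPEATS or row.repeat_matches != row.repeat_total:
        blockers.append("behavior not shown to be deterministic")
    if not row.repro_requests:
        blockers.append("no minimal reproducible request set")
    return ("hypothesis" if blockers else "confirmed"), blockers

# Constructed sample row: the two controls differ only in status code.
SAMPLE = MatrixRow("request header", "method tampering", "405, body unchanged",
                   "501 returned", Observation(501, "ab12", 40),
                   Observation(405, "ab12", 38), 3, 3, ["req-01.txt"])
```
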
First Seen: Feb 19, 2026