Support for DELETE http method

[harshkolhatkar]

I want to test for nosql injection for a delete method to a specific endpoint. Since the delete request has no payload, nosqli exits as 'unexpected EOF' when I load the request template using -r flag. Here is the template that I'm using,

DELETE /path/to/endpoint/id HTTP/1.1
Host: my.hostname.com
Cookie: token=some_token
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Origin: my.hostname.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: my.hostname.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

I want to test for injection in /path/to/endpoint/payload.

Is this currently possible? If yes, how?

[Charlie-belmer]

This is an interesting use case I haven't tried yet. Will the DELETE method actually remove that ID?

It's likely that fuzzing this kind of endpoint will delete the ID in the case of no injection, and in the case of some tests, may delete all data (if we assume something like [$ne]/id works).

Two things:

• Try adding 2 blank lines at the end of the file
• I haven't written support for arguments written as paths (which is what this looks like, where the url is re-written from ?id=1 to path/id/1)

[harshkolhatkar]

Yeah with the DELETE method, the API deletes the resources from the database. I tried adding 2 blank lines at the end of the template, what nosqli does is appends payloads to the request. It does not tamper with the id in the URL.