Merge branch 'master' of https://github.com/carlospolop/hacktricks

Author: carlospolop

src/pentesting-web/rsql-injection.md

@@ -460,9 +460,14 @@ Access-Control-Allow-Origin: *
             "translationKey": "general.configuration",
             "type": "FunctionalityPermissionDTO"
         }, {
-            .......
+            ....
+        }]
+    }
+}
 ```
 
+
+
 ## Impersonate or Insecure Direct Object References (IDOR)
 In addition to the use of the `filter` parameter, it is possible to use other parameters such as `include` which allows to include in the result certain parameters (e.g. language, country, password...).
 
@@ -476,7 +481,7 @@ Accept: application/vnd.api+json
 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate, br, zstd
 Content-Type: application/vnd.api+json
-Authorization: Bearer eyJ......
+Authorization: Bearer eyJ...
 Origin: https://localhost:3000
 Connection: keep-alive
 Referer: https://localhost:3000/
@@ -531,7 +536,7 @@ Accept: application/vnd.api+json
 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate, br, zstd
 Content-Type: application/vnd.api+json
-Authorization: Bearer eyJ....
+Authorization: Bearer eyJ...
 Origin: https://localhost:3000
 Connection: keep-alive
 Referer: https://localhost:3000/
@@ -576,8 +581,31 @@ Access-Control-Allow-Origin: *
 }
 ```
 
+
+## Detection & fuzzing quickwins
+- Check for RSQL support by sending harmless probes like `?filter=id==test`, `?q==test` or malformed operators `=foo=`; verbose APIs often leak parser errors ("Unknown operator" / "Unknown property").
+- Many implementations double-parse URL parameters; try double-encoding `(`, `)`, `*`, `;` (e.g., `%2528admin%2529`) to bypass naive blocklists and WAFs.
+- Boolean exfil with wildcards: `filter[users]=email==*%@example.com;status==ACTIVE` and flip logic with `,` (OR) to compare response sizes.
+- Range/proximity leaks: `filter[users]=createdAt=rng=(2024-01-01,2025-01-01)` quickly enumerates by year without knowing exact IDs.
+
+## Framework-specific abuse (Elide / JPA Specification / JSON:API)
+- Elide and many Spring Data REST projects translate RSQL directly to JPA Criteria. When developers add custom operators (e.g., `=ilike=`) and build predicates via string concatenation instead of prepared parameters, you can pivot to SQLi (classic payload: `name=ilike='%%' OR 1=1--'`).
+- Elide analytic data store accepts parameterized columns; combining user-controlled analytic params with RSQL filters was the root cause of SQLi in CVE-2022-24827. Even if patched versions parameterize correctly, similar bespoke code often remains—hunt for `@JoinFilter`/`@ReadPermission` SpEL expressions containing `${}` and try injecting `';sleep(5);'` or logical tautologies.
+- JSON:API backends commonly expose both `include` and `filter`. Filtering on related resources `filter[orders]=customer.email==*admin*` may bypass top-level ACLs because relation-level filters execute before ownership checks.
+
+## Automation helpers
+- **rsql-parser CLI (Java)**: `java -jar rsql-parser.jar "name=='*admin*';status==ACTIVE"` validates payloads locally and shows the abstract syntax tree—useful to craft balanced parentheses and custom operators.
+- **Python quick builder**: 
+```python
+from pyrsql import RSQL
+payload = RSQL().and_("email==*admin*", "status==ACTIVE").or_("role=in=(owner,admin)")
+print(str(payload))
+```
+- Pair with HTTP fuzzer (ffuf, turbo-intruder) by iterating wildcard positions `*a*`, `*e*`, etc., inside `=in=` lists to enumerate IDs and emails quickly.
+
 ## References
 - [RSQL Injection](https://owasp.org/www-community/attacks/RSQL_Injection)
 - [RSQL Injection Exploitation](https://m3n0sd0n4ld.github.io/patoHackventuras/rsql_injection_exploitation)
+- [Elide filtering & security considerations](https://elide.io/pages/guide/03-analytics.html)
 
 {{#include ../banners/hacktricks-training.md}}