qsinject on offsec.tools


Allows you to quickly substitute query string values with regex matches, one-at-a-time.

Injections are done one-at-a-time for URLs with multiple query strings to ensure requests aren't broken if certain parameters are relied on. URLs that don't have query strings will be ignored.

qsinject has 2 modes:
- Dumb mode will allow you to pass in a simple comma separated list of injections that will inject each query string value, one-at-a-time
- Regex mode will allow you to define rules and only replace a query string value if it matches the defined regex

As a side-benefit, qsinject does deduplication to remove duplicates of the same URL and query string keys (with only differing values)