Mutators¶
Request Body JSON Mutator¶
key: request.body.json
Use this mutator to transform the JSON body of the request using JQ queries.
Transformation Language: JQ (see https://stedolan.github.io/jq/manual/)
Basic Transformation¶
transform:
  trigger:
    - if: request.body.json
      jq: '.role != null'
  mutate:
    - key: request.body.json
      jq: '. | .role = "admin"'
Add/Modify Fields¶
Remove Fields¶
Extract/Restructure¶
Common Use Cases¶
- Inject privileged flags (is_admin, role)
- Remove authentication tokens
- Modify user IDs for IDOR testing
- Transform nested structures
- Add/remove fields for validation bypass
Typical Pattern: Privilege Injection¶
transform:
  trigger:
    - if: request.body.json
      jq: '.role == "user"'
    - if: helpers.response.is_successful
      is: true
  mutate:
    - key: request.body.json
      jq: '. | .role = "admin" | .is_superuser = true'
detect:
  - if: helpers.response.is_successful
    is: true
alert:
  name: Privilege Escalation via JSON Injection
  severity: HIGH
Tip: Test your JQ queries at https://jqplay.org/ before using them.
Properties¶
- use_extraction: If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing.
- jq: JQ query to apply to the JSON body. See https://stedolan.github.io/jq/manual/
Request Body Text Mutator¶
key: request.body.text
You can use this mutator to change the body (as text) of the request before resending it.
Example¶
transform:
  trigger:
    - if: request.body.text
      contains: 'hello'
  mutate:
    - key: request.body.text
      values:
        - 'injection 1'
        - 'injection 2'
        - 'injection 3'
Properties¶
- use_extraction: If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing.
- value: The value to set.
- values: The values to set; generates one query per value.
- regex_replace: Regex replace pattern.
Request Headers Mutator¶
key: request.headers
You can use this mutator to change the headers of the request before resending it.
Example¶
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.headers
      name: X-API-version
      value: 'APIV2'
Properties¶
- use_extraction: If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing.
- value: The value to set.
- values: The values to set; generates one query per value.
- regex_replace: Regex replace pattern.
- name: The header name to match; supports regex.
- delete: Delete the matched headers.
Request Object Mutator¶
key: request.object
Use this mutator to act on the object scalars detected in the request (including custom scalars). Each scalar is exposed with its kind, name and value, so you can select the ones to rewrite and apply a mutation only to them.
Example¶
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.object
      select:
        type:
          is: email
        name:
          is: 'admin_email'
        value:
          regex: .*@escape.tech
      mutate:
        regex_replace:
          pattern: (.*)@escape.tech
          replacement: \1@attacker.com
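To make the select-then-rewrite semantics of the rule above concrete, here is an added Python example (not the scanner's code or any code from this page) that walks a constructed JSON body, classifies each scalar, keeps only those matching every select clause, and applies the regex replacement. The email detection is an assumption for illustration; the real scanner derives scalar kinds from the schema. The names SAMPLE_BODY, PAGE_SELECT, PAGE_REPLACE, walk_scalars and mutate_object are all invented here.

```python
import copy
import re

# Constructed sample request body (added example, not from the page).
SAMPLE_BODY = {
    "account": {"admin_email": "ops@escape.tech", "display_name": "Ops"},
    "contacts": [{"email": "user@escape.tech"}, {"email": "bob@example.org"}],
    "admin_email": "root@escape.tech",
}

# The page's rule, expressed as data: which scalars to select, how to rewrite them.
PAGE_SELECT = {"type": {"is": "email"}, "name": {"is": "admin_email"},
               "value": {"regex": r".*@escape.tech"}}
PAGE_REPLACE = {"pattern": r"(.*)@escape.tech", "replacement": r"\1@attacker.com"}

# Assumption: the scanner infers scalar kinds (including custom scalars) from the
# schema. Here an "email" is simply a string that looks like one.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def scalar_kind(value):
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "email" if EMAIL_RE.match(value) else "string"
    return "other"


def walk_scalars(node, path=()):
    """Yield (path, kind, name, value) for every scalar in a JSON document.
    `name` is the nearest enclosing object key, which is what `name:` selects on."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_scalars(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk_scalars(child, path + (index,))
    else:
        name = next((p for p in reversed(path) if isinstance(p, str)), "")
        yield path, scalar_kind(node), name, node


def _set_at(root, path, value):
    node = root
    for step in path[:-1]:
        node = node[step]
    node[path[-1]] = value


def mutate_object(body, select, regex_replace):
    """Apply a request.object style rule: keep scalars matching every `select`
    clause and rewrite their value with `regex_replace`. Returns (new_body, hits).
    The value regex is applied with re.search (an assumption; unanchored)."""
    out = copy.deepcopy(body)
    pattern = re.compile(regex_replace["pattern"])
    hits = 0
    for path, kind, name, value in list(walk_scalars(out)):
        if "type" in select and kind != select["type"]["is"]:
            continue
        if "name" in select and name != select["name"]["is"]:
            continue
        if "value" in select and not re.search(select["value"]["regex"], str(value)):
            continue
        _set_at(out, path, pattern.sub(regex_replace["replacement"], str(value)))
        hits += 1
    return out, hits


def run_page_rule(body=SAMPLE_BODY):
    """Run the page's select/regex_replace rule against the constructed body."""
    return mutate_object(body, PAGE_SELECT, PAGE_REPLACE)


if __name__ == "__main__":
    mutated, hits = run_page_rule()
    print(hits, mutated)
```

Only the two `admin_email` scalars are rewritten; `contacts[0].email` has the right kind and value but the wrong name, so it is left alone. Note that `.` in the page's regexes is unescaped and the pattern is unanchored, so a value such as `x@escape.tech.evil` is also selected and rewritten; anchor the pattern (`^(.*)@escape\.tech$`) when you intend an exact domain match.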
Request User Mutator¶
key: request.user
Use this mutator to change the authenticated user of the request before resending it.
User Values: Must match user names from your scan authentication configuration.
Change User¶
Remove Authentication¶
transform:
  trigger:
    - if: request.is_authenticated
      is: true
  mutate:
    - key: request.user
      drop_user: true
Test Multiple Users (Fuzzing)¶
transform:
  trigger:
    - if: helpers.response.is_successful
      is: true
  mutate:
    - key: request.user
      values: [admin, moderator, superuser]
Common Use Cases¶
- Test privilege escalation vulnerabilities
- Verify authorization checks are enforced
- Test horizontal authorization (user A accessing user B's data)
- Remove authentication to test unauthenticated access
Typical Pattern: Privilege Escalation Test¶
transform:
  trigger:
    - if: request.user
      is: regular_user
    - if: helpers.response.is_successful
      is: true
  mutate:
    - key: request.user
      value: admin
detect:
  - if: helpers.response.is_successful
    is: true
  - if: helpers.fingerprints.same
    is: false # Response changed when replayed as admin
alert:
  name: Privilege Escalation
  context: Regular user got different response when replayed as admin
  severity: CRITICAL
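The two "Typical Pattern" rules on this page (privilege injection through request.body.json, and the request.user swap above) share the same mechanics: send a baseline request, replay a mutated copy, then evaluate `helpers.response.is_successful` and `helpers.fingerprints.same` on the replayed response. The following added Python example (not the scanner's code or any code from this page) implements that loop against a constructed, deliberately vulnerable handler that trusts `role`/`is_superuser` from the body, and a hardened variant. The handler, the USERS table, `fingerprint` as a SHA-256 of the normalised body, and the `strict` flag are all assumptions made for the example.

```python
import copy
import hashlib
import json

# Constructed stand-in for the scanned application (added example, not the
# page's or the scanner's code). The users mirror names you would declare in
# the scan's authentication configuration.
USERS = {"regular_user": {"id": 7, "role": "user"}, "admin": {"id": 1, "role": "admin"}}


def vulnerable_handler(request):
    """request = {"user": <configured user name or None>, "body": <dict>}.
    Returns (status, json_body). Bug: the client-supplied role wins (mass assignment)."""
    if request["user"] is None:
        return 401, {"error": "authentication required"}
    profile = dict(USERS[request["user"]])
    body = request["body"]
    if "role" in body:
        profile["role"] = body["role"]
    if body.get("is_superuser") is True:
        profile["role"] = "admin"
    if profile["role"] == "admin":
        return 200, {"id": profile["id"], "role": "admin", "audit_log": ["login:alice"]}
    return 200, {"id": profile["id"], "role": profile["role"]}


def hardened_handler(request):
    """Same endpoint with the server-side role enforced; body fields are ignored."""
    if request["user"] is None:
        return 401, {"error": "authentication required"}
    profile = USERS[request["user"]]
    if profile["role"] == "admin":
        return 200, {"id": profile["id"], "role": "admin", "audit_log": ["login:alice"]}
    return 200, {"id": profile["id"], "role": profile["role"]}


def is_successful(status):            # helpers.response.is_successful
    return 200 <= status < 300


def fingerprint(body):                # helpers.fingerprints: digest of the normalised body
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def apply_mutation(request, key, change):
    """Return a mutated copy of `request`, mirroring the page's `mutate:` entries.
    For request.body.json, `change["set"]` holds the fields the jq filter assigns."""
    new = copy.deepcopy(request)
    if key == "request.body.json":
        new["body"].update(change["set"])
    elif key == "request.user":
        new["user"] = None if change.get("drop_user") else change["value"]
    else:
        raise ValueError(f"unsupported mutator key: {key}")
    return new


# The page's two typical patterns as data:
# (alert name, mutator key, change, detect also requires fingerprints.same == false).
PAGE_RULES = [
    ("Privilege Escalation via JSON Injection", "request.body.json",
     {"set": {"role": "admin", "is_superuser": True}}, False),
    ("Privilege Escalation", "request.user", {"value": "admin"}, True),
]


def run_rules(handler, baseline, rules=PAGE_RULES, strict=False):
    """Replay `baseline` through each rule and return the alert names raised.
    strict=True makes every rule also require a changed fingerprint, which the
    page's JSON-injection pattern does not ask for on its own."""
    status0, body0 = handler(baseline)
    if baseline["user"] is None or not is_successful(status0):
        return []                      # trigger: authenticated, successful baseline
    alerts = []
    for name, key, change, need_change in rules:
        status, body = handler(apply_mutation(baseline, key, change))
        if not is_successful(status):
            continue
        if (need_change or strict) and fingerprint(body) == fingerprint(body0):
            continue
        alerts.append(name)
    return alerts


BASELINE = {"user": "regular_user", "body": {"role": "user", "name": "alice"}}

if __name__ == "__main__":
    print(run_rules(vulnerable_handler, BASELINE))
    print(run_rules(hardened_handler, BASELINE))
    print(run_rules(hardened_handler, BASELINE, strict=True))
```

Against the vulnerable handler both alerts fire, as intended. Against the hardened handler the JSON-injection alert still fires, because that pattern's `detect:` only checks for a 2xx and the endpoint returns 2xx whether or not it honoured the injected field; adding a `helpers.fingerprints.same: false` condition (the `strict` run) removes that false positive. The request.user pattern fires whenever the admin replay differs from the baseline, so expect it to flag endpoints where an admin legitimately sees more; treat it as a lead to triage rather than a confirmed finding.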
Properties¶
- use_extraction: If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing.
- value: The value to set.
- values: The values to set; generates one query per value.
- regex_replace: Regex replace pattern.
- drop_user: Remove the user authentication from the request.
Schema URL Mutator¶
key: schema.url
You can use this mutator to change the URL of the request before resending it.
Example¶
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: schema.url
      mutate:
        value: '/api/v2/'
Properties¶
- use_extraction: If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing.
- value: The value to set.
- values: The values to set; generates one query per value.
- regex_replace: Regex replace pattern.
Schema Path Reference Mutator¶
key: schema.path_ref
You can use this mutator to change the operation name in GraphQL or the path in REST (keeping the domain) before resending it.
Example¶
transform:
  trigger:
    - if: schema.path_ref
      is: '/api/v1/tested/route'
  mutate:
    - key: schema.path_ref
      mutate:
        value: '/api/v2/tested/route'
Properties¶
- use_extraction: If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing.
- value: The value to set.
- values: The values to set; generates one query per value.
- regex_replace: Regex replace pattern.