Goal:
Test if login forms can be exploited via tampered inputs (SQLi, XSS, long strings).
Steps:
Open the login page: https://www.drishya.fun
Open DevTools → Network tab (Right-click → Inspect)
Submit the login form with dummy credentials (e.g., fake email and password)
Find the login request in the Network tab (likely named signin)
Right-click → Copy → Copy as cURL
Open your terminal and paste the copied curl command
Modify the -d (data) field to test different inputs. For example:
(Do not paste this into a browser)
curl -X POST https://www.drishya.fun/api/auth/signin -H "Content-Type: application/json" -d '{"email":"admin@drishya.fun","password":"123456"}'
Now Test These Inputs:
Long string:
"password": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SQL Injection:
"password": "' OR '1'='1"
XSS Payload:
"email": "<script>alert('XSS')</script>"
Observe the Server Response:
Any error messages?
Any JavaScript executed?
Was the login accepted despite the payload?
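What a correct server response to those three inputs looks like, as an added example (not code from the original page and not the site's own /api/auth/signin): a hypothetical JSON sign-in handler that bounds input length, validates the email, returns one generic error whatever the reason, and passes the SQL-shaped password to the database only as a bound parameter. The handler name, the limits and the $1 placeholder style are assumptions.

```javascript
// Hypothetical sign-in handler (added example, not the site's code).
const MAX_EMAIL = 254;     // RFC 5321 upper bound for an address
const MAX_PASSWORD = 128;  // assumed limit; bcrypt ignores bytes past 72 anyway
const EMAIL_RE = /^[^\s@<>'"]+@[^\s@<>'"]+\.[^\s@<>'"]+$/;

// Parse and validate the raw request body. Returns { ok: true, email, password }
// or { ok: false, reason } where `reason` is an internal code for the server log.
function validateSignin(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (_err) {
    return { ok: false, reason: "malformed_json" };
  }
  if (typeof body !== "object" || body === null) {
    return { ok: false, reason: "not_object" };
  }
  const { email, password } = body;
  if (typeof email !== "string" || typeof password !== "string") {
    return { ok: false, reason: "wrong_type" };
  }
  // Length limits come first so every later step (and the password hash) sees bounded input.
  if (email.length > MAX_EMAIL || password.length > MAX_PASSWORD) {
    return { ok: false, reason: "too_long" };
  }
  // Reject anything that is not address-shaped; this also drops the <script> case,
  // which otherwise must be HTML-encoded wherever the email is later rendered.
  if (!EMAIL_RE.test(email)) {
    return { ok: false, reason: "bad_email" };
  }
  return { ok: true, email: email.toLowerCase(), password };
}

// Client-facing result: never reveals which check failed or whether the account exists.
// The internal reason is returned separately so it can go to the server log only.
function handleSignin(rawBody) {
  const v = validateSignin(rawBody);
  if (!v.ok) {
    return { rejected: true, status: 400, body: { error: "Invalid email or password" }, log: v.reason };
  }
  // Parameterized lookup (node-postgres style, assumed): the email is bound as $1 and the
  // password never enters SQL at all, so a value like ' OR '1'='1 is just a string to hash-compare.
  const query = { text: "SELECT id, password_hash FROM users WHERE email = $1", values: [v.email] };
  return { rejected: false, query, password: v.password, log: "validated" };
}
```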