DEFINITELY DEFINITELY DEFINITELY recommend installing a local copy of whatever you find and testing your own payloads on it (as some others have mentioned).
It also helps to read what the bad characters are (I think I wasted an hour or two wonderin…
Any decent medium/large wordlist will probably work. The key is knowing how to arrange your testing so that you can differentiate between normal activity and any filtering that occurs when the appropriate parameter is sent.
And I learned the hard way that a script I wrote as a workaround for the msf/ruby issue was also giving false negatives :angry: (meaning correct credentials weren't read correctly).
So, compound issues for me. More pain = best learning.
So far the biggest takeaway from this one and a few others is: if I find myself really going down the rabbit hole searching for the answer... I'm probably being snagged on something minute or minor in the process of doing something. In my circumstan…
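The "read what the bad characters are" advice above boils down to a mechanical comparison: send every byte value through the target, read the buffer back from the debugger, and see which bytes were dropped, replaced, or terminated the copy. The script below is an added example (it is not code from any of the posters, nor from msf) that does that comparison. The memory dump is constructed inline to stand in for the bytes you would paste from the debugger at the address where the payload landed; `find_bad_chars` and `badchar_string` are names chosen for this example.

```python
"""Bad-character detection for overflow payloads (added example).

Workflow: send badchar_string() inside the payload, dump the same number of
bytes from memory where it landed, then call find_bad_chars(sent, dump).
A byte that terminates the copy hides every byte after it, so repeat the
round with the known-bad bytes excluded until no new bad bytes turn up.
"""
from typing import List, Tuple


def badchar_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte value 0x00-0xff except those in `exclude`.

    0x00 is excluded by default: it terminates C strings and is almost
    always bad, so testing it just truncates the whole probe.
    """
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent: bytes, dump: bytes) -> Tuple[List[int], bool]:
    """Compare the bytes sent with the bytes read back from memory.

    Returns (bad_bytes, truncated).
      - replaced: dump shows a different value at the same position
      - dropped:  dump continues with the *next* sent byte
      - truncated: dump ends early, so the byte at that position is treated
        as the one that terminated the copy; later bytes are untested.
    The dump must cover at least as many bytes as were sent, otherwise a
    short debugger read is misreported as truncation.
    """
    bad: List[int] = []
    i = j = 0
    while i < len(sent):
        if j >= len(dump):
            bad.append(sent[i])          # copy stopped here
            return bad, True
        if dump[j] == sent[i]:
            i += 1
            j += 1
            continue
        bad.append(sent[i])
        if i + 1 < len(sent) and dump[j] == sent[i + 1]:
            i += 1                       # byte was dropped; dump did not advance
        else:
            i += 1                       # byte was replaced; both advance
            j += 1
    return bad, False


def next_round(exclude: bytes, bad: List[int]) -> bytes:
    """Probe string for the next iteration with newly found bad bytes removed."""
    return badchar_string(exclude + bytes(bad))


if __name__ == "__main__":
    sent = badchar_string()
    # Constructed dump for the demo: the target dropped 0x0a and turned 0x0d
    # into a space, which is typical of a line-oriented text protocol.
    dump = sent.replace(b"\x0a", b"").replace(b"\x0d", b"\x20")
    bad, truncated = find_bad_chars(sent, dump)
    print("bad bytes:", [hex(b) for b in bad], "truncated:", truncated)
    print("next probe length:", len(next_round(b"\x00", bad)))
```

Run one round per suspected bad byte class rather than trusting a single pass: a truncating byte such as 0x0a in a line-based service masks every byte after it, which is exactly the kind of "minute or minor" snag the posts above describe.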