loading
loading
Utilities
Accept URLs on stdin and replace every query-string value with a supplied value.
overview
qsreplace reads a list of URLs and rewrites every query-string value to a value you choose. That turns crawled URLs into ready-made injection candidates: swap each parameter value for a marker like FUZZ, an XSS probe, or a path-traversal string without hand-editing.
It collapses URLs that differ only in parameter values down to unique shapes worth testing. Append mode (-a) adds to existing values instead of overwriting them, which keeps context the application still expects while attaching a payload.
On Trickest it is a Utilities node that takes a URL list and a replacement value, and writes a file and a folder of results. Slot it between a URL-gathering stage and a vulnerability tester so the tester receives payload-injected, deduplicated URLs.
use cases
Replace each query-string value with an XSS or SQLi probe so crawled URLs arrive at the testing stage already carrying the payload.
Collapse URLs that differ only in their values down to the unique parameter sets, so a fuzzing run tests each shape once instead of thousands of near-duplicates.
Use -a to add a marker to current parameter values rather than overwriting them, preserving context the application expects.
Emit FUZZ (or a tool-specific marker) into every value, then hand the list to wfuzz, ffuf, or an XSS scanner.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url-list | FILE | · | File of URLs to rewrite (stdin equivalent on the CLI). |
| replace-query-param | STRING | · | User-supplied value that replaces every query-string value. |
| append-to-query-param | STRING | -a | Append to query-string values instead of replacing them (-a). |
| each-param-combination | BOOLEAN | -a | Only output each parameter combination. |
Showing key inputs. qsreplace exposes 4 inputs in total.
example
# replace every query value with an XSS probecat urls.txt | qsreplace '"><script>alert(1)</script>'https://example.com/search?q="><script>alert(1)</script>&lang="><script>alert(1)</script>https://example.com/product?id="><script>alert(1)</script>https://example.com/redirect?next="><script>alert(1)</script>https://app.example.com/api?user="><script>alert(1)</script>&ref="><script>alert(1)</script>https://example.com/login?returnUrl="><script>alert(1)</script>https://example.com/blog?page="><script>alert(1)</script>&sort="><script>alert(1)</script>guidance
Use qsreplace to prepare crawled URLs for injection testing by swapping every parameter value for a payload and deduplicating the result. It rewrites URLs, it does not test them, so feed its output to a tester like dalfox, kxss, or sqlmap.
Decomposes URLs into parts. Use it to extract or analyse components; qsreplace specifically rewrites values.
Greps URLs for interesting patterns. Run it before qsreplace to select the URLs worth injecting.
Appends only unique lines. Complements qsreplace's own deduplication when merging URL sets.
faq
related
Import, export, and link workflow data with Airtable.
Decode Android APK files into smali sources and resources.
Check a file's values against conditions and exit with a matching code.
Extract all hosted zones from AWS Route53.
Output file lines by batch size, given START_LINE and END_LINE.
Extract a batch range from a file's lines or a folder's files, with parallel processing.
Crawled URLs feed qsreplace, which injects a payload into every parameter and deduplicates them for dalfox to test before the findings land as output.
Facts on this page come from the live Trickest tool library.