I am testing my own flask application that should be vulnerable.
I am using this in SQlmap:
sqlmap -u "https://test.heroku.com/checkusername/student*"
but the requests with payloads I am receiving contain student+payload. I think it's not working for this reason.
sqlmap -u "https://test.heroku.com/checkusername/*"
but got 404 and the test ended.
Do you know how to deal with this?
Example of request I got
Sqlmap will deploy the payload on your custom marked location, so in your example, sqlmap performs as expected. According to the documentation, your first command seems correct for marking the URI injection point. It will attempt a lot of payloads, some of which will be added after 'student'. For SQL injection, this is generally not a problem.
It might be easier for your tests to let the application work with GET parameters, such sqlmap could be deployed without custom marker. For example:
sqlmap -u "https://test.heroku.com/checkusername?username=student"
External links referenced by this document: