Closed 0xInfection closed 5 years ago
Post the latest update, the scan runs further now, but when doing the Cookie Persistence Validation it throws this error. Tested this on 2/3 websites:
Traceback (most recent call last):
  File "xsrfprobe.py", line 13, in <module>
    main.Engine() # start the Scanner Engine ;)
  File "/root/PenTest/Audit/XSRFProbe/core/main.py", line 143, in Engine
    Cookie(url, r1)
  File "/root/PenTest/Audit/XSRFProbe/modules/Cookie.py", line 33, in Cookie
    Persistence(url, request)
  File "/root/PenTest/Audit/XSRFProbe/modules/Persistence.py", line 122, in Persistence
    VulnLogger(url, 'Persistent Session Cookies Found.', '[i] Cookie: '+req.headers.get('Set-Cookie'))
TypeError: must be str, not NoneType
Not sure, if this is a separate issue or related.
Hi there, can you give me the sites you used? Cause I am really not able to reproduce the error. If it's sensitive, email me via the email address on my profile. :)
Oh and btw, please open another issue for this, since it is some website-specific issue; some users might find it helpful as another issue.
> Hi there, can you give me the sites you used? Cause I am really not able to reproduce the error. If it's sensitive, email me via the email address on my profile. :)
Won't be able to share the sites as they are my clients and it'll not be ethical.
Alright. If you are unable to give the site, it's fine. However then I'd have to pass this as not-applicable and non-reproducible, since I am unable to reproduce the error.
However from the looks of the error, I can pretty much say your target isn't responding well. The function `Persistence()` calls the `Get()` function, which makes a GET request to the site. It returns with a valid set of headers if the target responds, or with `NoneType` if the target response is blank. That's all I can tell you about this.
Let me know if you have any other queries.
> Won't be able to share the sites as they are my clients and it'll not be ethical.
@sumgro do you think open-source developers like @0xInfection would unethically abuse your client site? You're running a toolkit entirely developed by him and only himself. Look at his contributions! He is contributing tools that help in identifying bugs and securing websites and here you're afraid that he'll unethically abuse your site! Your concept is entirely lame and pathetic, isn't it?
Plus he is so considerate that he even asked you to share your testing site privately via his email. Afaik, other devs won't even care to lend you an ear.
@iDuronto the reason for not sharing the client's website is not about me trusting @0xInfection, it's more about my client's trust in me not to share his details without his approval. I would not want to give out details since they are not part of the agreement with the client.
I really appreciate @0xInfection for his contributions and dedication without any doubts.
Hope you'd understand my point...
Describe the bug
Connection Aborted / Connection Refused.
Command You Used
It can be reproduced by any command when the site is unresponsive.
Full Stack Trace Error
Potential cause or fix
PR #21 fixes it.
Environment:
Some Questions
`pip3` instead of `pip`.
Other stuff
The site is unresponsive; however, the bug should be handled properly, which it isn't. So this is a bug, as pointed out by @sumgro in #17.
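As an added example (not XSRFProbe's own code, and not posted by anyone in this thread), the Python sketch below shows both points raised above: the `TypeError` in the first comment comes from concatenating `'[i] Cookie: '` with `headers.get('Set-Cookie')` when that header is absent from a blank response, and the "Other stuff" note wants a refused or aborted connection reported instead of propagated up as a crash. The names `get_headers`, `persistence_finding` and `scan` are hypothetical stand-ins for the project's `Get()`, `Persistence()` and `VulnLogger()`; the sample headers and the refused-connection fetcher are constructed inline so the block runs offline; and treating a cookie as persistent when it carries `Expires` or `Max-Age` is an assumption about what the module's check means.

```python
"""Added example, not XSRFProbe code: handle a blank response (no Set-Cookie)
and a refused/aborted connection without crashing the scanner."""
from urllib.request import urlopen

# Constructed sample responses (not captured from any real site).
SAMPLE_PERSISTENT = {
    'Set-Cookie': 'sessionid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; HttpOnly'
}
SAMPLE_SESSION = {'Set-Cookie': 'sessionid=abc123; Path=/; HttpOnly'}
SAMPLE_BLANK = {}  # the "blank" response described in the thread: no headers at all

UNRESPONSIVE = 'target unresponsive, skipping cookie persistence check'
NO_FINDING = 'no persistent cookies'


def refused_fetch(url):
    """Constructed fetcher standing in for a target that refuses connections."""
    raise ConnectionRefusedError(111, 'Connection refused')


def get_headers(url, fetch=None, timeout=10):
    """Hypothetical stand-in for Get(): return the response headers (anything
    with a case-insensitive .get(), e.g. http.client.HTTPMessage or a dict),
    or None when the connection is refused, reset, aborted or times out.
    All of those surface as OSError subclasses from urllib; a malformed URL
    raises ValueError."""
    if fetch is None:
        fetch = lambda u: urlopen(u, timeout=timeout).headers
    try:
        return fetch(url)
    except (OSError, ValueError):
        return None


def is_persistent(set_cookie):
    """Assumption: a cookie is 'persistent' (survives the browser session)
    when the Set-Cookie value carries an Expires or Max-Age attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(';')[1:]]
    return any(a.startswith(('expires=', 'max-age=')) for a in attrs)


def persistence_finding_buggy(headers):
    """Reproduces the crash from the traceback: headers.get() returns None
    when Set-Cookie is absent, and str + None raises TypeError."""
    return '[i] Cookie: ' + headers.get('Set-Cookie')


def persistence_finding(headers):
    """Hardened version: the log line for a persistent cookie, or None when
    the header is missing or the cookie is session-only."""
    cookie = headers.get('Set-Cookie')
    if not cookie or not is_persistent(cookie):
        return None
    return '[i] Cookie: ' + cookie


def reproduces_crash(headers=None):
    """True if the buggy variant raises TypeError on the given headers."""
    try:
        persistence_finding_buggy({} if headers is None else headers)
    except TypeError:
        return True
    return False


def scan(url, fetch=None):
    """Hypothetical stand-in for the Persistence() module: never raises on an
    unresponsive target or a blank response; returns what would be logged."""
    headers = get_headers(url, fetch)
    if headers is None:
        return UNRESPONSIVE
    return persistence_finding(headers) or NO_FINDING


if __name__ == '__main__':
    target = 'http://target.invalid/'  # placeholder, never contacted here
    print(scan(target, lambda u: SAMPLE_PERSISTENT))
    print(scan(target, lambda u: SAMPLE_SESSION))
    print(scan(target, lambda u: SAMPLE_BLANK))
    print(scan(target, refused_fetch))
    print('buggy variant crashes on blank response:', reproduces_crash())
```

The `__main__` block exercises the four cases with the constructed fetchers; passing no `fetch` makes `get_headers` do a real GET with `urlopen`, which is where the refused/aborted connection would otherwise propagate.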