GBounty is a multi-step website vulnerability scanner developed in Golang designed to help companies, pentesters, and bug hunters identify potential vulnerabilities in web applications.
For instance, let's consider the following scenario:
An SPA, with a search feature, on the following endpoint: /#/search?q=<user-input>, that reflects the user input.
In such a case, the application could be vulnerable if there's no sanitization in place because the attacker could make the victim navigate to a URL like: /#/search?q=<iframe%20src%3D"javascript:alert(%60xss%60)">.
However, this is not discoverable through protocol-based (HTTP) scans, because whatever that's after the fragment identifier is only processed by the client (browser). Thus, the reason why such support would be great.
To add support for that, GBounty could slightly modify the current logic, so, in case it detects a URL that looks like a SPA (contains the aforementioned pattern -/#/-), it uses a browser-based Requester that navigates to the given URL and returns the loaded HTML as the response.
In the case of scanning a Single Page Application (SPA), the support for a headless browser. Otherwise, it's impossible to detect certain types of vulnerabilities.
For instance, let's consider the following scenario: An SPA, with a search feature, on the following endpoint:
/#/search?q=<user-input>
, that reflects the user input.In such a case, the application could be vulnerable if there's no sanitization in place because the attacker could make the victim navigate to a URL like:
/#/search?q=<iframe%20src%3D"javascript:alert(%60xss%60)">
.However, this is not discoverable through protocol-based (HTTP) scans, because whatever that's after the fragment identifier is only processed by the client (browser). Thus, the reason why such support would be great.
To add support for that, GBounty could slightly modify the current logic, so, in case it detects a URL that looks like a SPA (contains the aforementioned pattern -
/#/
-), it uses a browser-based Requester that navigates to the given URL and returns the loaded HTML as the response.References: