M4cs / traxss

traxss | Automated XSS Vulnerability Scanner Currently In Development :snake: HACKTOBERFEST PROJECT 2019
MIT License
179 stars 49 forks

Diff raising UnexpectedAlertPresent Exception #21

Closed TotallyNotChase closed 5 years ago

TotallyNotChase commented 5 years ago

Right now, the program will raise an exception in run_on_url (in Scanner.py) if it encounters an alert. This is caused by Diff being used while an alert is present on the page.


driver.get(target_url) raises an alert as soon as it is loaded (in case the payload works, of course). This might be a problem for differ. So we instead have to switch to and close the alert before we differ:


That's all well and good, but I don't know which source the diff_source = driver.page_source wants; I think the author of it would know more. For instance, which source does it need: the base URL given by the user, or the payload-injected URL from run_on_url's target_url?

Please let me know about this!

P.S.: Am I dumb, or should this be difflib instead of .differ?


M4cs commented 5 years ago

No, there is a new differ class that @Chr0nicT implemented. We are using that to diff the original source over the new results. If an unexpected alert arises, we can assume it was triggered by a payload, so we should keep that as a result. Maybe we need a way to parse the payload to see if it's sending an alert and then match the content of the alert to the payload.

TotallyNotChase commented 5 years ago

@M4cs I see. I didn't notice the new class before. Although, are we really just comparing the pure source to the changed source? Isn't that rather ineffective? In complex websites many things could change on a form submit; not all of those will have anything to do with XSS success.

Back to the issue at hand: in the case of a URL query scan, we can simply just switch to the alert text (if it pops up) to check if the payload worked. What else needs to be done regarding differ?

M4cs commented 5 years ago

I was thinking, if, say, a payload adds an unclosed bold tag, we should check somehow that text after whatever has been added is bold when it shouldn't be. That's what I meant by diffing.

TotallyNotChase commented 5 years ago

Right, I see. I'm not entirely sure if that will work effectively with the current diff method, but I'll leave that to Chronic. Right now, we need to fix this exception by addressing the alert PRIOR to using diff. This will ensure diff actually executes correctly. Someone still has to put the diff_source assignment line in the correct place afterwards, as I don't know where it's supposed to be.

In the meantime, could you check my comment and tell me what you think? @M4cs
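As an added example (not traxss's own code), here is a Python helper that does what the thread converges on: handle the alert before touching page_source, match the alert text against the payload as M4cs suggests, and only then diff the clean page against the loaded one with difflib. It assumes each payload's alert() carries a unique marker string so a site's own alerts are not counted as hits; FakeDriver is a constructed stand-in for a Selenium WebDriver so the flow runs without a browser.

```python
import difflib
from types import SimpleNamespace
try:
    from selenium.common.exceptions import NoAlertPresentException
except ImportError:  # assumption: stand-in so this runs without Selenium installed
    class NoAlertPresentException(Exception):
        pass

def drain_alert(driver):
    """Return the open alert's text and close it, or None if there is no alert.
    Must run before driver.page_source, or Selenium raises UnexpectedAlertPresentException."""
    try:
        alert = driver.switch_to.alert
    except NoAlertPresentException:
        return None
    text = alert.text
    alert.accept()
    return text

def source_diff(baseline, current):
    """Added/removed lines between the clean page and the page after injection (difflib)."""
    delta = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                 "baseline", "injected", n=0, lineterm="")
    return [l for l in delta if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

def check_url(driver, baseline, target_url, marker):
    """Load target_url, handle the alert first, then diff; only an alert carrying marker counts."""
    driver.get(target_url)
    alert_text = drain_alert(driver)  # before page_source, not after
    return {"alert": alert_text,
            "fired": alert_text is not None and marker in alert_text,
            "diff": source_diff(baseline, driver.page_source)}

# Constructed stand-in for a WebDriver (not Selenium): url -> (page_source, alert text or None).
class _SwitchTo:
    def __init__(self, drv): self.drv = drv
    @property
    def alert(self):
        if self.drv.pending_alert is None:
            raise NoAlertPresentException()
        return self.drv.pending_alert

class FakeDriver:
    def __init__(self, pages):
        self._pages, self.pending_alert, self.page_source = pages, None, ""
        self.switch_to = _SwitchTo(self)
    def get(self, url):
        self.page_source, text = self._pages[url]
        self.pending_alert = None if text is None else SimpleNamespace(text=text, accept=lambda: None)
```

Passing the original, un-injected page_source as baseline and the run_on_url target_url as target_url is the ordering the thread asks about; an unrelated alert (the site's own) is closed but reported as not fired.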