adamdoupe / WackoPicko

WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
MIT License

Reflected XSS Behind JavaScript untestable - piccheck.php not used #3

Closed sebastiendamaye closed 13 years ago

sebastiendamaye commented 13 years ago

Hi,

The reflected XSS behind JS is untestable. You say: "Reflected XSS Behind JavaScript - http://localhost/piccheck.php - The name parameter is vulnerable." But the source "piccheck.php" is meant to be included in another PHP source, but it is not.

Regards, Sébastien

adamdoupe commented 13 years ago

Sébastien, The Reflected XSS behind JavaScript is a two-part process. The upload form on "index.php" that points to "piccheck.php" is dynamically written using JavaScript. For a crawler to reach the page "piccheck.php," it needs to either parse or execute JavaScript, as there are no other links to "piccheck.

Please let me know if this clears up your question.

Thanks!
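The crawler-coverage point in the reply above, as an added example that is not part of the original thread or WackoPicko's own code: a static link/form extractor is compared with one that runs inline scripts against a stub `document.write`. The sample markup, the `/pictures/recent.php` link and all function names are constructed assumptions; only `piccheck.php` and the `name` parameter come from the issue.

```javascript
// Constructed sample page (NOT WackoPicko's actual markup): one static link,
// plus a form that only exists after the inline script has run.
const SAMPLE_PAGE = `
<html><body>
<a href="/pictures/recent.php">Recent</a>
<script>
document.write('<form action="/piccheck.php" method="GET">');
document.write('<input type="text" name="name">');
document.write('<input type="submit" value="Check"></form>');
</script>
</body></html>`;

// Collect href/action targets from a piece of markup.
function extractTargets(html) {
  const re = /<(?:a|form)\b[^>]*?\b(?:href|action)\s*=\s*["']([^"']+)["']/gi;
  return [...new Set([...html.matchAll(re)].map((m) => m[1]))].sort();
}

// Static crawl: script bodies are opaque text to a crawler that does not
// interpret JavaScript, so drop them before extracting targets.
function staticCrawl(html) {
  return extractTargets(html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, ''));
}

// JS-aware crawl: run each inline script with a stub `document` whose write()
// captures the emitted markup. new Function is used only because the input is
// the constructed sample; a real crawler needs a sandboxed browser engine.
function jsAwareCrawl(html) {
  let written = '';
  const stubDocument = { write: (s) => { written += String(s); } };
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    try {
      new Function('document', m[1])(stubDocument);
    } catch (e) {
      // A script that throws contributes no markup; keep crawling.
    }
  }
  return [...new Set([...staticCrawl(html), ...extractTargets(written)])].sort();
}

// Endpoints a scanner never tests unless its crawler handles JavaScript.
function missedByStatic(html) {
  const seen = new Set(staticCrawl(html));
  return jsAwareCrawl(html).filter((t) => !seen.has(t));
}

console.log(missedByStatic(SAMPLE_PAGE));
```
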

sebastiendamaye commented 13 years ago

Cool. That works. I hadn't seen that there was a test upload form on the home page. Thx again