dwisiswant0 / awesome-oneliner-bugbounty

A collection of awesome one-liner scripts especially for bug bounty tips.
MIT License
2.62k stars 571 forks

xss #15

Closed sabeesh03 closed 4 years ago

sabeesh03 commented 4 years ago

gospider -s "https://unilever.com" -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[] Using pipeline mode
output file error (file)
output file error (write)
[] Loaded 18 target urls
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/search.html?search=ben+and+jerry%27s
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/search.html?search=ben+and+jerry%27s: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/search.html?contenttype=&from=&global=false&id=&search=coupons&to=
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/search.html?contenttype=&from=&global=false&id=&search=coupons&to=: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/?navids=tcm%3a244-67568-4%2ctcm%3a244-67577-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/?navids=tcm%3a244-67568-4%2ctcm%3a244-67577-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://twitter.com/share?text=sustainable+living&url=https%3a%2f%2fwww.unilever.com%2fsustainable-living%2foverview%2f
output file error (file)
output file error (write)
[E] not running Get https://twitter.com/share?text=sustainable+living&url=https%3a%2f%2fwww.unilever.com%2fsustainable-living%2foverview%2f: dial tcp: lookup twitter.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.facebook.com/login.php?api_key=966242223397117&cancel_url=https%3a%2f%2fwww.facebook.com%2fdialog%2fclose_window%2f%3fapp_id%3d966242223397117%26connect%3d0%23_%3d_&display=popup&locale=en_us&next=https%3a%2f%2fwww.facebook.com%2fsharer%2fsharer.php%3fu%3dhttps%253a%252f%252fwww.unilever.com%252fsustainable-living%252foverview%252f&signed_next=1&skip_api_login=1
output file error (file)
output file error (write)
[E] not running Get https://www.facebook.com/login.php?api_key=966242223397117&cancel_url=https%3a%2f%2fwww.facebook.com%2fdialog%2fclose_window%2f%3fapp_id%3d966242223397117%26connect%3d0%23_%3d_&display=popup&locale=en_us&next=https%3a%2f%2fwww.facebook.com%2fsharer%2fsharer.php%3fu%3dhttps%253a%252f%252fwww.unilever.com%252fsustainable-living%252foverview%252f&signed_next=1&skip_api_login=1: dial tcp: lookup www.facebook.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://twitter.com/share?url=https%3a%2f%2fwww.unilever.com%2fsustainable-living%2foverview%2f
output file error (file)
output file error (write)
[E] not running Get https://twitter.com/share?url=https%3a%2f%2fwww.unilever.com%2fsustainable-living%2foverview%2f: dial tcp: lookup twitter.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://twitter.com/share?lang=de&url=https%3a%2f%2fwww.unilever.com%2fsustainable-living%2foverview%2f
output file error (file)
output file error (write)
[E] not running Get https://twitter.com/share?lang=de&url=https%3a%2f%2fwww.unilever.com%2fsustainable-living%2foverview%2f: dial tcp: lookup twitter.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/sustainable-living/enhancing-livelihoods/fairness-in-the-workplace/advancing-human-rights-in-our-extended-supply-chain/?navids=tcm%3a244-50553-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/sustainable-living/enhancing-livelihoods/fairness-in-the-workplace/advancing-human-rights-in-our-extended-supply-chain/?navids=tcm%3a244-50553-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/about/suppliers-centre/terms-and-conditions/?navids=tcm%3a244-67568-4%2ctcm%3a244-67573-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/about/suppliers-centre/terms-and-conditions/?navids=tcm%3a244-67568-4%2ctcm%3a244-67573-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/sustainable-living/enhancing-livelihoods/fairness-in-the-workplace/advancing-human-rights-in-our-extended-supply-chain/our-responsible-sourcing-policy-in-action/?navids=tcm%3a244-67568-4%2ctcm%3a244-67571-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/sustainable-living/enhancing-livelihoods/fairness-in-the-workplace/advancing-human-rights-in-our-extended-supply-chain/our-responsible-sourcing-policy-in-action/?navids=tcm%3a244-67568-4%2ctcm%3a244-67571-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/investor-relations/debt-investors/unilever-us-shelf-registration/?navids=tcm%3a244-50553-4%2ctcm%3a244-50719-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/investor-relations/debt-investors/unilever-us-shelf-registration/?navids=tcm%3a244-50553-4%2ctcm%3a244-50719-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/brands/personal-care/glow-and-lovely.html?navids=tcm%3a244-67568-4%2ctcm%3a244-67574-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/brands/personal-care/glow-and-lovely.html?navids=tcm%3a244-67568-4%2ctcm%3a244-67574-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/brands/personal-care/glow-and-lovely.html?currentlocation=true
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/brands/personal-care/glow-and-lovely.html?currentlocation=true: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/investor-relations/agm-and-corporate-governance/other-governance-information/?navids=tcm%3a244-50553-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/investor-relations/agm-and-corporate-governance/other-governance-information/?navids=tcm%3a244-50553-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/investor-relations/agm-and-corporate-governance/agm-and-voting/agm-archive/?navids=tcm%3a244-50553-4%2ctcm%3a244-50554-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/investor-relations/agm-and-corporate-governance/agm-and-voting/agm-archive/?navids=tcm%3a244-50553-4%2ctcm%3a244-50554-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/investor-relations/agm-and-corporate-governance/agm-and-voting/agm-archive/?page=3
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/investor-relations/agm-and-corporate-governance/agm-and-voting/agm-archive/?page=3: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/investor-relations/agm-and-corporate-governance/other-governance-information/directors-sharedealings/?navids=tcm%3a244-67568-4%2ctcm%3a244-67577-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/investor-relations/agm-and-corporate-governance/other-governance-information/directors-sharedealings/?navids=tcm%3a244-67568-4%2ctcm%3a244-67577-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)
[] Target URL: https://www.unilever.com/investor-relations/agm-and-corporate-governance/other-governance-information/remuneration/?navids=tcm%3a244-67568-4%2ctcm%3a244-67574-4
output file error (file)
output file error (write)
[E] not running Get https://www.unilever.com/investor-relations/agm-and-corporate-governance/other-governance-information/remuneration/?navids=tcm%3a244-67568-4%2ctcm%3a244-67574-4: dial tcp: lookup www.unilever.com on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
output file error (write)

Can't figure out where it went wrong.

hahwul commented 4 years ago

Hi @sabeesh03, did you install dalfox via snapcraft? It seems to be a problem caused by the snapcraft sandbox policy. Try installing it using go get!

$ sudo snap remove dalfox
$ go get -u github.com/hahwul/dalfox

hahwul commented 4 years ago

@sabeesh03 Although it is not accurate, snapcraft policy is involved in file i/o, network, etc. I'm also doing testing on it, so please refer to it :D

hahwul commented 4 years ago

@sabeesh03 And I just changed it to comply with snapcraft sandbox policy with the release of dalfox v2.1.2. If you still use the snap version, please update it to v2.1.2.

$ sudo snap refresh dalfox

@dwisiswant0 In the one-liner, I'll change to a pipe instead of the -o option. In the case of snapcraft, the file I/O policy is very strict, but it seems that this is not a part that I can correct by modifying. (You have to specify the directory to use, because this can be different for each user.)

I'll send a PR soon.😁
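The failure pattern discussed in this thread (every lookup ending in `socket: permission denied`, every write ending in `output file error`) can be triaged from a saved log. The script below is an added example, not part of the original thread or of dalfox; the function names are hypothetical, and the sample log is constructed around the placeholder host `example.test`.

```shell
#!/bin/sh
# Added example, not code from this thread. Function names are hypothetical.

# Constructed sample in the shape of the output quoted in this issue;
# example.test is a placeholder host.
sample_log() {
cat <<'EOF'
[] Using pipeline mode
output file error (file)
output file error (write)
[] Loaded 2 target urls
[] Target URL: https://example.test/search?q=a
[E] not running Get https://example.test/search?q=a: dial tcp: lookup example.test on [::1]:53: dial udp [::1]:53: socket: permission denied
output file error (file)
[] Target URL: https://example.test/?id=1
[E] not running Get https://example.test/?id=1: dial tcp: lookup example.test on [::1]:53: dial udp [::1]:53: socket: permission denied
EOF
}

# Summarise a log read from stdin as one line of counters plus a verdict.
triage_log() {
  awk '
    /Target URL:/                         { targets++ }
    /socket: permission denied/           { net++ }
    /output file error \((file|write)\)/  { io++ }
    END {
      verdict = "ok"
      if (net > 0 && io > 0) verdict = "net-denied+file-error"
      else if (net > 0)      verdict = "net-denied"
      else if (io > 0)       verdict = "file-error"
      printf "targets=%d net_denied=%d file_errors=%d verdict=%s\n",
             targets, net, io, verdict
    }'
}

# Succeed if the named command resolves to a snap-managed launcher path.
is_snap_command() {
  p=$(command -v "$1" 2>/dev/null) || return 1
  case "$p" in
    /snap/bin/*|/var/lib/snapd/snap/bin/*) return 0 ;;
    *) return 1 ;;
  esac
}

sample_log | triage_log
```

When `is_snap_command dalfox` succeeds and the verdict is `net-denied+file-error`, `snap connections dalfox` lists which interfaces (such as `network` and `home`) the snap has been granted.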

dwisiswant0 commented 4 years ago

With pleasure, @hahwul.

dwisiswant0 commented 4 years ago

This bug has been fixed as of PR #16. Kudos to @hahwul!