Closed f4cknet closed 4 years ago
@M1nzhi You are right!
python3.8 xsser -u "https://demo.owasp-juice.shop/#/search?q=XSS" --payload="%3Ciframe%20src%3D%22javascript:alert('XSS')%22%3E"
I think it is because of that '#' in the URL. The parser is interpreting it as a parameter keyword at this point:
target_params = parse_qs(urlparse(target_url).query, keep_blank_values=True)
Because of that, even the "Trying" URL is wrong:
https://demo.owasp-juice.shop/%3Ciframe%20src%3D%22javascript:alert('c4c5678cc32589b9cce6037bd4865a74')%22%3E
Let me check it.
related: https://bugs.python.org/issue18140
This OWASP-Juice shop is a very "happy idea" created by security devs and not related to "real world" scenarios.
For example, they have used the character "#", described in RFC1783 as a special character dedicated to "fragments":
_All unsafe characters must always be encoded within a URL. For
example, the character "#" must be encoded within URLs even in
systems that do not normally deal with fragment or anchor
identifiers, so that if the URL is copied into another system that
does use them, it will not be necessary to change the URL encoding._
And after that, they have parsed it on the server side to avoid the use of other related standard encodings, such as decimal (%23) or hexadecimal (%35), plus the "exploiting" of an issue in python3-urllib3, described at https://bugs.python.org/issue23328, here or even here.
1.25.7 (2019-11-11)
Fix issue where URL fragment was sent within the request target. (Pull #1732)
So if you don't have an updated urllib3 from pip, you will always face this problem with any other python3 tool (not only XSSer).
Using python3-request may solve this issue. But that means refactoring a bunch of code (not my mod right now).
So, I will try to make some workaround/hack to bypass this special stuff, but I recommend that you learn about XSS in another, more realistic kind of app.
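As an added example (my own code, not XSSer's and not posted by anyone in this thread) of the parsing behaviour discussed above: Python's urlparse cuts the fragment off at '#' before it looks for '?', so for a hash-routed URL the parse_qs line quoted earlier sees no query at all, while a compliant client never puts the fragment in the request target. The sample URLs are constructed for the example.

```python
# Added example (not XSSer's code): how Python's urlparse treats a hash-routed
# URL like the Juice Shop one in this thread, and what a client actually sends.
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs: hash-routed (the thread's case), a plain query, and
# the same route with '#' percent-encoded as %23.
HASH_ROUTED = "https://demo.owasp-juice.shop/#/search?q=XSS"
PLAIN_QUERY = "https://demo.owasp-juice.shop/search?q=XSS"
ENCODED_HASH = "https://demo.owasp-juice.shop/%23/search?q=XSS"


def query_params(target_url: str) -> dict:
    """The parser line quoted in the thread: only the real query component is read.

    urlparse splits off everything after '#' as the fragment before it looks for
    '?', so for a hash-routed URL this returns an empty dict."""
    return parse_qs(urlparse(target_url).query, keep_blank_values=True)


def fragment_route_params(target_url: str) -> dict:
    """Workaround for client-side routers: recover the query that sits inside the
    fragment ('/search?q=XSS' -> {'q': ['XSS']})."""
    fragment = urlparse(target_url).fragment
    _route, _sep, query = fragment.partition("?")
    return parse_qs(query, keep_blank_values=True)


def request_target(target_url: str) -> str:
    """Origin-form request target as a compliant client sends it (RFC 3986 / 7230):
    path and query only. The fragment never leaves the client, which is the
    behaviour urllib3 restored in 1.25.7."""
    parts = urlparse(target_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def all_params(target_url: str) -> dict:
    """Merge both sources so a hash-routed and a plain URL yield the same params."""
    merged = dict(query_params(target_url))
    for key, values in fragment_route_params(target_url).items():
        merged.setdefault(key, []).extend(values)
    return merged


if __name__ == "__main__":
    for url in (HASH_ROUTED, PLAIN_QUERY, ENCODED_HASH):
        print(url, "->", request_target(url), all_params(url))
```

Note that for the hash-routed URL the server receives only "/", so no server-side reflection of q is possible; only the client-side router ever sees the parameter.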
I tried to modify the code to use request instead of urlparse:
xsser -u "target" -g "search?q=XSS" --payload='xsspayload'
xsser -u "https://demo.owasp-juice.shop/" -g "/#/search?q=XSS"
Below is the result; did it work?
[*] Trying: https://demo.owasp-juice.shop/">e70fad24d664200ac1de09caa1901ae8
It seems it did not work successfully.