hahwul / XSpear

🔱 Powerful XSS Scanning and Parameter analysis tool&gem
MIT License
1.19k stars 224 forks

reflected xss bug #43

Closed sk3lk0 closed 4 years ago

sk3lk0 commented 4 years ago

I'm trying to use XSpear on DVWA (Damn Vulnerable Web Application), but it is not working. XSpear 1.3.1 (Ubuntu)

XSpear -u "http://localhost/vulnerabilities/xss_r/?name="

    )  (
 ( /(  )\ )
 )\())(()/(          (     )  (
((_)\  /(_))`  )    ))\ ( /(  )(
__((_)(_))  /(/(   /((_))(_))(()\
\ \/ // __|((_)_\ (_)) ((_)_  ((_)
 >  < \__ \| '_ \)/ -_)/ _` || '_|
/_/\_\|___/| .__/ \___|\__,_||_|    />
           |_|                   \ /<
{\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
                                 / \<
                                    \>       [ v1.3.1 ]
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 0 param + blind XSS ]
[*] test query generation is complete. [32 query]
[*] starting XSS Scanning. [10 threads]
[##########################################################################################################################] [32/32] [100.00%] [00:00] [00:00] [92.51/s]
[*] finish scan. the report is being generated..
+----+-------+-----------------+--------+-------+------------------+---------------------------------------+
|                                            [ XSpear report ]                                             |
|                             http://localhost/vulnerabilities/xss_r/?name=123                             |
|                  2020-01-06 13:37:13 +0200 ~ 2020-01-06 13:37:14 +0200 Found 5 issues.                   |
+----+-------+-----------------+--------+-------+------------------+---------------------------------------+
| NO | TYPE  | ISSUE           | METHOD | PARAM | PAYLOAD          | DESCRIPTION                           |
+----+-------+-----------------+--------+-------+------------------+---------------------------------------+
| 0  | INFO  | STATIC ANALYSIS | GET    | -     | <original query> | Found Server: Apache/2.4.25 (Debian)  |
| 1  | INFO  | STATIC ANALYSIS | GET    | -     | <original query> | Not set HSTS                          |
| 2  | INFO  | STATIC ANALYSIS | GET    | -     | <original query> | Content-Type: text/html;charset=utf-8 |
| 3  | LOW   | STATIC ANALYSIS | GET    | -     | <original query> | Not Set X-Frame-Options               |
| 4  | MIDUM | STATIC ANALYSIS | GET    | -     | <original query> | Not Set CSP                           |
+----+-------+-----------------+--------+-------+------------------+---------------------------------------+
< Available Objects >
Not found

< Raw Query >
[0] http://localhost/vulnerabilities/xss_r/?-
[1] http://localhost/vulnerabilities/xss_r/?-
[2] http://localhost/vulnerabilities/xss_r/?-
[3] http://localhost/vulnerabilities/xss_r/?-
[4] http://localhost/vulnerabilities/xss_r/?-
sk3lk0 commented 4 years ago

You can run DVWA using this command: docker run -it -p 80:80 vulnerables/web-dvwa, then go to localhost:80

hahwul commented 4 years ago

Hi @sk3lk0, thank you for the issue. When I look at your scanning log, it's not a reflected parameter (name), but I'll test it and write you back.

If it is a reflected param and it is not recognized properly, it is considered a bug. For testing all params, you can ignore whether or not the parameter is reflected (-a option).

e.g.

$ xspear -u "http://localhost/vulnerabilities/xss_r/?name=" -a
sk3lk0 commented 4 years ago

[image attachment]

cihanmehmet commented 4 years ago

@sk3lk0 You should add a cookie while scanning.

hahwul commented 4 years ago

@sk3lk0 I checked it again just in case. As @cihanmehmet said, it happened because there was no authentication information. It's possible if you add some cookies. (--cookie, --headers option)

        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
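An added example (not XSpear's own code) of the reflected-parameter check this thread turns on: a constructed stand-in for DVWA's xss_r page that answers with a redirect to login.php when no session cookie is sent, and a probe that reports whether a random marker placed in the parameter comes back in the body. The server, the cookie value and the function names are assumptions for the demo.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

class FakeDvwa(BaseHTTPRequestHandler):
    """Constructed stand-in for DVWA's xss_r page: without a PHPSESSID cookie it
    answers 302 to login.php (nothing reflected); with one it echoes ?name=."""
    def do_GET(self):
        if "PHPSESSID=" not in self.headers.get("Cookie", ""):
            self.send_response(302)
            self.send_header("Location", "/login.php")
            self.end_headers()
            return
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        self.send_response(200)
        self.send_header("Content-Type", "text/html;charset=utf-8")
        self.end_headers()
        self.wfile.write(f"<pre>Hello {query.get('name', [''])[0]}</pre>".encode())

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the 302 to the login page is the symptom to observe.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def is_reflected(url, param, cookie=None):
    """Put a random marker in `param` and report whether the body echoes it
    (the test-reflected-params step shown in the scan log above)."""
    marker = uuid.uuid4().hex[:12]
    parts = urllib.parse.urlparse(url)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    query[param] = [marker]
    probe = parts._replace(query=urllib.parse.urlencode(query, doseq=True)).geturl()
    req = urllib.request.Request(probe, headers={"Cookie": cookie} if cookie else {})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=5) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # the un-followed 302 lands here
        body = err.read().decode(errors="replace")
    return marker in body

def demo():
    # Probe the stand-in without, then with, a session cookie (values constructed).
    srv = HTTPServer(("127.0.0.1", 0), FakeDvwa)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}/vulnerabilities/xss_r/?name="
    result = (is_reflected(base, "name"),
              is_reflected(base, "name", "PHPSESSID=constructed; security=low"))
    srv.shutdown()
    return result  # (False, True)
```

Without the cookie the probe never reaches the page that echoes the parameter, which is exactly why the scan above reported "reflected 0 param"; pass the session via --cookie and the same probe sees the reflection.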