Closed DEMON1A closed 3 years ago
Thank you for your first issue report :D
Hi @DEMON1A Thank you for submit issue! What are the contents of the file? unsupported protocol scheme errors are usually problems that occur when a string is not a protocol or URL that is not used on the web.
it's just a Wayback URLs with parameters and it's value is FUZZ. all of them are HTTP and HTTPs but not all of them are live URLs.
Here's an example from the real file.
[root@demonia]:~/tools/ParamSpider/output - cat hackerone.com.txt | head
https://hackerone.com/sirmatrix?disclosed=FUZZ
https://www.hackerone.com/sites/default/files/styles/large/public/hpsr-facts.png?itok=FUZZ
https://hackerone.com/mjangda?disclosed=FUZZ
https://hackerone.com/sanjogpanda?disclosed=FUZZ
https://hackerone.com/zerohat?disclosed=FUZZ
https://hackerone.com/todayisnew?sort_type=FUZZ
https://hackerone.com/monero/policy_versions?change=FUZZ
https://hackerone.com/laceratus?disclosed=FUZZ
https://hackerone.com/hacktivity?sort_type=FUZZ
https://www.hackerone.com/sites/default/files/styles/medium/public/unnamed-4.jpg?itok=FUZZ
Also, lol sorry. the test file on the second results was lol
but I changed it into test
on the issue and I forgot to edit lol
on the results. my bad.
@DEMON1A Oh, is that settled? That's a relief!
Oh. Sorry about that. you didn't really understand me. the lol
word on the results is the same as the file name. I just changed the filename from lol
into test
while adding the results into the issue. BTW. I downloaded the source code and I used go without building it. the tool seems to be working while using it via the source. but in the binary, it doesn't really handle it well. I don't really think it's your code issue. go is a new language it might contain a lot of issues. Here are the testing results.
[root@demonia]:~/Dief/Coding/dalfox - go run dalfox.go file test.txt
_..._
.' .::::. __ _ _ ___ _ __ __
: :::::::: | \ / \ | | | __/ \\ V /
: :::::::: | o ) o || |_ | _( o )) (
'. '::::::' |__/|_n_||___||_| \_//_n_\
'-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 3 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] πβ
[*] Using DOM mining option π¦β
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] π
[*] Start static analysis.. π
[*] Start parameter analysis.. π
[*] BAV analysis done β
[I] Found 2 testing point in DOM Mining
[*] Static analysis done β routines
β€ URLs(1 / 3) :: Waiting routines ^Csignal: interrupt
[root@demonia-:~/Dief/Coding/dalfox - ^C
[root@demonia]:~/Dief/Coding/dalfox - dalfox file test.txt
_..._
.' .::::. __ _ _ ___ _ __ __
: :::::::: | \ / \ | | | __/ \\ V /
: :::::::: | o ) o || |_ | _( o )) (
'. '::::::' |__/|_n_||___||_| \_//_n_\
'-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 0 target urls
[root@demonia]:~/Dief/Coding/dalfox -
I think as a quick fix I won't use the binary anymore. I will create a bash alias that runs dalfox from the source code itself on the ~/Tools
directory. I'm sorry for wasting your time with that I should test the source earlier.
Hi @DEMON1A Oh, I just triggered it too! Is it a binary installed with snapcraft?
$ dalfox file samples/sample_target.txt
and If it's snapcraft, it could be about permission. snapcraft is very strict about permission. I'll look for more! Thank you very much.
I installed the tool using go get
. with root
on my VPS. I didn't really use snapcraft.
@DEMON1A
It's weird... because it's all(go-get
/go-build
/go-run
/go-install
) in the same environment.
As you can see from the above commit, I did find a problem with snapcraft. So I just proceeded with an additional patch.
First of all, if you had installed it with go get, it would have been built on the path ~/go/bin/dalfox, so please test it again with the tool of that path.
@DEMON1A First of all, I just released the revised v2.2.1 (fixed similar issue to this, only snapcraft). The snap version of dalfox may have been installed due to other tools, so please check it with a light heart!
if your not installed
$ sudo snap refresh dalfox
snap "dalfox" is not installed
if you insatlled
$ sudo snap refresh dalfox
updating...
Hi @hahwul
I just tested it with snap now on the new version. it works fine now without any problems and it loads the file content.
[root@demonia]:~ - echo "https://slack.com/" > test.txt
[root@demonia]:~ - dalfox file test.txt
_..._
.' .::::. __ _ _ ___ _ __ __
: :::::::: | \ / \ | | | __/ \\ V /
: :::::::: | o ) o || |_ | _( o )) (
'. '::::::' |__/|_n_||___||_| \_//_n_\
'-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] πβ
[*] Using DOM mining option π¦β
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] π
[*] Start static analysis.. π
[*] Start parameter analysis.. π
[*] BAV analysis done β
[I] Found 2 testing point in DOM Mining
Bless up βπΎ On 31 Oct 2020, 00:51 +0000, Mohamed Dief notifications@github.com, wrote:
Hi @hahwul I just tested it with snap now on the new version. it works fine now without any problems and it loads the file content. [root@demonia]:~ - echo "https://slack.com/" > test.txt
[root@demonia]:~ - dalfox file test.txt
...
.' .::::. __ __
: :::::::: | \ / \ | | | __/ \ V /
: :::::::: | o ) o || | | ( o )) (
'. '::::::' |__/|n||__||| _//n\
'-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] πβ
[*] Using DOM mining option π¦β
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] π
[*] Start static analysis.. π
[*] Start parameter analysis.. π
[*] BAV analysis done β
[I] Found 2 testing point in DOM Mining
β You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
Just another update here.
go get
was working. but the problem here was that dalfox binary was already on my VPS snap directory and i didn't notice it. so when i installed dalfox using go get
the system didn't use the go binary. but it used the snap one instead. there's really no problem with the go binary. sorry about that. i didn't actually know that someone installed dalfox on the VPS before.
@DEMON1A I don't think there's anything special, so I'll close the issue! If you have a problem, please open it again! Cheers :D
Ok thanks
Get Outlook for iOShttps://aka.ms/o0ukef
From: HAHWUL notifications@github.com Sent: Wednesday, November 18, 2020 2:32:11 PM To: hahwul/dalfox dalfox@noreply.github.com Cc: spook95 spook95@msn.com; Comment comment@noreply.github.com Subject: Re: [hahwul/dalfox] Dalfox uses the filename instead of it's content on the file mode (#134)
Closed #134https://github.com/hahwul/dalfox/issues/134.
β You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://github.com/hahwul/dalfox/issues/134#event-4010977645, or unsubscribehttps://github.com/notifications/unsubscribe-auth/APH5BTNDU62LPIPQKVJ2P4DSQPLGXANCNFSM4TB4YI2A.
the tools seem to be loading the filename instead of its real content using the file mode. I'm using dalfox latest version. here are the commands I used:
Command
Results:
Second Command:
Results: