hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License
3.73k stars 414 forks

Dalfox uses the filename instead of its content in file mode #134

Closed DEMON1A closed 3 years ago

DEMON1A commented 3 years ago

The tool seems to be loading the filename instead of its real content when using file mode. I'm using the latest dalfox version. Here are the commands I used:

Command

dalfox -b username.xss.ht file ~/tools/ParamSpider/output/target.com.txt

Results:


    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 0 target urls

Second Command:

dalfox -b username.xss.ht file test

Results:


    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: test
[E] not running Get lol: unsupported protocol scheme ""
github-actions[bot] commented 3 years ago

Thank you for your first issue report :D

hahwul commented 3 years ago

Hi @DEMON1A, thank you for submitting the issue! What are the contents of the file? "unsupported protocol scheme" errors usually occur when a string is not a URL, or uses a protocol that is not used on the web.
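
The error quoted above (`unsupported protocol scheme ""`) is what Go's HTTP client returns when it is handed a string with no scheme, such as a bare filename. The following is an added example, not dalfox's own code, showing how a target-list loader can reject such lines up front and fail loudly when the list file cannot be read or yields no usable URLs, instead of reporting "Loaded 0 target urls" and scanning nothing. The function names, the Rejected type and the constructed sample lines are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
)

// Rejected records a line that was skipped and why (example type, not from dalfox).
type Rejected struct {
	Line   int
	Text   string
	Reason string
}

// ParseTargets reads one target per line, trims whitespace, skips blank lines
// and '#' comments, and keeps only absolute http/https URLs. A bare word such
// as "test" parses as a relative path with an empty scheme; the HTTP client
// would later fail on it with `unsupported protocol scheme ""`, so it is
// reported here instead of being queued for scanning.
func ParseTargets(r io.Reader) ([]string, []Rejected) {
	var targets []string
	var rejected []Rejected
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		u, err := url.Parse(line)
		switch {
		case err != nil:
			rejected = append(rejected, Rejected{n, line, err.Error()})
		case u.Scheme != "http" && u.Scheme != "https":
			rejected = append(rejected, Rejected{n, line, fmt.Sprintf("unsupported protocol scheme %q", u.Scheme)})
		case u.Host == "":
			rejected = append(rejected, Rejected{n, line, "missing host"})
		case seen[line]:
			// exact duplicate of an earlier line: drop silently
		default:
			seen[line] = true
			targets = append(targets, line)
		}
	}
	return targets, rejected
}

// LoadTargets opens the list file and parses it. An unreadable file or a list
// with no usable URLs is an error rather than "0 targets": silently scanning
// nothing hides a wrong path or a confined binary that may not read the path.
func LoadTargets(path string) ([]string, []Rejected, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, nil, fmt.Errorf("file mode: cannot read target list %q: %w", path, err)
	}
	defer f.Close()
	targets, rejected := ParseTargets(f)
	if len(targets) == 0 {
		return targets, rejected, fmt.Errorf("file mode: %q contains no usable http/https URLs (%d lines rejected)", path, len(rejected))
	}
	return targets, rejected, nil
}

func main() {
	// Constructed sample input: a valid URL, a bare word, a blank line,
	// a duplicate of the first URL and a non-web scheme.
	sample := "https://hackerone.com/hacktivity?sort_type=FUZZ\ntest\n\nhttps://hackerone.com/hacktivity?sort_type=FUZZ\nftp://example.invalid/x\n"
	targets, rejected := ParseTargets(strings.NewReader(sample))
	fmt.Printf("[*] Loaded %d target urls\n", len(targets))
	for _, r := range rejected {
		fmt.Printf("[E] line %d: %q skipped: %s\n", r.Line, r.Text, r.Reason)
	}
	// Placeholder path that does not exist, to show the explicit read error.
	if _, _, err := LoadTargets("/path/that/does/not/exist/targets.txt"); err != nil {
		fmt.Println("[E]", err)
	}
}
```

Run with `go run main.go`; the sample loads one target and reports the bare word with the same `unsupported protocol scheme ""` message seen in the issue, so a mis-parsed list is caught before any request is sent.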

DEMON1A commented 3 years ago

It's just Wayback URLs with parameters whose value is FUZZ. All of them are HTTP and HTTPS, but not all of them are live URLs.

DEMON1A commented 3 years ago

Here's an example from the real file.

[root@demonia]:~/tools/ParamSpider/output - cat hackerone.com.txt | head
https://hackerone.com/sirmatrix?disclosed=FUZZ
https://www.hackerone.com/sites/default/files/styles/large/public/hpsr-facts.png?itok=FUZZ
https://hackerone.com/mjangda?disclosed=FUZZ
https://hackerone.com/sanjogpanda?disclosed=FUZZ
https://hackerone.com/zerohat?disclosed=FUZZ
https://hackerone.com/todayisnew?sort_type=FUZZ
https://hackerone.com/monero/policy_versions?change=FUZZ
https://hackerone.com/laceratus?disclosed=FUZZ
https://hackerone.com/hacktivity?sort_type=FUZZ
https://www.hackerone.com/sites/default/files/styles/medium/public/unnamed-4.jpg?itok=FUZZ
DEMON1A commented 3 years ago

Also, sorry: the test file in the second results was "lol", but I changed it to "test" in the issue and forgot to edit "lol" in the results. My bad.

hahwul commented 3 years ago

@DEMON1A Oh, is that settled? That's a relief!

DEMON1A commented 3 years ago

Oh, sorry about that, you didn't quite understand me. The word "lol" in the results is the filename. I just changed the filename from "lol" to "test" while adding the results to the issue. BTW, I downloaded the source code and ran it with go without building it. The tool seems to work when run from the source, but the binary doesn't handle it well. I don't really think it's an issue with your code; Go is a new language and it might contain a lot of issues. Here are the testing results.

[root@demonia]:~/Dief/Coding/dalfox - go run dalfox.go file test.txt

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 3 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[I] Found 2 testing point in DOM Mining
[*] Static analysis done ✓ routines 
 ◀  URLs(1 / 3) :: Waiting routines ^Csignal: interrupt
[root@demonia-:~/Dief/Coding/dalfox - ^C
[root@demonia]:~/Dief/Coding/dalfox - dalfox file test.txt 

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 0 target urls
[root@demonia]:~/Dief/Coding/dalfox - 

I think, as a quick fix, I won't use the binary anymore. I will create a bash alias that runs dalfox from the source code itself in the ~/Tools directory. I'm sorry for wasting your time with that; I should have tested the source earlier.

hahwul commented 3 years ago

Hi @DEMON1A, oh, I just triggered it too! Is it a binary installed with snapcraft?

my test log

$ dalfox file samples/sample_target.txt

And if it's snapcraft, it could be about permissions; snapcraft is very strict about permissions. I'll look into it more! Thank you very much.

DEMON1A commented 3 years ago

I installed the tool using go get, as root on my VPS. I didn't use snapcraft.

hahwul commented 3 years ago

https://snapcraft.io/docs/home-interface

hahwul commented 3 years ago

@DEMON1A It's weird... because they are all (go get / go build / go run / go install) in the same environment.

As you can see from the above commit, I did find a problem with snapcraft. So I just proceeded with an additional patch.

First of all, if you had installed it with go get, it would have been built on the path ~/go/bin/dalfox, so please test it again with the tool of that path.

hahwul commented 3 years ago

@DEMON1A First of all, I just released the revised v2.2.1 (which fixes a similar issue to this one, snapcraft only). The snap version of dalfox may have been installed by other tools, so please check it with a light heart!

If you don't have it installed:

$ sudo snap refresh dalfox
snap "dalfox" is not installed

If you have it installed:

$ sudo snap refresh dalfox

updating...
DEMON1A commented 3 years ago

Hi @hahwul

I just tested it with snap on the new version. It works fine now without any problems and loads the file content.

[root@demonia]:~ - echo "https://slack.com/" > test.txt
[root@demonia]:~ - dalfox file test.txt 

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[I] Found 2 testing point in DOM Mining
spook95 commented 3 years ago

Bless up ☝🏾

DEMON1A commented 3 years ago

Just another update here.

go get was working, but the problem was that a dalfox binary was already in my VPS's snap directory and I didn't notice it. So when I installed dalfox using go get, the system didn't use the go binary but the snap one instead. There's really no problem with the go binary. Sorry about that; I didn't know that someone had installed dalfox on the VPS before.
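
The root cause reported above is a PATH lookup picking an older snap copy of dalfox ahead of the freshly built one in ~/go/bin. The shell check for this is `which -a dalfox`; the following is an added example, not part of the issue or of dalfox, that does the same lookup in Go so the shadowing can be seen and asserted on: it walks a PATH-style list in order, returns every executable with the given name, and reports which copy would actually run. The function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// FindAllInPath returns every regular, executable file named `name` found in
// the directories of pathEnv (a PATH-style list separated by the OS list
// separator), in lookup order. The first entry is the one a shell would run;
// any later entries are shadowed by it.
func FindAllInPath(name, pathEnv string) []string {
	var found []string
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH entry means the current directory
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil || !info.Mode().IsRegular() {
			continue // missing, or a directory with that name
		}
		if info.Mode().Perm()&0o111 == 0 {
			continue // present but not executable, so the shell would skip it
		}
		found = append(found, candidate)
	}
	return found
}

// ShadowReport turns the lookup result into a one-line diagnosis.
func ShadowReport(name string, matches []string) string {
	switch len(matches) {
	case 0:
		return fmt.Sprintf("%s: not found in PATH", name)
	case 1:
		return fmt.Sprintf("%s: %s (only copy)", name, matches[0])
	default:
		return fmt.Sprintf("%s: %s will run; shadowed copies: %v", name, matches[0], matches[1:])
	}
}

func main() {
	name := "dalfox"
	if len(os.Args) > 1 {
		name = os.Args[1] // any other binary name can be checked the same way
	}
	fmt.Println(ShadowReport(name, FindAllInPath(name, os.Getenv("PATH"))))
}
```

In the situation described in the thread the report would list the snap binary first and ~/go/bin/dalfox as a shadowed copy, which is the cue to remove the stale snap package or put ~/go/bin earlier in PATH before trusting a version check.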

hahwul commented 3 years ago

@DEMON1A I don't think there's anything special, so I'll close the issue! If you have a problem, please open it again! Cheers :D

spook95 commented 3 years ago

Ok thanks
