Closed Threezh1 closed 3 years ago
Thank you for your first issue report :D
Hi @Threezh1 I checked about it, and you can request a scan including cookies in the way below. Please refer to the code below for information on the column (where json is written can be used as a value)
However, there is a bug that works abnormally, so I fixed it, so I would appreciate it if you proceed with the latest version. And I'll add the document! There were some things I was missing, and thank you so much for reminding me!
< req >
curl -X POST "http://localhost:6664/scan" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{\"url\": \"https://www.hahwul.com\", \"options\":{\"cookie\":\"testz=11\",\"worker\":1}}"
< res >
{"code":200,"msg":"0462c53f75a528d263787af314f90e58016d693554216b9a4e34b50ad92da9ba","data":null}
< server log >
[*] Starting API Server
[*] Listen 0.0.0.0:6664
[*] Target URL: https://www.hahwul.com
{"time":"2021-01-11T00:01:55.712571+09:00","id":"","remote_ip":"::1","host":"localhost:6664","method":"POST","uri":"/scan","status":200,"error":"","latency":369889,"latency_human":"369.889µs","bytes_in":77,"bytes_out":98}
[*] Vaild target [ code:200 / size:74398 ]
[*] Start static analysis..
[*] Start parameter analysis..
[*] Parameter analysis done
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]
[*] BAV analysis done
[*] Static analysis done
[I] Content-Type is text/html; charset=utf-8
[I] Access-Control-Allow-Origin is *
[*] Generate XSS payload and optimization.Optimization..
[*] Start XSS Scanning.. with 33 queries
[*] Finish :D
default worker is 100
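The request above hand-escapes its JSON in the shell, which breaks as soon as a session cookie contains a quote or backslash. The client below is an added example, not part of the original comment or of dalfox itself: it builds the same body with a JSON encoder and refuses cookie bytes that could split or inject headers. It assumes the `cookie` option takes an ordinary `Cookie` header string and that `msg` in the response carries the scan id, as the sample response suggests; the function names are hypothetical.

```python
import json
import re
import urllib.request

# Endpoint and option names ("cookie", "worker") come from the curl call above.
API = "http://localhost:6664/scan"
# RFC 6265 grammar: cookie-name is a token, cookie-value is a run of cookie-octets
# (no control characters, space, double quote, comma, semicolon or backslash).
_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_VALUE = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")

def cookie_header(cookies):
    """Join name/value pairs into one Cookie header string, rejecting unsafe bytes."""
    parts = []
    for name, value in cookies.items():
        # fullmatch, not match: "$" would accept a trailing newline.
        if not _NAME.fullmatch(name) or not _VALUE.fullmatch(value):
            raise ValueError(f"unsafe cookie rejected: {name!r}")
        parts.append(f"{name}={value}")
    return "; ".join(parts)

def build_scan_body(url, cookies, worker=1):
    """Serialize the scan request; the JSON encoder does all quoting and escaping."""
    payload = {"url": url,
               "options": {"cookie": cookie_header(cookies), "worker": worker}}
    return json.dumps(payload).encode()

def parse_scan_response(raw):
    """Return the scan id (assumed to be the 'msg' field) or raise on a non-200 code."""
    doc = json.loads(raw)
    if doc.get("code") != 200:
        raise RuntimeError(f"scan request refused: {doc!r}")
    return doc["msg"]

def submit(url, cookies, worker=1):
    """POST the scan request to the local API server and return the scan id."""
    req = urllib.request.Request(
        API, data=build_scan_body(url, cookies, worker), method="POST",
        headers={"accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scan_response(resp.read())

if __name__ == "__main__":
    # Constructed sample values; prints the body that would be sent.
    print(build_scan_body("https://www.hahwul.com", {"testz": "11"}).decode())
```

The validator is stricter than some real applications, so a cookie it rejects should be percent-encoded before it is passed in.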
@Threezh1 The document was also updated. Closed this issue. https://dalfox.hahwul.com/docs/modes/server-mode/
And please reopen it if you have any problems or need help.
Hello, I would like to ask: in Server Mode, is there a way to pass in cookies through the API?
If you already have this function, can you update the usage in the document?
Thank you very much for this tool, it works very well.