Closed HarryJohnAsir closed 2 years ago
@HarryJohnAsir Thank you for your opinion! Dalfox is mostly for checking XSS, so I'm not sure if I can set and include the Severity, but I'll give it a try :D
In order to simplify and output Severity, I would like to mark it as Low/Medium/High by referring to the OWASP Risk Rating and CVSSv3.
Severity | Attribute
---|---
Low | BuiltIn-Grep
Medium | XSS (Reflected payload), BAV-CRLF, BAV-SQLi (SQL Error), BAV-OpenRedirect
High | XSS (Verified payload), BAV-SSTI

Dalfox's severity (not fixed yet.)
In fact, XSS is not reported critically in CVSS, etc. In particular, I think there is a limitation in the risk grade because a scanner cannot create an exploit chain.
Thank you.
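The table above, applied to scanner output, as an added example that is not part of this thread or of Dalfox itself: a small Go program that rates each finding Low/Medium/High exactly as the table does and then folds newline-separated JSON findings into a per-severity count plus the worst severity, the value a CI job would gate on. The `Finding` record, its `kind`/`verified` field names and the `Sample` input are constructed for this example and are not Dalfox's real JSON schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type Severity int // Low/Medium/High scale proposed in the thread; 0 means unrated
const Low, Medium, High Severity = 1, 2, 3

// Finding is a constructed record; its field names are assumptions, not Dalfox's real JSON schema.
type Finding struct {
	Kind     string `json:"kind"`     // grep | xss | bav-crlf | bav-sqli | bav-openredirect | bav-ssti
	Verified bool   `json:"verified"` // true when the XSS payload fired, false when it was only reflected
}

var fixed = map[string]Severity{"grep": Low, "bav-crlf": Medium, "bav-sqli": Medium, "bav-openredirect": Medium, "bav-ssti": High}

// Classify applies the severity table from the thread to one finding.
func Classify(f Finding) Severity {
	if strings.EqualFold(f.Kind, "xss") {
		if f.Verified {
			return High // payload confirmed to execute
		}
		return Medium // payload merely reflected
	}
	return fixed[strings.ToLower(f.Kind)] // unknown kinds stay unrated (0)
}

// Summarize reads newline-separated JSON findings and returns a count per severity plus the worst one seen.
func Summarize(jsonl string) (map[Severity]int, Severity, error) {
	counts, worst := map[Severity]int{}, Severity(0)
	dec := json.NewDecoder(strings.NewReader(jsonl))
	for dec.More() { // the decoder skips whitespace between concatenated JSON objects
		var f Finding
		if err := dec.Decode(&f); err != nil {
			return nil, 0, err
		}
		s := Classify(f)
		counts[s]++
		if s > worst {
			worst = s
		}
	}
	return counts, worst, nil
}

const Sample = "{\"kind\":\"xss\",\"verified\":true}\n{\"kind\":\"xss\"}\n{\"kind\":\"grep\"}" // constructed: one verified XSS, one reflected XSS, one grep hit
func main() { fmt.Println(Summarize(Sample)) } // prints map[1:1 2:1 3:1] 3 <nil>
```

A CI step would compare the returned worst severity against its own threshold (for example fail on High) rather than grepping the printed output.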
@HarryJohnAsir Close the issue by adding the function. It's going to be released on v2.6.3. If there's nothing special, I think it'll be released this weekend!
Thank you :D
Thank you
It would be really helpful if we could have "Severity" added to the JSON output.
Based on the issue severity, the Severity field can have a value as below.
Reference: JSON Output additions #261