hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License

`file` mode with `--format json` produces invalid json #375

Closed kmcquade closed 2 years ago

kmcquade commented 2 years ago

Describe the bug

Love this tool! Currently running into one issue though. It appears that when you combine file mode with --format json it produces invalid output.

Example URLs file (urls.txt)

https://public-firing-range.appspot.com/reflected/parameter/attribute_unquoted?q=a
https://public-firing-range.appspot.com/reflected/parameter/attribute_singlequoted?q=a
https://public-firing-range.appspot.com/reflected/parameter/attribute_quoted?q=a
https://public-firing-range.appspot.com/reflected/parameter/attribute_name?q=a

Command to reproduce:

dalfox file urls.txt --format json --no-color --no-spinner --output-all --follow-redirects --silence

Example output:

[
{"type":"V","inject_type":"inATTR-none(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_unquoted?q=a%22%3E%3CsVg%2Fonload%3Dprint%281%29+class%3Ddalfox%3E","param":"q","payload":"\"\u003e\u003csVg/onload=print(1) class=dalfox\u003e","evidence":"3 line:      \u003ctag attribute=a\"\u003e\u003csVg/onload=print(1) class=dalfox\u003e\u003e","cwe":"CWE-83","severity":"High"},
{}]
[
{"type":"V","inject_type":"inATTR-single(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_singlequoted?q=a%27%26%23x27%3B%3E%3CScRipt+class%3Ddalfox%3Eprint%281%29%3C%2Fscript%3E","param":"q","payload":"'\u0026#x27;\u003e\u003cScRipt class=dalfox\u003eprint(1)\u003c/script\u003e","evidence":"3 line:      \u003ctag attribute='a'\u0026#x27;\u003e\u003cScRipt class=dalfox\u003eprint(1)\u003c/script\u003e'\u003e","cwe":"CWE-83","severity":"High"},
{}]
[
{"type":"R","inject_type":"inATTR-double(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_quoted?q=a%22%26%2339%3B%3E%3CScRipt%3Eprompt.valueOf%28%29%281%29%3C%2Fscript%3E","param":"q","payload":"\"\u0026#39;\u003e\u003cScRipt\u003eprompt.valueOf()(1)\u003c/script\u003e","evidence":"3 line:      \u003ctag attribute=\"a\"\u0026#39;\u003e\u003cScRipt\u003eprompt.valueOf()(1)\u003c/script\u003e\"\u003e","cwe":"CWE-83","severity":"Medium"},
{"type":"R","inject_type":"inATTR-double(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_quoted?q=a%22%27%22%3E%3CsVg%2Fonload%3Dconfirm%281%29%3E","param":"q","payload":"\"'\"\u003e\u003csVg/onload=confirm(1)\u003e","evidence":"3 line:      \u003ctag attribute=\"a\"'\"\u003e\u003csVg/onload=confirm(1)\u003e\"\u003e","cwe":"CWE-83","severity":"Medium"},
{"type":"R","inject_type":"inATTR-double(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_quoted?q=a%22%26%2339%3B%3E%3CsVg%2Fonload%3Dprint%281%29%3E","param":"q","payload":"\"\u0026#39;\u003e\u003csVg/onload=print(1)\u003e","evidence":"3 line:      \u003ctag attribute=\"a\"\u0026#39;\u003e\u003csVg/onload=print(1)\u003e\"\u003e","cwe":"CWE-83","severity":"Medium"},
{"type":"V","inject_type":"inATTR-double(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_quoted?q=a%22onpointerover%3Dalert.apply%28null%2C1%29+class%3Ddalfox+","param":"q","payload":"\"onpointerover=alert.apply(null,1) class=dalfox ","evidence":"3 line:      \u003ctag attribute=\"a\"onpointerover=alert.apply(null,1) class=dalfox \"\u003e","cwe":"CWE-83","severity":"High"},
{}]
[
{"type":"V","inject_type":"inATTR-none(1)-URL","poc_type":"plain","method":"GET","data":"https://public-firing-range.appspot.com/reflected/parameter/attribute_name?q=aonpointerdown%3Dalert.call%28null%2C1%29+class%3Ddalfox+","param":"q","payload":"onpointerdown=alert.call(null,1) class=dalfox ","evidence":"3 line:      \u003ctag aonpointerdown=alert.call(null,1) class=dalfox =\"\"/\u003e","cwe":"CWE-83","severity":"High"},
{}]

Environment
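The concatenated-arrays output above, as an added example that is not part of the issue or the dalfox project: a small Go consumer that ingests the pre-v2.8 file-mode JSON stream (one array per target, each ending in an empty `{}`), drops the placeholders and merges everything into a single valid array. The sample input is constructed, shortened from the output in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// NormalizeDalfoxJSON reads the pre-v2.8 `dalfox file --format json` stream:
// one JSON array per target URL written back to back, each ending in an
// empty {} element. json.Decoder consumes the concatenated top-level arrays
// one at a time; the empty placeholder objects are dropped.
func NormalizeDalfoxJSON(r io.Reader) ([]map[string]any, error) {
	dec := json.NewDecoder(r)
	var findings []map[string]any
	for {
		var batch []map[string]any
		if err := dec.Decode(&batch); err == io.EOF {
			break // only whitespace left: stream fully consumed
		} else if err != nil {
			return nil, fmt.Errorf("decoding dalfox array: %w", err)
		}
		for _, f := range batch {
			if len(f) == 0 { // trailing {} placeholder, not a finding
				continue
			}
			findings = append(findings, f)
		}
	}
	return findings, nil
}

// SampleOutput is a constructed input shaped like the issue's output
// (two targets, fields shortened); it is not real scanner output.
const SampleOutput = `[
{"type":"V","inject_type":"inATTR-none(1)-URL","method":"GET","param":"q","cwe":"CWE-83","severity":"High"},
{}]
[
{"type":"R","inject_type":"inATTR-double(1)-URL","method":"GET","param":"q","cwe":"CWE-83","severity":"Medium"},
{"type":"V","inject_type":"inATTR-double(1)-URL","method":"GET","param":"q","cwe":"CWE-83","severity":"High"},
{}]
`

func main() {
	findings, err := NormalizeDalfoxJSON(strings.NewReader(SampleOutput))
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(findings) // one valid JSON array, pipeable into jq
	fmt.Println(string(out))
}
```

A truncated stream (for example a scan killed mid-target) surfaces as a decode error rather than being silently dropped, which is the behaviour you want when the output feeds a reporting pipeline.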

hahwul commented 2 years ago

@kmcquade Thank you for submitting the issue! I'll check it.

hahwul commented 2 years ago

@kmcquade Hello again :D First, I checked the section with the bug and fixed it, along with some additional improvements! It will now appear in normal JSON format.

The patch will be included in the next release version (v2.8.0), and if you want to apply it first, you can install it via go install or build it yourself.

go install github.com/hahwul/dalfox/v2@latest

Um... JSON results also use a slightly strange format for real-time output, but in v2.8 we will add a function so that users can choose whether to use real-time output or a stable format after completion.

Closing the issue because it's fixed! If you have a problem, please re-open it! Have a good rest of the day 😊

Test

./dalfox file 1 --format json --no-color --no-spinner --output-all --follow-redirects --silence | jq
./dalfox file 1 --format json --no-color --no-spinner --output-all --follow-redirects --silence --mass | jq
cat 1 | ./dalfox pipe --format json --no-color --no-spinner --output-all --follow-redirects --silence | jq 
cat 1 | ./dalfox pipe --format json --no-color --no-spinner --output-all --follow-redirects --silence --mass | jq 

Screenshot 2022-06-03 11:18:10 PM

kmcquade commented 2 years ago

Great! Thanks so much.