hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License

dalfox not able to detect input xss injection #388

Open SergejFrank4242 opened 2 years ago

SergejFrank4242 commented 2 years ago

Describe the bug

Hey there! First of all, thanks for this great tool.

When testing dalfox against a known XSS vulnerability within an input field, the scan unfortunately returned no result.

<input type="email" id="email" name="email" value="FUZZ HERE" placeholder="E-Mail">

Known Working Payload

"onfocus=alert(1) autofocus="

Am I doing something wrong? Or why is dalfox not finding this for me :(

Environment

hahwul commented 2 years ago

Hi @SergejFrank4242, thank you for submitting the issue!

First of all, it is normal to detect the pattern from Injected Attribute, but it is a pity that it could not be detected. I think we need to know the cause. Is it possible to share this part of the log?

(Screenshot 2022-06-25 11:53:22 PM)

Dalfox may not detect it if the Reflection is not found or the Reflection has an Invalid Badchar pattern.

SergejFrank4242 commented 2 years ago

[I] Reflected email param => PTYPE: URL Injected: /inATTR-double(1) { ; ` : + $ - , [ } = ) ] . \ ( | 901 line: me="email" value="DalFox"placeholder="E-Mail" /><

It looks like dalfox does not detect that " would be allowed.

hahwul commented 2 years ago

@SergejFrank4242 From the log alone, I think dalfox decided there's no ". I think this is a bug, I'll check it 🚀
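Added example, not part of the thread and not dalfox's own code: a regression check a site owner could run against the template from the issue to confirm which special characters are reflected unencoded inside the double-quoted `value` attribute, before and after escaping. The handler functions `renderRaw` and `renderEscaped`, the helper `rawChars` and the marker strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Input field from the issue, split around the reflected value.
const (
	fieldPrefix = `<input type="email" id="email" name="email" value="`
	fieldSuffix = `" placeholder="E-Mail">`
)

// renderRaw reflects the parameter unescaped (assumed vulnerable handler).
func renderRaw(email string) string { return fieldPrefix + email + fieldSuffix }

// renderEscaped HTML-escapes the parameter before reflecting it (the fix).
func renderEscaped(email string) string {
	return fieldPrefix + html.EscapeString(email) + fieldSuffix
}

// rawChars returns the probe characters that come back unencoded. Each
// character is sent between two constructed markers so that quotes belonging
// to the surrounding template are never mistaken for the reflected one.
func rawChars(render func(string) string, probes []string) []string {
	const open, end = "zq7a", "zq7b" // constructed markers
	var survived []string
	for _, p := range probes {
		if strings.Contains(render(open+p+end), open+p+end) {
			survived = append(survived, p)
		}
	}
	return survived
}

func main() {
	probes := []string{`"`, `'`, `<`, `>`}
	fmt.Println("raw handler reflects:    ", rawChars(renderRaw, probes))
	fmt.Println("escaped handler reflects:", rawChars(renderEscaped, probes))
	// Working payload quoted in the issue, rendered through the fixed handler.
	fmt.Println(renderEscaped(`"onfocus=alert(1) autofocus="`))
}
```

With escaping in place the payload from the issue stays inside the attribute value as `&#34;onfocus=alert(1) autofocus=&#34;`, so no new attribute is created.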