search

hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License
3.55k stars 397 forks source link

Request send to https by default when using --rawdata #452

Closed darshanpjpt closed 1 year ago

darshanpjpt commented 1 year ago

Describe the bug

when I use the raw request of http://testphp.vulnweb.com in dalfox, it sends request to https://testphp.vulnweb.com by default.

image (1)

image

rudSarkar commented 1 year ago

This is not a bug because there is an option to "force http on rawdata mode". Find the below reference the HTTP by default is set to false, If you need to send the HTTP request please use --http so you can send a request via HTTP.

Command for force HTTP on rawdata mode

dalfox file --rawdata raw_request.txt --http --poc-type=http-request

Output

Screenshot 2023-03-04 at 5 16 51 AM

Reference

https://github.com/hahwul/dalfox/blob/efcef0ffbf0fe775d8722940cce02069d7b51fdb/cmd/file.go#L267

Please @hahwul close this issue.

hahwul commented 1 year ago

Hi @darshanpjpt As @rudSarkar explained, when using rawdata, it is basically recognized as HTTPS and can be fixed as HTTP through flag. This is because you cannot identify whether HTTP or HTTPS was used in the Raw HTTP request.

As it is not a bug, I will close the issue. If there's a problem, please re-open it again :D