Open ChillVibesMushroom opened 1 year ago
To achieve your desired action, there are three specific flags that you can try.
--custom-alert-type
and --custom-alert-value
--custom-payload
If you want to test with a custom payload, you can use the --custom-payload
flag. The other flags are related to functions, such as alert. Currently, there is no direct way to modify the function, but you can achieve a similar effect with a simple trick (with --custom-alert-value
).
dalfox url https://xss-game.appspot.com/level1/frame \
--custom-alert-value "1);your_payload;console.log("
# [POC][R][GET][inHTML-none(1)-URL] https://xss-game.appspot.com/level1/frame?query=%3CsVg%2Fonload%3Dprompt%281%29%3Byour_payload%3Bconsole.log%28%29%3E
# https://xss-game.appspot.com/level1/frame?query=%3CsVg%2Fonload%3Dprompt%281%29%3Byour_payload%3Bconsole.log%28%29%3E
If you're interested, I can write some code and create a new flag that modifies the function.
(e.g --custom-func
)
dalfox url https://xss-game.appspot.com/level1/frame \ --custom-payload /home/scripts/JavaScript.js
Would that input be right ?
@ChillVibesMushroom The use of flag is correct. However, I think it may differ from the desired behavior depending on what the file means and the purpose.
Could you show me an example of the .js file? I don't understand exactly what kind of action you want. 😭
@ChillVibesMushroom The use of flag is correct. However, I think it may differ from the desired behavior depending on what the file means and the purpose.
Could you show me an example of the .js file? I don't understand exactly what kind of action you want. 😭
@ChillVibesMushroom
I think that would be suitable for --custom-payload
flag.
Ill give it a shot right now Im looking into different frameworks I just remembered I actually do have to install Dalfox you know what I realized though that the tool is pretty powerful it doesn't automatically go incognito mode it just gets straight too it and alongside other tools like hakrawler its powerful.
I was going to ask you but I never got the chance what tools would you use alongside dalfox when scanning a website for vulnerabilities.
Question
Your questions Is it possible to test my personal Js script for injection using dalfox