hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License

Inconsistent output #469

Open ocervell opened 1 year ago

ocervell commented 1 year ago

Describe the bug

I've been running dalfox on the same URL over and over again, here are the results:

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?pleasedonthaveanamelikethis_plz_plz=DalFox","param":"","payload":"DalFox","evidence":"","cwe":"","severity":"Low","message_id":3,"message_str":"Found dalfox-error-mysql2 via built-in grepping / payload: DalFox"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CdETAILS%250aopen%250aonToGgle%250a%3D%250aa%3Dprompt%2Ca%28%29+class%3Ddalfox%3E","param":"cat","payload":"\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e","evidence":"48 line:  yntax to use near '=\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e'","cwe":"CWE-79","severity":"High","message_id":219,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aprint%281%29%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":351,"message_str":"Reflected Payload in HTML: cat=\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aconfirm%281%29+class%3Ddalfox%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e' at","cwe":"CWE-79","severity":"High","message_id":275,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%22%3E%3CSvg%2Fonload%3Dalert%281%29+class%3Ddlafox%3E","param":"cat","payload":"\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e","evidence":"48 line:  syntax to use near '\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":435,"message_str":"Reflected Payload in HTML: cat=\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CScRipt+class%3Ddalfox%3Eprompt.valueOf%28%29%281%29%3C%2Fscript%3E","param":"cat","payload":"\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e","evidence":"48 line:  yntax to use near '=\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":187,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aalert.bind%28%29%281%29%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":343,"message_str":"Reflected Payload in HTML: cat=\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CsVg%2Fonload%3Dprompt.valueOf%28%29%281%29+class%3Ddalfox%3E","param":"cat","payload":"\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e","evidence":"48 line:  yntax to use near '=\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":163,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CScRipt+class%3Ddalfox%3Econfirm%281%29%3C%2Fscript%3E","param":"cat","payload":"\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e","evidence":"48 line:  yntax to use near '=\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":175,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e"},
{}]

As you can see, the reflected XSS does not show up across all the runs. Any ideas why?

Environment

hahwul commented 1 year ago

Hi @ocervell, Dalfox does not output the R type if the vulnerability is identified as V type. Looking at the information you sent, it seems that all V types are included.

The reason why the R type is not printed when checking with V type is to prevent indiscriminate R output. Sometimes, although it is a V type, the R output is caused by fast concurrency processing.
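A small normalizer, added here as an example (not part of dalfox or this thread), that applies the precedence hahwul describes, V superseding R for the same parameter, so that repeated runs can be compared on what was actually confirmed rather than on which payload happened to reflect first. The records are constructed to mirror the issue's JSON shape, with payload strings replaced by placeholders.

```python
import json

# Type precedence described in the issue: a verified (V) finding for a
# parameter supersedes a reflected (R) one; G is a built-in grep hit with no param.
TYPE_RANK = {"G": 0, "R": 1, "V": 2}


def parse_dalfox_json(text):
    """Parse `dalfox --format json` output, dropping the trailing empty {} record."""
    return [rec for rec in json.loads(text) if rec.get("type") in TYPE_RANK]


def normalize(records):
    """Reduce one run to {key: (type, severity)} with a single status per parameter.

    R is dropped whenever the same parameter also has a V finding. G records are
    keyed by the grep name only, so "/ original request" and "/ payload: X" agree.
    """
    summary = {}
    for rec in records:
        if rec["type"] == "G":
            key = "G:" + rec["message_str"].split(" via ")[0]  # "G:Found dalfox-error-mysql2"
        else:
            key = rec["param"]
        current = summary.get(key)
        if current is None or TYPE_RANK[rec["type"]] > TYPE_RANK[current[0]]:
            summary[key] = (rec["type"], rec["severity"])
    return summary


def diff_runs(run_a, run_b):
    """Keys whose normalized status differs between two runs; [] means consistent."""
    a, b = normalize(run_a), normalize(run_b)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


# Constructed sample runs shaped like the issue's output (payloads abbreviated).
RUN_1 = parse_dalfox_json(json.dumps([
    {"type": "G", "param": "", "severity": "Low",
     "message_str": "Found dalfox-error-mysql2 via built-in grepping / payload: DalFox"},
    {"type": "V", "param": "cat", "severity": "High",
     "message_str": "Triggered XSS Payload (found DOM Object): cat=PAYLOAD_A"},
    {}]))
RUN_2 = parse_dalfox_json(json.dumps([
    {"type": "G", "param": "", "severity": "Low",
     "message_str": "Found dalfox-error-mysql2 via built-in grepping / original request"},
    {"type": "R", "param": "cat", "severity": "Medium",
     "message_str": "Reflected Payload in HTML: cat=PAYLOAD_B"},
    {"type": "V", "param": "cat", "severity": "High",
     "message_str": "Triggered XSS Payload (found DOM Object): cat=PAYLOAD_C"},
    {}]))
```

`diff_runs(RUN_1, RUN_2)` returns an empty list: both runs agree that `cat` is verified (V), which is the point of the reply even though only one of them printed an R record.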