hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License

runtime error: invalid memory address or nil pointer dereference #66

Closed ddervosj closed 4 years ago

ddervosj commented 4 years ago

Hello,

Getting the same error as with your other tool (s3reverse) when piping through other commands:

echo "redacted.com" | waybackurls | head -5 | egrep -o "http?.*" | grep "="| egrep -v ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace -a | dalfox pipe -blind https://xxx.xss.ht/

    _..._
  .' .::::.   __   _   _    ___ _ __ __
 :  :::::::: |  \ / \ | |  | __/ \\ V /
 :  :::::::: | o ) o || |_ | _( o )) (
 '. '::::::' |__/|_n_||___||_| \_//_n_\
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using pipeline mode
[*] Loaded 1 target urls
[*] Target URL: http://www.redacted.com?cmp=701j000000096imaai
[*] Vaild target [ code:200 / size:93822 ]
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
◓ Waiting routines..
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x78b7af]

goroutine 42 [running]:
github.com/hahwul/dalfox/pkg/scanning.StaticAnalysis(0xc0000b40c0, 0x2c, 0xc0000a33e0, 0x1c)
        /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:463 +0x8f
github.com/hahwul/dalfox/pkg/scanning.Scan.func1(0xc00018c0b4, 0xc0000a33e0, 0xc0000b40c0, 0x2c, 0xc0000bc080)
        /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:75 +0xb5
created by github.com/hahwul/dalfox/pkg/scanning.Scan
        /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:72 +0x342

go version go1.13.5 linux/amd64

hahwul commented 4 years ago

Hi @ddervosj, thank you for submitting the issue! First of all, what is the version of dalfox? (The last release is v1.0.1.)

I tested the same URL, but there was nothing unusual. I think we need to find out the exact cause of the problem. (The code in the stack trace looks like it's in the http.client.)

dalfox url http://www.redacted.com\?cmp\=701j000000096imaai -b https://hahwul.xss.ht

    _..._
  .' .::::.   __   _   _    ___ _ __ __
 :  :::::::: |  \ / \ | |  | __/ \\ V /
 :  :::::::: | o ) o || |_ | _( o )) (
 '. '::::::' |__/|_n_||___||_| \_//_n_\
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using single target mode
[*] Target URL: http://www.redacted.com?cmp=701j000000096imaai
[*] Vaild target [ code:200 / size:6576 ]
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[I] Content-Type is text/html
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Added your blind XSS (https://hahwul.xss.ht)
[*] Start XSS Scanning.. with 68 queries 🗑
[*] Finish :D

I tested it similarly with a pipeline, and it works. First, update to the latest version and try again. If the same problem occurs, I think we should find the exact cause.


hahwul commented 4 years ago

update go-install

$ git clone https://github.com/hahwul/dalfox
$ go install
$ ~/go/bin/dalfox version

or go-get

$ go get -u github.com/hahwul/dalfox

ddervosj commented 4 years ago

Updated the tool to 1.0.1 (was 1.0.0). Getting the same error. However, tested without qsreplace, dalfox seems to be working fine. I guess now I know where the issue is (:

thanks for looking into this though!

hahwul commented 4 years ago

@ddervosj Well, if there is a problem with the pipeline process, I think DalFox will also need an exception for things such as an abnormal URL. If you happen to know the cause, share it with me! (I think there's an exception I've missed.)

Enjoy the rest of your day :D

sumgr0 commented 4 years ago

@hahwul Thanks for this amazing tool. I've been getting this error as well:

[image attached]

Running version 1.0.2 and also not using the qsreplace.

go version go1.14.2 linux/amd64

hahwul commented 4 years ago

@sumgr0 Thank you for your opinion. I think it's a problem caused by the lack of exceptions to the absence of response inside StaticAnalysis. Do you have any URL samples that I can test?
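
The failure mode described in this thread, a StaticAnalysis step that uses an HTTP response which is absent when the request fails, together with the "abnormal URL" exception for pipeline input mentioned earlier, shown as an added example in Go. This is not dalfox's own code: the function names, the failing and canned transports, and the sample target URLs are assumptions made up for illustration, and the transports keep the example offline.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// ErrAbnormalURL marks pipeline input that is not a scannable absolute http(s) URL.
var ErrAbnormalURL = errors.New("abnormal target url")

// validateTarget rejects lines that upstream tools can emit but that a scanner
// must not try to request (bare hosts, empty lines, non-http schemes).
func validateTarget(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %q: %v", ErrAbnormalURL, raw, err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", fmt.Errorf("%w: %q", ErrAbnormalURL, raw)
	}
	return u.String(), nil
}

// crashyStaticAnalysis reproduces the crash pattern: the error from Do is
// discarded and resp is used anyway. When the request fails, resp is nil and
// evaluating resp.Body panics with a nil pointer dereference.
func crashyStaticAnalysis(client *http.Client, target string) string {
	req, _ := http.NewRequest(http.MethodGet, target, nil)
	resp, _ := client.Do(req)
	defer resp.Body.Close() // panics here when resp == nil
	return resp.Header.Get("Content-Type")
}

// safeStaticAnalysis validates the target and checks every error before
// touching resp, so an unreachable host or bad input becomes an error the
// caller can log and skip instead of a panic that kills the whole run.
func safeStaticAnalysis(client *http.Client, target string) (string, error) {
	t, err := validateTarget(target)
	if err != nil {
		return "", err
	}
	req, err := http.NewRequest(http.MethodGet, t, nil)
	if err != nil {
		return "", fmt.Errorf("build request: %w", err)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("request %s: %w", t, err)
	}
	defer resp.Body.Close()
	// Drain a bounded amount of body; a huge response from a hostile target
	// must not exhaust memory.
	if _, err := io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<20)); err != nil {
		return "", fmt.Errorf("read body: %w", err)
	}
	return resp.Header.Get("Content-Type"), nil
}

// failingTransport stands in for an unreachable target (assumed, offline).
type failingTransport struct{}

func (failingTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return nil, errors.New("dial tcp: connection refused")
}

// cannedTransport stands in for a reachable target with a fixed Content-Type.
type cannedTransport struct{ contentType string }

func (c cannedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     http.Header{"Content-Type": {c.contentType}},
		Body:       io.NopCloser(strings.NewReader("<html>constructed sample</html>")),
		Request:    r,
	}, nil
}

// panics reports whether f panics, recovering so the process survives.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	bad := &http.Client{Transport: failingTransport{}}
	good := &http.Client{Transport: cannedTransport{contentType: "text/html"}}
	target := "http://www.example.com/?cmp=test" // constructed target

	fmt.Println("crashy version panics on unreachable host:", panics(func() { crashyStaticAnalysis(bad, target) }))
	_, err := safeStaticAnalysis(bad, target)
	fmt.Println("safe version returns an error instead:", err)
	ct, err := safeStaticAnalysis(good, target)
	fmt.Println("safe version on reachable host:", ct, err)
	_, err = safeStaticAnalysis(good, "redacted.com?cmp=test")
	fmt.Println("abnormal pipeline input rejected:", errors.Is(err, ErrAbnormalURL))
}
```

The point for a pipeline scanner is that one unreachable host or one malformed line must turn into a skipped target, not a SIGSEGV that ends a run over hundreds of URLs; the Go `http.Client.Do` contract is that `resp` is nil whenever `err` is non-nil, so the error check has to come before any use of the response.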

hahwul commented 4 years ago

Hi @ddervosj @sumgr0 First, I applied the error handling logic. It's version 1.0.3, and please test if the same problem occurs!

update cloned repo

git pull -v 
go install

use go-get

$ go get github.com/hahwul/dalfox

install release file https://github.com/hahwul/dalfox/releases/latest

random-robbie commented 4 years ago

i got the same issue.

v1.0.3

go version go1.12.6 darwin/amd64

Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1534 target urls
[*] Target URL: http://brutelogic.com.br/blog/?p=1020
[*] Vaild target [ code:200 / size:89550 ]
[*] Start parameter analysis.. 🔍
[*] Start static analysis.. 🔍
[*] Generate XSS payload and optimization.Optimization.. 🛠
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x11e2173]

sumgr0 commented 4 years ago

the latest update of dalfox 1.0.3 fixed the issue for me...

hahwul commented 4 years ago

@sumgr0 I'm so glad it's been modified! Tell me again if you have a problem!

@random-robbie Well, is there a stacktrace in the error? I need to know the error point of the code, so if you can share it, please send it to me :D

random-robbie commented 4 years ago

@hahwul Unable to replicate at the moment; will keep trying. I think I had a custom payload list that might have caused it.

ddervosj commented 4 years ago

not crashing after 1.0.3 update.

Thanks for the fix!

hahwul commented 4 years ago

@random-robbie I'm on it. I'll check that part mainly +_+

@ddervosj That's a relief and cool. If you have another bug, please report it :D

hahwul commented 4 years ago

@random-robbie Hi bro! Could you give me some sample data? (scan query or flags data). I think I can correct it exactly after I check the crash.

It doesn't reoccur for me, so it's hard to solve.

hahwul commented 4 years ago

There is no additional information, so I will close the issue. If there is a problem, please open it again. Thank you so much for submitting the issue!