If there is a way to pipe it into aquatone, then false positives will be lessened 👍
@ZB83486 Hello again! Well, is the content-type JSON? If I remember correctly, I didn't check DOM Verify when it was JSON. https://github.com/hahwul/dalfox/blob/c9666d4157628aa2182ea727c8efef5444af5ae8/pkg/scanning/ignore.go
Oh, now that I see it, some headers are missing. I'll add it!
I'm using goquery for DOM parsing for now, and I think I'll need auxiliary code for a tighter inspection. I've been testing the requirements and thinking about it.
As @phspade says, it would be better to pipeline with additional tools.
@phspade Thank you for the great idea 😍
@ZB83486 Oh, and I'll consider a verify option (choose between DOM parse and Headless); if it defaults to DOM, dalfox can keep the current speed.
Looking forward to your tool, man. I will update mine once there is a new version. Maybe you can also get an idea from this tool here. :)
Thanks to both of you! @phspade @hahwul
@ZB83486 , Hello again :D
Is there any way you can share some false positive samples with me? I'm thinking about cross-checking the headless browser and DOM parser. I'd need some of the original DOM parser false positives.
I've come up with a solution that has less impact on performance, but it's still going to use more resources and time than before, so I'm going to test how effective it is and apply it.
Sure, this might do.
https://poloniex.com/signup/?c=FUZZ%22+class%3Ddalfox+%22
Triggered XSS Payload (found DOM Object): callback='><sVg/onload=alert(45) class=dalfox>
1 line: FUZZ\'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12,"count_tota
https://blog.bitmex.com/api/get_posts/?callback=FUZZ%27%3E%3CsVg%2Fonload%3Dalert%2845%29+class%3Ddalfox%3E&post_type=site_announcement
@ZB83486
Thank you :D
Um.. hey bro, I tested it now. Well, I think it's a valid attack query.
Injected class attribute with c param
log
[V] Triggered XSS Payload (found DOM Object): c=" class=dalfox "
534 line: ralCode" value="FUZZ" class=dalfox "" id="referralCode" style="text-transform: u
response
<input type="text" name="referralCode" value="FUZZ" class=dalfox "" id="referralCode" style="text-transform: uppercase;"/>
PoC https://poloniex.com/signup/?c=FUZZ%22+class%3Ddalfox+onmouseleave=bypass_code_protection+%22 =>
Interesting. I already had it reported a few days ago but didn't consider it that serious. Do you think this would qualify at least as a P4 vulnerability? Also, do you have a BTC donation address? Thanks a lot. PS: the first one is, though, right? As far as I know, there is some callback vulnerability, but I am not sure if this would qualify or could be escalated. https://github.com/FriendsOfSymfony/FOSJsRoutingBundle/issues/112
@ZB83486 It depends on the scope category of the target, but it is obviously a likely vector of Reflected XSS. Further research may lead to good results.
Um, that would be p3 by the standard here. https://bugcrowd.com/vulnerability-rating-taxonomy
Right-click on the input and "Edit as HTML"; you will see that it's being encoded.
@phspade @ZB83486 Yaa, I think the page is patched. As @phspade said, the current result appears encoded, and dalfox doesn't detect it either.
If I am not mistaken, it can now be piped to aquatone with the following command.
cat xss-links.txt | dalfox pipe <your other options> --output plain | aquatone -out ~/<your aquatone output>
Hello again,
I know there has already been one open inquiry regarding false positives, but I am quite curious about the current situation. Have you personally stumbled upon any? Recently, for instance, I may have got one positive for an XSS but am not sure about it, because in the browser (only tested in the latest Chromium) it doesn't trigger the alert on load. What do you think?
[V] Triggered XSS Payload (found DOM Object): callback='><sVg/onload=alert(45) class=dalfox> 1 line: FUZZ\'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12,"count_tota
My question therefore is, how can we distinguish that? Is it dependent on anything?
Thank you very much in advance for your help and comment on this topic.
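The distinction the thread settles on is that finding the marker in a parsed DOM is not enough: the response must also be something the browser renders as HTML, and the marker must survive as a real attribute rather than an encoded string inside another attribute. The following is an added illustration of that two-step check (not dalfox's own code, which uses goquery in Go); it uses Python's stdlib HTML parser and constructed samples modelled on the three responses pasted above.

```python
# Added example, not part of dalfox: a DOM-marker check plus the content-type
# and encoding checks the thread says are needed to avoid false positives.
from html.parser import HTMLParser

MARKER_CLASS = "dalfox"  # class dalfox injects so it can recognise its own payload


class MarkerFinder(HTMLParser):
    """Records whether any element carries class="dalfox" as a parsed attribute."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) tuples as the parser understood them
        for name, value in attrs:
            if name == "class" and value == MARKER_CLASS:
                self.found = True


def marker_in_dom(body: str) -> bool:
    """Naive DOM-only check: does an HTML parser see the marker as an attribute?"""
    finder = MarkerFinder()
    finder.feed(body)
    finder.close()
    return finder.found


def is_renderable_html(content_type: str) -> bool:
    """Browsers only build a DOM for HTML responses; JSON/JSONP is never rendered."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in ("text/html", "application/xhtml+xml")


def verify(content_type: str, body: str) -> bool:
    """Tighter check: marker must be a parsed attribute AND the response must be HTML."""
    return is_renderable_html(content_type) and marker_in_dom(body)


# Constructed samples (content-type, body) based on the responses in this thread.
JSONP = ("application/json",
         "FUZZ'><sVg/onload=alert(45) class=dalfox>({\"status\":\"ok\",\"count\":12})")
ORIGINAL = ("text/html; charset=utf-8",
            '<input type="text" name="referralCode" value="FUZZ" class=dalfox "" '
            'id="referralCode" style="text-transform: uppercase;"/>')
PATCHED = ("text/html; charset=utf-8",  # quotes now entity-encoded, so no attribute breakout
           '<input type="text" name="referralCode" value="FUZZ&quot; class=dalfox &quot;" '
           'id="referralCode" style="text-transform: uppercase;"/>')

if __name__ == "__main__":
    for label, (ctype, body) in (("jsonp", JSONP), ("original", ORIGINAL), ("patched", PATCHED)):
        print(f"{label:9} dom-only={marker_in_dom(body)!s:5} verified={verify(ctype, body)}")
```

The JSONP sample is the false positive from the log above: the DOM-only check flags it, the content-type check rejects it. Even the "original" result only proves attribute-context reflection, which is why the thread calls it a likely vector rather than confirmed execution.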