ssl / ezXSS

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
https://ezxss.com
MIT License
1.87k stars, 330 forks

Add ability to block all subdomains by adding root domain to block list #148

Closed geeknik closed 10 months ago

geeknik commented 10 months ago

Right now, adding example.com in v4.1 only blocks requests from example.com, not a01.example.com or www.example.com. Adding example.com should block *.example.com unless one or more of the subdomains is in the whitelist.

GlitchWitch commented 10 months ago

I'd argue that it makes more sense to block example.com and *.example.com as separate entries rather than including all subdomains when blocking the parent domain and vice versa.

geeknik commented 10 months ago

Well, wildcard matching was added in 3.1, but didn't make it into 4.1 for some reason. When I try to add *.example.*, nothing is added.

ssl commented 10 months ago

Hey @geeknik,

I was about to say, I believe it is already possible to add *.example.com.

I will look into this. It might have broken without me noticing in some release.

ssl commented 10 months ago

Seems that only the input was not working correctly, thinking '*' cannot be a valid character in a domain. Fixed it in https://github.com/ssl/ezXSS/commit/796222c2e2912da5794e9a7a82156e83c4d1f20c
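The two matching rules discussed in this thread (a bare root domain covering all of its subdomains, as proposed in the opening comment, and explicit `*` wildcard entries such as `*.example.*`, as discussed in the follow-ups) can be combined in one small matcher, with whitelist entries taking precedence over blocklist entries. The code below is an added illustration and is not ezXSS code; it does not claim to reproduce what the linked commit actually implements. The function names (`host_of`, `entry_matches`, `first_match`, `is_blocked`) and the sample hosts and lists are assumptions constructed for the example.

```python
"""Added example (not ezXSS code): blocklist/whitelist host matching.

Rules implemented here:
  * a plain entry such as 'example.com' matches that host and every
    subdomain of it (the semantics proposed in the opening comment);
  * an entry containing '*' is a glob where each '*' matches any run of
    characters, including dots, so '*.example.*' covers 'a.example.org';
  * a host that matches any whitelist entry is never blocked, even if it
    also matches a blocklist entry.
"""
import re
from typing import Iterable, Optional
from urllib.parse import urlparse


def _normalise(name: str) -> str:
    """Lower-case, trim whitespace and drop a trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


def host_of(url: str) -> Optional[str]:
    """Return the hostname of a URL or header value (Origin/Referer style),
    discarding scheme, port, path and query. Bare 'host:port' is accepted."""
    if "://" not in url:
        url = "//" + url  # lets urlparse treat the first component as netloc
    return urlparse(url).hostname


def entry_matches(entry: str, host: str) -> bool:
    """Decide whether one block/whitelist entry covers the given host."""
    entry, host = _normalise(entry), _normalise(host)
    if not entry or not host:
        return False
    if "*" in entry:
        # Build a regex from the glob: escape literal parts, join with '.*'.
        # Anchored at both ends so '*.example.*' cannot match 'example.org'.
        pattern = "^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$"
        return re.match(pattern, host) is not None
    # Plain entry: exact host, or any subdomain. The leading '.' in the
    # suffix check stops 'example.com' from matching 'notexample.com'.
    return host == entry or host.endswith("." + entry)


def first_match(entries: Iterable[str], host: str) -> Optional[str]:
    """Return the first entry covering the host, or None."""
    for entry in entries:
        if entry_matches(entry, host):
            return entry
    return None


def is_blocked(host: str, blocklist: Iterable[str], whitelist: Iterable[str] = ()) -> bool:
    """Whitelist wins over blocklist; otherwise blocked if any block entry matches."""
    if first_match(whitelist, host) is not None:
        return False
    return first_match(blocklist, host) is not None


if __name__ == "__main__":
    # Constructed sample lists and requests (assumptions, not real data).
    blocklist = ["example.com", "*.example.*"]
    whitelist = ["www.example.com"]
    for raw in [
        "https://a01.example.com/report",
        "https://www.example.com/",
        "https://notexample.com/",
        "x.example.org:8443",
        "example.org",
    ]:
        host = host_of(raw)
        print(f"{raw:35} host={host!s:20} blocked={is_blocked(host, blocklist, whitelist)}")
```

`host_of` is there because a payload callback usually arrives with a full Referer or Origin value rather than a bare hostname; matching on the extracted host avoids a blocklist entry being bypassed by a port suffix or path.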