stamparm / DSXS

Damn Small XSS Scanner
424 stars 127 forks

false positives #5

Open wilson9x1 opened 6 years ago

wilson9x1 commented 6 years ago

Good project!! But I find this rule will cause false positives:

(r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->") 

e.g. demo.php:

<?php
// Reflect the parameter with double quotes and angle brackets HTML-encoded;
// single quotes are deliberately left untouched.
$input = str_replace("\"", "&quot;", $_GET['xss']);
$input = str_replace("<", "&lt;", $input);
$input = str_replace(">", "&gt;", $input);
echo '<meta name="description" content="';
print($input);
echo '#23578';
print($input);
echo '#23578';
print($input);
echo '#23578"/>';
?>


for help~
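An added example (Python, not DSXS's own code) that reproduces why the quoted rule fires on the reporter's demo.php and shows the kind of quote-context check that would separate this false positive from a real single-quoted injection. The probe marker, render_demo and quote_context are constructed for this illustration only; the rule and prefilter regexes are the ones quoted above.

```python
import re

# Rule quoted in the issue: "<.'.xss.'.>" inside a tag, inside single quotes.
RULE = r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>"
PREFILTER = r"(?s)<script.+?</script>|<!--.*?-->"
MARKER = "dsxsfp"  # constructed probe marker (hypothetical, not DSXS's own)


def render_demo(value):
    """Constructed reflection of the reporter's demo.php: encodes \" < > but not '."""
    esc = value.replace('"', "&quot;").replace("<", "&lt;").replace(">", "&gt;")
    return ('<meta name="description" content="' + esc + "#23578" + esc
            + "#23578" + esc + '#23578"/>')


def rule_fires(html, chars="'"):
    """Apply the rule as the issue describes it: prefilter, then regex search."""
    body = re.sub(PREFILTER, "", html)
    return re.search(RULE % {"chars": re.escape(chars)}, body) is not None


# name=value attribute tokens: double-quoted, single-quoted or unquoted values
ATTR = re.compile(r"""[\w:-]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def quote_context(html, marker):
    """Delimiter that actually encloses `marker` in its tag, or None if the
    marker is not inside a quoted attribute value (text node, unquoted value)."""
    tag = re.search(r"<[^>]*?" + re.escape(marker) + r"[^>]*>", html)
    if not tag:
        return None
    for m in ATTR.finditer(tag.group(0)):
        val = m.group(1)
        if marker in val:
            return val[0] if val[0] in "\"'" else None
    return None


def confirmed(html, marker, chars="'"):
    """Count a rule hit only when the probe's quote is the delimiter around it:
    a ' landing inside a "..." value (demo.php) cannot close the attribute."""
    return rule_fires(html, chars) and quote_context(html, marker) == chars


if __name__ == "__main__":
    page = render_demo(MARKER + "'")
    print("rule fires:", rule_fires(page), "| confirmed:", confirmed(page, MARKER))
```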

wilson9x1 commented 6 years ago

Another false positive:

demo.php:

</main><script>
    var jobs = {
        log: {
            pj: 'jobs-social',
            qid: '',
            pn: 0
        },
        common: {
            query: '',
            cookieStr: 'iurl',
            selected: {"city": "<?php echo str_replace("\"", "\\\"", $_GET['xss']); ?>"}
        }
    };
</script>

change regex:

<script[^>]*>[^<]*?'[^<'\"]*%(chars)s|%(chars)s[^<']*'[^<]*</script>
<script[^>]*>[^<]*?"[^<"\']*%(chars)s|%(chars)s[^<"]*"[^<]*</script>

maybe work...

stamparm commented 6 years ago

This is a project under 100 lines which should cover the majority of XSS vulnerabilities. It doesn't have a true-positive or false-positive detection mechanism, nor could one be implemented in such a restricted code environment.

I've personally made another detection mechanism which is more complex than this one, and I am aware that DSXS has its quirks. Though, as a PoC I would say that it works pretty fine. It is up to the tester to test the positiveness of the results (as in any scanner/tool).

stamparm commented 6 years ago

With the latest patch, the problem related to https://github.com/stamparm/DSXS/issues/5#issuecomment-356805571 should be gone.

stamparm commented 6 years ago

With the latest patch, the problem related to https://github.com/stamparm/DSXS/issues/5#issue-286990471 should be gone, though...

Now a new problem arises where another rule is being triggered because the original content is actually being reflected in an invalid manner (unclosed double quotes), which is something unexpected. It causes a (minor) problem where everything that looks like a quoted string is being prefiltered (before the rule is triggered).

wilson9x1 commented 6 years ago

oooo..... thank you for the answer~~

But, I can't understand why you replace r"\'" in the content??

(r"(?s)<script[^>]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*</script>", ('\'', ';'), "\"<script>.'.xss.'.</script>\", enclosed by <script> tags, inside single-quotes, %(filtering)s filtering", r"\\'"),

dsxs still thinks demo.php is vulnerable.