tijme / angularjs-csti-scanner

Automated client-side template injection (sandbox escape/bypass) detection for AngularJS v1.x.
MIT License

Unable to scan POST requests #17

Closed yogendra1911 closed 3 years ago

yogendra1911 commented 4 years ago

Using extended.py with scope options and the request method option throws the following error.

Actual behavior

Version 3.0.6 - Copyright 2017 Tijme Gommers <tijme@finnwea.com>

Traceback (most recent call last):
  File "extended.py", line 168, in <module>
    main()
  File "extended.py", line 69, in main
    Request.METHOD_GET,
NameError: global name 'Request' is not defined

Steps to reproduce the behavior

Added the following scope options to the request.py main() method:

options.scope.request_methods = [
    Request.METHOD_GET,
    Request.METHOD_POST
    ]

Running the default scan runs only on GET requests. Also, since I could not find the answer in the README, I am asking here: will it be possible to scan POST requests and inject into a specific parameter?

tijme commented 4 years ago

Hey @yogendra1911,

Could you try to add from nyawc.http.Request import Request? I think it will resolve the issue.

The FormDataAction.py class will be used and automatically insert the payload in <form>s that are found on the website.