search

xnl-h4ck3r / knoxnl

This is a python wrapper around the amazing KNOXSS API by Brute Logic
MIT License
207 stars 32 forks source link

local variable 'resp' referenced before assignment #18

Closed 0xPugal closed 4 months ago

0xPugal commented 4 months ago 
[ SAFE ] - (GET)  https://www.example.org/path/test-probability?ref=FUZZ [98/5000]
:( There was a problem calling KNOXSS API: local variable 'resp' referenced before assignment
:( There was a problem calling KNOXSS API: local variable 'resp' referenced before assignment
xnl-h4ck3r commented 4 months ago

Hi @0xPugal. Is it possible to send me the exact command you are using, including the URL? I understand if you don't want to share that here, but you can DM that on twitter. I can't seem to reproduce that issue. Also, you shouldn't be using FUZZ in any URLs you send to KNOXSS... it might not work as expected without the default value. You shouldn't use FUZZ, have any existing payloads in the URL, etc. just pass the URL's as the originally come, or you reduce your chances of it working properly

xnl-h4ck3r commented 4 months ago

Hi @0xPugal. I've been looking into this and the only way I could see that this error could happen is with these lines:

session = requests.Session()
session.mount('https://', HTTP_ADAPTER)

This implies it could be a network issue on your side that caused the issue. Do you get the error consistently with the same URL, or does it work next time? I will put a separate try catch around that anyway, but not 100% sure if that is the issue right now without being able to reproduce. Thanks Xnl

0xPugal commented 4 months ago

~ knoxnl -i https://www.coursera.org/browse?source=deprecated_spark_cdp&journalid=1021

Current knoxnl version 4.2 (latest)

Selected config and settings:
Config file path: /home/pugal/.config/knoxnl/config.yml
KNOXSS API Url: https://api.knoxss.pro
KNOXSS API Key: e7c913af-a648-418b-xxxx-yyyyy
Discord Webhook: https://discord.com/api/webhooks/10101010110/7jyBOiPc5Y_kzOSp2wdo6pdfVps9FnvBQvRHNqt4luF00f-zzzzzzzzzzzzzzzzzzzzz
-i: https://www.coursera.org/browse?source=deprecated_spark_cdp&journalid=1021 The URL to check with KNOXSS API.
-X: GET The HTTP method checked by KNOXSS API.
-afb: False Whether the Advanced Filter Bypass option is passed to KNOXSS API.
-t: 600 The number of seconds to wait for KNOXSS API to respond.
-r: 3 The number of times to retry when having issues connecting to the KNOXSS API.
-ri: 30 How many seconds to wait before retrying when having issues connecting to the KNOXSS API.
-rb: 1.5 The backoff factor used when retrying when having issues connecting to the KNOXSS API.

Calling KNOXSS API...

KNOXSS API request:
     Data: target=https://www.coursera.org/browse?source=deprecated_spark_cdp%26journalid=1021
KNOXSS API response:

:( There was a problem calling KNOXSS API: local variable 'resp' referenced before assignment

API calls made so far today - Unknown

when using cURL its working

➜  curl https://api.knoxss.pro -d target="https://www.coursera.org/browse?source=deprecated_spark_cdp%26journalid=1021" -H 'X-API-KEY: e7c913af-a648-418b-xxxx-yyyyy' -s

{
    "XSS": "false",
    "PoC": "none",
    "Target": "https://www.coursera.org/browse?source=deprecated_spark_cdp&journalid=1021",
    "POST Data": "none",
    "Error": "none",
    "API Call": "15/5000",
    "Time Elapsed": "521.11s",
    "Timestamp": "Thu, 25 Apr 2024 12:25:05 +0000",
    "Version": "3.6.5"
}
xnl-h4ck3r commented 4 months ago

https://www.coursera.org/browse?journalid=FUZZ&source=Gxss

Hi @0xPugal. I'm confused by this screen shot. According to the conifg info shown with -v at the start, the -i value passed was https://www.coursera.org/browse?journalid=FUZZ&source=Gxss. But in the resonse from KNOXSS after that, it shows https://www.coursera.org/browse?source=deprecated_spark_cdp%26journalid=1021 as the URL is processed. What was the exact command you used that produced that output?

xnl-h4ck3r commented 4 months ago

I don't get that error for either of those URLs though. It does seem to be related to how you are calling knoxnl I think. If you could share that, it should help. You did put knoxnl -i https://www.coursera.org/browse?source=deprecated_spark_cdp&journalid=1021, but I don't think that was what was run for that output, because -v was used to get that output. Also, you should really include the URL in quotes if you manually pass it, because the & in the URL can ber intrepretted by the environment as running the command in the backgorund.

xnl-h4ck3r commented 4 months ago

Hi @0xPugal . I have released v4.5. Can you run pip install --upgrade knoxnl and let me know if it resolves your issue? Thanks

0xPugal commented 4 months ago

Hey @xnl-h4ck3r, The issue is now fixed. Thanks for your continuous support in fixing this issue. So I'm closing this issue for now.