
Dalfox uses the filename instead of its content in file mode #134

Closed · DEMON1A opened this issue Oct 28, 2020 · 17 comments

Comments

DEMON1A commented Oct 28, 2020

The tool seems to be loading the filename instead of its real content in file mode. I'm using the latest dalfox version.
Here are the commands I used:

Command

dalfox -b username.xss.ht file ~/tools/ParamSpider/output/target.com.txt

Results:


    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 0 target urls

Second Command:

dalfox -b username.xss.ht file test

Results:


    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: test
[E] not running Get lol: unsupported protocol scheme ""
github-actions (Contributor) commented

Thank you for your first issue report :D

hahwul (Owner) commented Oct 28, 2020

Hi @DEMON1A
Thank you for submitting the issue!
What are the contents of the file? "unsupported protocol scheme" errors usually occur when a string is not a URL, or has a protocol that is not used on the web.
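The error in the report is what Go's net/http returns when a target string has no scheme, which is exactly what happens when a bare filename such as `test` is treated as a target. The following is an added example, not dalfox's own loader: a targets-list reader that accepts only absolute http/https URLs and reports every skipped line with a reason, so a "Loaded 0 target urls" result can be explained. The type and function names (`Target`, `Rejected`, `LoadTargets`, `LoadTargetsFile`) are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
)

// Target is one accepted line of a targets list.
type Target struct {
	Line int    // 1-based line number in the file
	URL  string // normalised absolute URL
}

// Rejected is one line that was skipped, with the reason it was skipped.
type Rejected struct {
	Line   int
	Text   string
	Reason string
}

// LoadTargets reads a targets list (one URL per line; blank lines and "#"
// comments are ignored) and keeps only absolute http/https URLs. Everything
// else is returned in the rejected slice instead of being silently dropped.
func LoadTargets(r io.Reader) ([]Target, []Rejected) {
	var accepted []Target
	var rejected []Rejected
	sc := bufio.NewScanner(r)
	line := 0
	for sc.Scan() {
		line++
		raw := strings.TrimSpace(sc.Text())
		if raw == "" || strings.HasPrefix(raw, "#") {
			continue
		}
		u, err := url.Parse(raw) // net/url lowercases the scheme for us
		switch {
		case err != nil:
			rejected = append(rejected, Rejected{line, raw, err.Error()})
		case u.Scheme == "":
			// A bare word such as "test" (the filename from the report) lands
			// here; net/http reports it as `unsupported protocol scheme ""`.
			rejected = append(rejected, Rejected{line, raw, `unsupported protocol scheme ""`})
		case u.Scheme != "http" && u.Scheme != "https":
			rejected = append(rejected, Rejected{line, raw, fmt.Sprintf("unsupported protocol scheme %q", u.Scheme)})
		case u.Host == "":
			rejected = append(rejected, Rejected{line, raw, "missing host"})
		default:
			accepted = append(accepted, Target{line, u.String()})
		}
	}
	return accepted, rejected
}

// LoadTargetsFile opens path and feeds it to LoadTargets.
func LoadTargetsFile(path string) ([]Target, []Rejected, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, nil, err
	}
	defer f.Close()
	ok, bad := LoadTargets(f)
	return ok, bad, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: loadtargets <targets-file>")
		os.Exit(2)
	}
	ok, bad, err := LoadTargetsFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "[E]", err)
		os.Exit(1)
	}
	fmt.Printf("[*] Loaded %d target urls\n", len(ok))
	for _, t := range ok {
		fmt.Printf("[*] Target URL: %s\n", t.URL)
	}
	for _, r := range bad {
		fmt.Printf("[W] line %d skipped (%s): %s\n", r.Line, r.Reason, r.Text)
	}
}
```

Run it as `go run loadtargets.go hackerone.com.txt`; the reporter's file (all https URLs with `FUZZ` values) loads cleanly, while a file whose only line is `test` prints one `[W]` line carrying the same scheme error the issue shows rather than a silent zero.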

DEMON1A (Author) commented Oct 28, 2020

It's just Wayback URLs with parameters, and their value is FUZZ. All of them are HTTP and HTTPS, but not all of them are live URLs.

DEMON1A (Author) commented Oct 28, 2020

Here's an example from the real file.

[root@demonia]:~/tools/ParamSpider/output - cat hackerone.com.txt | head
https://hackerone.com/sirmatrix?disclosed=FUZZ
https://www.hackerone.com/sites/default/files/styles/large/public/hpsr-facts.png?itok=FUZZ
https://hackerone.com/mjangda?disclosed=FUZZ
https://hackerone.com/sanjogpanda?disclosed=FUZZ
https://hackerone.com/zerohat?disclosed=FUZZ
https://hackerone.com/todayisnew?sort_type=FUZZ
https://hackerone.com/monero/policy_versions?change=FUZZ
https://hackerone.com/laceratus?disclosed=FUZZ
https://hackerone.com/hacktivity?sort_type=FUZZ
https://www.hackerone.com/sites/default/files/styles/medium/public/unnamed-4.jpg?itok=FUZZ

DEMON1A (Author) commented Oct 28, 2020

Also, sorry about the "lol". The test file in the second results was called lol, but I changed it to test in the issue and forgot to edit lol in the results. My bad.

hahwul (Owner) commented Oct 29, 2020

@DEMON1A
Oh, is that settled? That's a relief!

DEMON1A (Author) commented Oct 29, 2020

Oh, sorry about that, you didn't quite understand me. The "lol" word in the results is the same as the file name; I just changed the filename from lol to test while adding the results to the issue. BTW, I downloaded the source code and ran it with go without building it. The tool seems to be working when used via the source, but in the binary it doesn't handle it well. I don't really think it's an issue in your code; Go is a new language, it might contain a lot of issues. Here are the testing results.

[root@demonia]:~/Dief/Coding/dalfox - go run dalfox.go file test.txt

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 3 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[I] Found 2 testing point in DOM Mining
[*] Static analysis done ✓ routines 
 ◤  URLs(1 / 3) :: Waiting routines ^Csignal: interrupt
[root@demonia-:~/Dief/Coding/dalfox - ^C
[root@demonia]:~/Dief/Coding/dalfox - dalfox file test.txt 

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 0 target urls
[root@demonia]:~/Dief/Coding/dalfox - 

I think as a quick fix I won't use the binary anymore. I will create a bash alias that runs dalfox from the source code itself in the ~/Tools directory. I'm sorry for wasting your time with that; I should have tested the source earlier.

hahwul (Owner) commented Oct 29, 2020

Hi @DEMON1A
Oh, I just triggered it too! Is it a binary installed with snapcraft?

My test log:

$ dalfox file samples/sample_target.txt
  • builded binary (go build)
  • builded binary (go get / go install)
  • from snapcraft
  • from homebrew

And if it's snapcraft, it could be about permissions. Snapcraft is very strict about permissions. I'll look into it more! Thank you very much.

DEMON1A (Author) commented Oct 29, 2020

I installed the tool using go get, as root on my VPS. I didn't use snapcraft.

hahwul added a commit that referenced this issue Oct 29, 2020
hahwul (Owner) commented Oct 30, 2020

@DEMON1A
It's weird... because it's all (go get / go build / go run / go install) in the same environment.

As you can see from the above commit, I did find a problem with snapcraft, so I just proceeded with an additional patch.

First of all, if you had installed it with go get, it would have been built at the path ~/go/bin/dalfox, so please test it again with the tool at that path.

hahwul (Owner) commented Oct 30, 2020

@DEMON1A
First of all, I just released the revised v2.2.1 (fixed a similar issue to this one, snapcraft only). The snap version of dalfox may have been installed by other tools, so please check it with a light heart!

If it's not installed:

$ sudo snap refresh dalfox
snap "dalfox" is not installed

If it is installed:

$ sudo snap refresh dalfox

updating...

DEMON1A (Author) commented Oct 31, 2020

Hi @hahwul

I just tested it with snap now on the new version. It works fine now without any problems, and it loads the file content.

[root@demonia]:~ - echo "https://slack.com/" > test.txt
[root@demonia]:~ - dalfox file test.txt 

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: https://slack.com/
[*] Vaild target [ code:302 / size:0 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[I] Found 2 testing point in DOM Mining

spook95 commented Oct 31, 2020 via email

DEMON1A (Author) commented Nov 3, 2020

Just another update here.

go get was working, but the problem was that a dalfox binary was already in my VPS's snap directory and I didn't notice it. So when I installed dalfox using go get, the system didn't use the go binary but used the snap one instead. There's really no problem with the go binary. Sorry about that; I didn't know that someone had installed dalfox on the VPS before.
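The root cause turned out to be PATH shadowing: two copies of `dalfox` were installed (one via snap, one via `go get`), and the shell resolved the older one. A `type -a dalfox` in the shell lists every copy in lookup order; the following Go program, added here as an example and not part of dalfox, does the same thing programmatically so the check can be scripted on a VPS before trusting that a freshly installed tool is the one that runs. The function names (`FindAllOnPath`, `IsShadowed`, `ShadowReport`) are assumptions made for this example, and the program checks the executable bit the way a POSIX shell does.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// FindAllOnPath returns every regular, executable file called name found in
// the directories of pathEnv (a PATH-style list), in lookup order. The first
// entry is the one a shell would run; every later entry is shadowed by it.
func FindAllOnPath(name, pathEnv string) []string {
	var found []string
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH element means the current directory
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate) // follows symlinks, e.g. /snap/bin/<tool>
		if err != nil || !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
			continue
		}
		found = append(found, candidate)
	}
	return found
}

// IsShadowed reports whether more than one copy of name is on pathEnv, i.e.
// whether the copy that runs might not be the one that was just installed.
func IsShadowed(name, pathEnv string) bool {
	return len(FindAllOnPath(name, pathEnv)) > 1
}

// ShadowReport renders the lookup result as a short human-readable summary.
func ShadowReport(name, pathEnv string) string {
	all := FindAllOnPath(name, pathEnv)
	switch len(all) {
	case 0:
		return fmt.Sprintf("%s: not found on PATH\n", name)
	case 1:
		return fmt.Sprintf("%s: %s (only copy)\n", name, all[0])
	}
	var b strings.Builder
	fmt.Fprintf(&b, "%s: %s runs; shadowed copies:\n", name, all[0])
	for _, p := range all[1:] {
		fmt.Fprintf(&b, "  %s\n", p)
	}
	return b.String()
}

func main() {
	name := "dalfox"
	if len(os.Args) > 1 {
		name = os.Args[1]
	}
	fmt.Print(ShadowReport(name, os.Getenv("PATH")))
}
```

With a snap copy in /snap/bin and a `go get` copy in ~/go/bin, the report names the snap binary as the one that runs and lists ~/go/bin/dalfox under "shadowed copies", which is the situation described in this thread; fixing it means either removing the stale copy or putting ~/go/bin earlier in PATH.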

hahwul (Owner) commented Nov 18, 2020

@DEMON1A
I don't think there's anything special, so I'll close the issue! If you have a problem, please open it again!
Cheers :D

hahwul closed this as completed Nov 18, 2020

spook95 commented Nov 18, 2020 via email
