FEEDBACK: Include More Payloads #18
Comments
Hi @Nishantbhagat57,
This tool was created for my own research and use cases in the first place. I felt like the approach of taking the console output into account when searching for client-side vulnerabilities would be of interest to others, which led me to the decision to publish this tool. It is by no means "production-ready". This is v0.0.1 - the very first "useful" version.
As outlined in the README, the tool comes with a basic set of payloads. Feel free to add your own! For instance, when adding the following payload to the [
"\"/autofocus/onfocus=\"alert``"
]
This is a good hint. I will consider adding more payloads and test them against test benches such as sudo.co.il/xss/.
Again, this partly depends on the payloads you use. But I agree, maybe it would be useful to hook another additional function within DOM that could be used to identify XSS. At the moment, I explicitly hook [...]
// Hook the alert() function within the page and expose helper function
await page.exposeFunction('alert', (message) => {
  printColorful('turquoise', `[+] alert() triggered for Payload ${currentPayload}: ${message}`)
})
[...] I will look into this, too, next week. Best regards, Lauritz
Hi there! I added a custom
Before making a tool, first do some research: will this be better than any other tools available?
I really had huge hopes with this tool as this one is made using nodejs. But it can't even detect a simple XSS.
For your proof:
domscan.MP4
The XSS was: http://sudo.co.il/xss/level4.php?email=%22autofocus/onfocus=javascript:window.onerror=prompt;throw[1]%20c=%22
At least it should pass all the XSS challenges of http://sudo.co.il/xss/ only then I can think of using this one over the others.
And please understand, most modern websites have an XSS mechanism in place that automatically blocks the alert keyword.
prompt is the new alert :)
Please take my words as valuable feedback, and I will be waiting for the next release :)
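The coverage gap raised in this thread, as an added example that is not the tool's code and not part of either comment: it runs the two payload handler bodies quoted above in a Node.js `vm` context standing in for a page, and compares an alert-only hook set with one that also records `prompt` and `confirm`. The names `DIALOG_SINKS`, `SAMPLES`, `runWithHooks` and `coverage` are assumptions, and the `window.onerror` handling is a simplified emulation of browser behaviour.

```javascript
const vm = require('node:vm');

// Dialog functions a scanner can observe; the hook quoted above covers only alert().
const DIALOG_SINKS = ['alert', 'prompt', 'confirm'];

// Handler bodies copied from the two payloads quoted in this thread.
const SAMPLES = {
  'alert``': 'alert``',
  'onerror=prompt': 'javascript:window.onerror=prompt;throw[1]',
};

// Run one handler body in an isolated context (constructed stand-in for a page)
// where the hooked dialog functions record their calls.
function runWithHooks(handlerBody, hookedNames) {
  const calls = [];
  const sandbox = {};
  sandbox.window = sandbox; // let window.x and bare x refer to the same object
  for (const name of DIALOG_SINKS) {
    // An unhooked sink is a silent no-op: the dialog fires but nobody records it.
    sandbox[name] = hookedNames.includes(name)
      ? (...args) => { calls.push({ sink: name, args: args.map(String) }); }
      : () => {};
  }
  vm.createContext(sandbox);
  try {
    vm.runInContext(handlerBody, sandbox, { timeout: 100 });
  } catch (err) {
    // Simplified emulation of the browser's uncaught-error path: call
    // window.onerror, if the handler assigned one, with the thrown value.
    if (typeof sandbox.onerror === 'function') sandbox.onerror(String(err));
  }
  return calls;
}

// Which sinks does a given hook set observe for each sample?
function coverage(hookedNames) {
  const result = {};
  for (const [label, body] of Object.entries(SAMPLES)) {
    result[label] = runWithHooks(body, hookedNames).map((c) => c.sink);
  }
  return result;
}

console.log('alert only :', JSON.stringify(coverage(['alert'])));
console.log('all dialogs:', JSON.stringify(coverage(DIALOG_SINKS)));
```

In a Puppeteer-driven scan, the `page.on('dialog', ...)` event reports alert, confirm and prompt dialogs alike, so the scanner does not have to hook each function by name.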