False negative report

[Hipapheralkus]

Hi,
I wanted to use XSStrike on XSS I found, but it didn't recognize it. As you can see on the piucture, it's a very simple GET with a single parameter returned in the response. No WAF, no output encoding, no session required.

[s0md3v]

Hi there,

This seems like a serious bug.
I know I am asking for too much but can you mail me the website you are testing so I can see what's wrong?
Thanks.

[Hipapheralkus]

I'm afraid I can't do that, as it is an internal application without access to the internet

[s0md3v]

Ah alright, do you have a twitter or telegram? I need some debugging output from your side to figure out what's wrong.

[s0md3v]

This issue will be closed after 24 hours due to inactivity :)

[s0md3v]

Time's up :)

[gauravlinux]

if ( /world101.cfr.org/.test(window.location.href) ) {

[-] WAF detected: CloudFlare Web Application Firewall (CloudFlare)
[!] Testing parameter: keywords
[!] Reflections found: 2
[] Analysing reflections
[] Generating payloads
[!] Payloads generated: 5
~] Progress: 5/5
payload ?????