ALL XSS Checks Missing this vulnerable issue


kxcode

29 Nov, 2016 07:15 AM

Arachni can't find an XSS like this:

<?php
// Reflects the request parameter unencoded, prefixed with a literal '<>'.
print '<>'.@$_GET['test'];

Maybe some exception occurred in Arachni::Parser?

  1. Support Staff 1 Posted by Tasos Laskos on 29 Nov, 2016 02:49 PM


    Which version are you using?

  2. Support Staff 2 Posted by Tasos Laskos on 29 Nov, 2016 02:57 PM


    Nevermind, I'm guessing the nightlies.
    The issue has been forwarded to the relevant dependency: https://github.com/ohler55/ox/issues/158

  3. 3 Posted by kxcode on 30 Nov, 2016 02:02 AM


    I'm using the nightlies.

    The find_proof part in the XSS check's source code looks like this:

    # Returns the injected element as proof of the XSS, or nil when it is
    # absent or would not be rendered as an element by a browser.
    def self.find_proof( resource )
        # Stage 1: cheap substring test; bail out early if the tag name
        # never appears in the response body.
        return if !resource.body.has_html_tag?( self.tag_name )

        # Stage 2: parse the body, keeping only the tag of interest and
        # textarea, and stop at the first occurrence of the tag.
        proof_nodes = Arachni::Parser.parse(
            resource.body,
            whitelist:     [self.tag_name, 'textarea'],
            stop_on_first: [self.tag_name]
        ).nodes_by_name( self.tag_name )

        return if proof_nodes.empty?

        # A tag inside <textarea> is plain text in a browser, so it is
        # not accepted as proof.
        proof = proof_nodes.find do |e|
            e.parent.name != :textarea
        end

        return if !proof

        proof
    end
    

    And I wonder why Arachni can't recognize this XSS issue with
    "return if !resource.body.has_html_tag?( self.tag_name )". This XSS case is quite simple, I think; it doesn't even need to parse the response HTML document with Ox. Does just using a regex not work?

  4. Support Staff 4 Posted by Tasos Laskos on 01 Dec, 2016 11:18 AM


    Regexps only work as a first-stage optimization to see if the node, as a substring, is at least present in the HTML code; to verify the existence of the node you need to properly parse the document.
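
To make the two-stage logic above concrete, here is an added example in Ruby (written for this page; it is not Arachni's or Ox's code). It pairs a cheap regex pre-check, in the role of has_html_tag?, with a small forgiving tag scanner that stands in for Arachni::Parser. The scanner applies the browser tokenizer rule that "<" only opens a tag when it is followed by a letter, so the literal '<>' emitted by the PHP snippet in the opening post is treated as text instead of derailing the scan, and it skips the content of textarea (and the other raw-text elements listed), which is the same exclusion find_proof makes by checking the parent. The module name, the tag name xss_proof_tag, and the element lists are assumptions for illustration, not what Arachni injects or how it parses.

```ruby
# Added example, not Arachni/Ox code. A two-stage XSS proof check:
# regex pre-filter, then a forgiving tag scan standing in for a real parser.
module XssProof
  Node = Struct.new(:name, :parent)

  # Elements whose content browsers treat as raw text: a tag written inside
  # them never becomes an element, so it cannot be proof. (Illustrative list.)
  RAW_TEXT = %w[textarea title script style].freeze
  # Elements that never have children and therefore never need a close tag.
  VOID = %w[area base br col embed hr img input link meta source track wbr].freeze

  # "<" opens a tag only when followed by an ASCII letter; otherwise it is
  # literal text. That rule is what makes "<>" harmless to the scan.
  TAG = /\A<(\/?)([a-zA-Z][a-zA-Z0-9_-]*)([^>]*)>/

  # Stage 1: substring test only. Cannot distinguish a real element from the
  # same text inside <textarea>, which is why stage 2 exists.
  def self.mentions_tag?(body, tag)
    !!(body =~ /<#{Regexp.escape(tag)}(?=[\s\/>])/i)
  end

  # Stage 2: linear scan yielding (name, parent) for elements a browser
  # would actually create.
  def self.elements(body)
    nodes, stack, i = [], [], 0
    while (i = body.index('<', i))
      m = TAG.match(body[i..-1])
      unless m
        i += 1            # stray "<" (as in "<>") is text: keep scanning
        next
      end
      closing, name, rest = m[1] == '/', m[2].downcase, m[3]
      i += m[0].length
      if closing
        if (at = stack.rindex(name))
          stack.slice!(at..-1)   # close this element and anything left open in it
        end
      else
        nodes << Node.new(name, stack.last)
        if RAW_TEXT.include?(name)
          # Everything up to the matching end tag is text, not markup.
          close = body.index(/<\/#{name}\s*>/i, i)
          i = close || body.length
        elsif !(VOID.include?(name) || rest.end_with?('/'))
          stack << name
        end
      end
    end
    nodes
  end

  # Same shape as the quoted find_proof: substring check, parse, then accept
  # only an element that a browser would render as one.
  def self.find_proof(body, tag)
    return nil unless mentions_tag?(body, tag)
    elements(body).find { |n| n.name == tag.downcase }
  end
end

if __FILE__ == $0
  # Constructed response bodies; "xss_proof_tag" is a made-up placeholder.
  puts XssProof.find_proof("<><xss_proof_tag>", "xss_proof_tag").inspect
  puts XssProof.find_proof("<textarea><xss_proof_tag></textarea>", "xss_proof_tag").inspect
end
```

The first body reproduces the '<>' prefix from the PHP snippet and still yields a proof node; the second shows why the regex alone is not enough, since mentions_tag? returns true for it while find_proof correctly returns nil. A production parser also has to cope with quoted ">" inside attribute values, comments and CDATA, which this scanner deliberately leaves out.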

  5. 5 Posted by kxcode on 02 Dec, 2016 09:18 AM


    It may miss some issues where the parser parses differently from browsers.
    I guess Ox sax_html() may have some other bugs like this :/

  6. Support Staff 6 Posted by Tasos Laskos on 02 Dec, 2016 01:46 PM


    Not in this test; browsers will behave identically.
    As for bugs, everything has them; Ox parsing has fewer than most alternatives and is faster than all of them.

  7. 7 Posted by kxcode on 05 Dec, 2016 03:24 AM


    All right, as for bugs, everything has them. :P

  8. Support Staff 8 Posted by Tasos Laskos on 29 Dec, 2016 08:16 AM


    Fixed in the nightlies.

  9. Tasos Laskos closed this discussion on 29 Dec, 2016 08:16 AM.
