DOM-XSS Detection

ShaunS

25 May, 2016 07:10 PM

Hi,
Firstly thanks for the great scanner, clearly lots of effort has gone into its design.

I am evaluating its DOM-XSS scanning ability and was wondering if it's expected behaviour not to detect DOM XSS with the following JS on a web page:

<script>
  document.write(location.hash.substring(1));
</script>

If this is expected behaviour is there anything I can configure to enable the detection?

The command I am using to run the scanner is :

./arachni http://192.168.13.135/xsstest.php --checks=xss*

Thanks,

Shaun
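The `document.write(location.hash.substring(1))` sink from the question, modelled beside a hardened form as an added example; this is not code from the thread or from Arachni, and the fragment value and the tiny DOM stand-in are constructed so it runs under Node:

```javascript
// Added example (not from the thread or from Arachni): why the sink in the
// question is DOM XSS, and what the page-side fix looks like.  A URL fragment
// is attacker-controlled input; writing it into the document as markup is a
// sink, writing it as text is not.  The browser DOM is modelled with strings
// so the functions can be exercised outside a browser.

// HTML-escape the characters that change meaning when text lands in markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern from the question: returns exactly what
// document.write() would receive, i.e. the raw fragment as markup.
function renderHashVulnerable(hash) {
  return hash.substring(1);
}

// Hardened pattern A: still written with document.write(), but escaped first,
// so the fragment can only ever render as literal text.
function renderHashSafe(hash) {
  return escapeHtml(hash.substring(1));
}

// Hardened pattern B (preferred): assign to textContent instead of writing
// markup.  Modelled as a stand-in element; what it holds is never parsed.
function renderHashAsText(hash) {
  const el = { textContent: '' };
  el.textContent = hash.substring(1);
  return el.textContent;
}

// Cheap detection check for tests: does the value that reaches the document
// contain something that would be parsed as a tag?
function looksLikeMarkup(s) {
  return /<[a-z!\/]/i.test(s);
}

// Constructed fragment carrying markup, as a scanner or tester would supply.
// Note: some browsers percent-encode '<' and '>' in location.hash, so browser
// encoding is incidental and not a defence; the page must escape or use text.
const SAMPLE_HASH = '#<img src=x onerror=alert(1)>';
```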

  1. Posted by ShaunS on 25 May, 2016 07:12 PM

    Ah looks like js got stripped, here is the code again:
    document.write(location.hash.substring(1));

  2. Support Staff: Posted by Tasos Laskos on 25 May, 2016 07:57 PM

    Hello,

    There's no direct input vector for the location hash in Arachni.
    That issue would only be detected if it could somehow get triggered by interacting with the webapp's interface.

    Let's say for example that the hash value was set to the value of a text input after clicking a button.
    Then the text input would be logged as vulnerable.

    Cheers

  3. Posted by ShaunS on 25 May, 2016 08:51 PM

    Hi Tasos,

    Thanks for the quick response.

    I added another page with a link to the xsstest.php which contained the location.hash:
    Link to xss

    The scanner was still unable to find the xss?

  4. Support Staff: Posted by Tasos Laskos on 25 May, 2016 08:59 PM

    For that case you'll need to specify a link template.

    By default the system can only deal with hashes that look like:

    http://example.com/#/?param=val&param2=val2
    
  5. Tasos Laskos closed this discussion on 03 Aug, 2016 02:27 PM.
