Arachni: Discussion (support.arachni-scanner.com), question 13343: Reflected XSS not detected. Last updated 2017-06-16T02:41:42Z.

Piyush Mittal (2017-05-17T15:19:31Z):
<div><p>Hello,</p>
<p>I had a normal (form-based) POST request and the response is a JSON object. The Content-Type in the response is set to text/html. One parameter in the request is vulnerable to reflected XSS. Although Arachni did the right XSS testing and the input was reflected back in the response, it didn't report any issue. I believe this is due to the fact that a pop-up is not generated in the browser. Can you confirm if this is indeed the case?</p></div>

Tasos Laskos (2017-05-17T15:44:38Z):
<div><p>It's hard to tell without a test case; could I be allowed access to that site to see what's going on?</p></div>

Piyush Mittal (2017-05-18T09:06:20Z):
<div><p>Unfortunately, I can't give you access. However, I will try to provide as much info as possible. Attached is a redacted request and response as sent by the Arachni scanner. XSS is not reported.</p></div>

Tasos Laskos (2017-05-18T13:17:21Z):
<div><p>The JSON by itself is useless, you don't know where it'll end up, so auditing the POST vector itself doesn't do much good.</p>
<p>The way this should have been identified would be as a DOM XSS, by inputting the payload in some page input (or textarea etc.) and then triggering a submission of the payload by some DOM event (clicking a button or something); then, if by whatever way (AJAX for example) the payload ends up in the DOM tree, the issue should have been logged.</p>
<p>If the XSS is in a pop-up that could be why it's missed, I'll try some tests and let you know.</p></div>

Piyush (2017-05-23T02:18:41Z):
<div><p>Can't Arachni report such cases as "input reflected back in response" if not XSS? Currently, all of this is going unnoticed.</p>
<p>I don't think this could have been identified via DOM XSS. I captured the request using Burp and entered the payload. It was reflected back; however, the payload didn't execute.</p>
<p>The way I see it getting exploited is via an HTML form. If you create an HTML form, then because the response is text/html, the XSS is executed.</p></div>

Tasos Laskos (2017-05-25T09:54:54Z):
<div><p>I don't think it works like that, the JSON needs to be parsed and its data placed in the DOM via JS; just being returned as HTML doesn't do anything.</p>
<p>This would be a DOM XSS case but without a test case I can't see what went wrong.</p>
<p>As for simply identifying sinks for taints, that could be useful, I'll keep it in mind for a future check or maybe plugin.</p></div>

rgutie01 (2017-06-15T00:26:39Z):
<div><p>Looking at Piyush's HTTP request example, it should be an executable XSS as is, without needing to be read by the DOM, due to the text/html response content type. This is something that Arachni should be flagging; it's a pretty generic XSS.</p></div>

Piyush Mittal (2017-06-15T05:09:56Z):
<div><p>Exactly my point. I would say to flag it even if the content type is not HTML, with low risk. I have seen XSS in the case of an application/json content type too, where client-side JS did the parsing in an insecure manner.</p></div>

Tasos Laskos (2017-06-15T08:51:43Z):
<div><p>And what happens when the client gets the response, encodes it in JS and then places it in the DOM? Or if it truncates the response and uses only part of it? Or it performs some other computation and ignores it? etc.</p>
<p>It's not that simple.</p></div>

Piyush Mittal (2017-06-15T13:52:10Z):
<div><p>An attacker can simply use an HTML form for exploitation. You are looking at it more from a developer's perspective. It is very easy to exploit XSS for an attacker. Why not flag XSS if the input is reflected back as it is?</p></div>

Tasos Laskos (2017-06-15T14:28:15Z):
<div><p>I replicated your request and response and it turns out that Arachni detects the issue just fine.</p>
<pre>
<code>POST / HTTP/1.1
Host: zonster:4567
Authorization: Basic Og==
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v2.0dev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
X-Arachni-Scan-Seed: 67a6143fbaa23d582db14891567f5b87
Content-Length: 51
Content-Type: application/x-www-form-urlencoded

vuln=1%3Cxss_67a6143fbaa23d582db14891567f5b87%2F%3E

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 86

{
"errorMsg":"Error when submitting 1<xss_67a6143fbaa23d582db14891567f5b87/>"
}{}</code>
</pre>
<p>Like I said, I need a test-case to see what went wrong.</p></div>
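The thread turns on two points: an unencoded reflection in a text/html response is renderable as HTML whatever the body looks like, while the same reflection in application/json is only a taint sink until client-side JS writes it into the DOM (Piyush's suggestion was to still flag it at low risk). As an added illustration, not Arachni's own code, here is a small Ruby triage routine that applies exactly that distinction to a raw HTTP response; the seed is the one from the request/response pair above, and the sample responses are constructed.

```ruby
# Seed and payload taken from the request/response pair posted above.
SEED = 'xss_67a6143fbaa23d582db14891567f5b87'
PAYLOAD = "1<#{SEED}/>"
HTML_TYPES = %w[text/html application/xhtml+xml].freeze

# Minimal HTML entity encoding, enough to recognise an encoded reflection.
def html_encode(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Split a raw HTTP response into [status, headers, body]; header names are
# downcased and the body is everything after the first blank line.
def parse_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  status_line, *header_lines = head.lines.map(&:chomp)
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [status_line.split[1].to_i, headers, body.to_s]
end

# Triage how the injected payload came back. Returns a severity/reason hash,
# or nil when the payload is not in the body at all.
def classify_reflection(raw_response, payload = PAYLOAD)
  _status, headers, body = parse_response(raw_response)
  mime = headers.fetch('content-type', '').split(';').first.to_s.strip.downcase
  if body.include?(payload)
    if HTML_TYPES.include?(mime)
      # The browser renders this as HTML whatever the body looks like, so a
      # verbatim tag in the body is a reflected XSS (the thread's case).
      { severity: :high, reason: "payload reflected unencoded in #{mime}" }
    elsif mime.empty?
      { severity: :medium, reason: 'no Content-Type; browser may sniff body as HTML' }
    else
      # Non-HTML type (e.g. application/json): only exploitable once client
      # JS writes it into the DOM, so report it as a taint sink at low risk.
      { severity: :low, reason: "payload reflected unencoded in #{mime}; needs a DOM sink" }
    end
  elsif body.include?(html_encode(payload))
    { severity: :info, reason: 'payload reflected HTML-encoded' }
  end
end

# Constructed sample responses modelled on the one posted in the thread.
HTML_JSON = "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=utf-8\r\n" \
            "X-Content-Type-Options: nosniff\r\n\r\n" \
            "{\n\"errorMsg\":\"Error when submitting #{PAYLOAD}\"\n}"
JSON_ONLY = HTML_JSON.sub('text/html;charset=utf-8', 'application/json')
ENCODED   = HTML_JSON.sub(PAYLOAD, html_encode(PAYLOAD))
```

Running `classify_reflection(HTML_JSON)` reports the thread's text/html case as high, while `JSON_ONLY` comes back as the low-risk taint sink Piyush asked for.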