XSS Not Detected
I cannot get the scanner to find the XSS vulnerability we made on purpose. The code below will allow you to execute XSS but I can't get the scanner to find it. Am I doing something wrong with the scanner profile? I have tried the default and XSS profile and it doesn't find it. We are scanning this from a Linux machine to an app server hosted on another machine.
Insert into DOM
1 Posted by JL on 20 May, 2015 09:17 PM
Attached the example index.html file.
2 Posted by JL on 20 May, 2015 09:20 PM
The index.html page attached above will allow you to type in script to create a popup, we thought the scanner would find this. Example script in attached screenshot.
Support Staff 3 Posted by Tasos Laskos on 21 May, 2015 04:25 AM
Hello,
Since these 2 elements don't have any clear association with each other the current checks don't audit them.
For example, if the button was a submit to a form or the document.write was triggered by an event on the input then the issue would be identified. Creating event permutations on the entire interface could very well result in an unworkable amount of operations.
Although, I suppose cases such as you describe do happen and operating on a best effort basis would be better than nothing, so I'll write a check to cover these as well as possible.
I'll let you know once I've got a nightly you can test.
Cheers
Support Staff 4 Posted by Tasos Laskos on 21 May, 2015 04:14 PM
Done: https://github.com/Arachni/arachni/commit/512ebfcbfd7844488ab3204e0...
You can try it in the nightlies: https://sourceforge.net/projects/arachni/files/nightlies/
Thanks for the feedback.
Cheers
Tasos Laskos closed this discussion on 21 May, 2015 04:14 PM.
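
A sketch of the best-effort idea from reply 3, added here as an example; it is not Arachni's check and not the attached index.html. Every input is seeded with a unique marker, each clickable element is fired once, and any marker that reaches document.write unencoded is reported, so the cost grows with the number of clickables rather than with event permutations. The page model, element names and marker format are constructed for illustration.

```javascript
// HTML-encode the characters that matter in element and attribute context.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Constructed page model: inputs and buttons with no form or shared event
// linking them, plus a recorder standing in for document.write.
function buildPage() {
  const sink = [];
  const page = {
    inputs: { comment: { value: '' }, search: { value: '' } },
    document: { write: (html) => sink.push(String(html)) },
    clickables: {},
    sink,
  };
  // Vulnerable handler: writes the raw input value into the document.
  page.clickables.insertBtn = () =>
    page.document.write(page.inputs.comment.value);
  // Safe handler: encodes before writing.
  page.clickables.searchBtn = () =>
    page.document.write(escapeHtml(page.inputs.search.value));
  return page;
}

// Seed all inputs, fire one clickable per fresh page, then look for any
// seed that arrived at the sink byte-for-byte (i.e. without encoding).
function auditOrphanControls(makePage) {
  const findings = [];
  for (const trigger of Object.keys(makePage().clickables)) {
    const page = makePage(); // fresh state so triggers cannot mask each other
    const seeds = {};
    for (const name of Object.keys(page.inputs)) {
      seeds[name] = `<probe-${name}>`; // inert marker, unique per input
      page.inputs[name].value = seeds[name];
    }
    page.clickables[trigger]();
    for (const [name, seed] of Object.entries(seeds)) {
      if (page.sink.some((html) => html.includes(seed))) {
        findings.push({ input: name, trigger });
      }
    }
  }
  return findings;
}

console.log(auditOrphanControls(buildPage));
```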