URI Encoding
I had a question based on some behavior I've seen in testing the scanner. I've noticed that in each of the attack requests the URI is URL-encoded. In some cases, testing without this might be preferable for some XSS attacks against some applications, and from the code that I looked over, it does look like Form.encode is used. I was wondering if there had been any consideration of adding a command line option for enabling/disabling URL-encoding, or trying attacks both ways during a scan? I could see situations in which trying both ways may be preferable in some application scenarios.
Support Staff 1 Posted by Tasos Laskos on 20 Oct, 2015 07:35 PM
It was considered in the past but I must have gotten sidetracked by other issues.
I did a quick test and it looks like it's possible (with a tiny patch to a dependency, but it works).
Would you like to open a feature request for this?
2 Posted by scott_c on 20 Oct, 2015 07:40 PM
Will do. Thank you.
scott_c closed this discussion on 20 Oct, 2015 07:41 PM.
Tasos Laskos closed this discussion on 20 Oct, 2015 09:28 PM.
Tasos Laskos closed this discussion on 03 Nov, 2015 06:39 PM.