stamparm / dsxs Goto Github PK

Hi Miroslav @stamparm, it would be great if you can join to developers of https://github.com/s0md3v/XSStrike
It use some code of sqlmap and will be great if xsstrike will be develop amazing pro coder like you

Hello stamparm! I have some questions when I read your project.

1. Why you using LARGER_CHAR_POOL&SMALLER_CHAR_POOL? why not just one larger pool?
2. In line 63&64, why adding a single quote before the prefix when using LARGER_CHAR_POOL?

that's all, look forward to your reply, thanks.

File "dsxs.py", line 66, in scan_page
for regex, condition, info, content_removal_regex in XSS_PATTERNS:
NameError: global name 'XSS_PATTERNS' is not define

can you support find xss in href?

egg:

<?php
$input= str_replace("\"", "&quot;" ,$_GET['xss']);
$input=str_replace(">","&lt;",$input);
$input=str_replace("<","&gt;",$input);
echo '<a href="';
print($input);
echo '">click<a/>';
?>

http://127.0.0.1/2.php?xss=javascript:alert(1) when click it will has xss vuls。

but DSXS can't find this。

Hello, hope you're well, i would like to discuss about one case that is not triggered by DSXS. Example of php code:

<?php
	echo "<input type=\"text\" name=\"test\" name=\"".str_replace('"','\\"',$_GET['param'])."\"></input>";
?>

The backslash is not interpreted as an escape character in this html context and leads to XSS. Do you agree that this kind of pattern deals with the following regexp in your code:

    (r"<[^>]*=\s*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),
    (r'<[^>]*=\s*"[^>"]*%(chars)s[^>"]*"[^>]*>', ('"',), "'<.\".xss.\".>', inside the tag, inside double-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->"),

If you confirm i can pull request to avoid the mandatory chars to go through the re.sub function for these cases (N.B: _contains function).

Cheers mate.

for example, when using <!--[^>]*%abc|abc[^<]*--> to search <!-- abc--> xxxabc-->
, this regex can capture the last abc--> , but abc--> is not in comment.

root@kali:~/DSXS# python dsxs.py -u "http://www.ccjt.net/search/tosearch.aspx?searchname=hiyoufu&searchtype=1"

Damn Small XSS Scanner (DSXS) < 100 LoC (Lines of Code) #v0.2e
by: Miroslav Stampar (@stamparm)

• scanning GET parameter 'searchname'
• scanning GET parameter 'searchtype'

scan results: no vulnerabilities found

root@kali:~/DSXS# python dsxs.py -u "http://www.ccjt.net/search/tosearch.aspx?searchname=hiyouf&searchtype=1"

Damn Small XSS Scanner (DSXS) < 100 LoC (Lines of Code) #v0.2e
by: Miroslav Stampar (@stamparm)

• scanning GET parameter 'searchname'
  (i) GET parameter 'searchname' appears to be XSS vulnerable ('<.".xss.".>', inside the tag, inside double-quotes, some filtering)
• scanning GET parameter 'searchtype'

scan results: possible vulnerabilities found

good project!!
but, I find this rule will cause false positives:

(r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->") 

egg:
demo.php:

<?php
$input= str_replace("\"", "&quot;" ,$_GET['xss']);
$input=str_replace(">","&lt;",$input);
$input=str_replace("<","&gt;",$input);
echo '<meta name="description" content="';
print($input);
echo '#23578';
print($input);
echo '#23578';
print($input);
echo '#23578"/>';
?>

for help～