Comments (2)
Hi @Nishantbhagat57,
Before making a tool, first do some research. Will this be better than any other tools available?
This tool was created for my own research and use cases in the first place. I felt like the approach of taking the console output into account when searching for client-side vulnerabilities would be of interest to others, which led me to the decision to publish this tool. It is by no means "production-ready". This is v0.0.1 - the very first "useful" version.
But it can't even detect a simple XSS.
As outlined in the README, the tool comes with a basic set of payloads. Feel free to add your own! For instance, when adding the following payload to the payloads.json, the tool detects an alert():
[
"\"/autofocus/onfocus=\"alert``"
]
At least it should pass all the XSS challenges of http://sudo.co.il/xss/. Only then I can think of using this one over the others.
This is a good hint. I will consider adding more payloads and test them against test benches such as sudo.co.il/xss/.
And please understand, most of the modern websites have an XSS mechanism in place that automatically blocks the alert keyword. prompt is the new alert :)
Again, this partly depends on the payloads you use. But I agree, maybe it would be useful to hook another additional function within the DOM that could be used to identify XSS. At the moment, I explicitly hook alert():
[...]
// Hook the alert() function within the page and expose helper function
await page.exposeFunction('alert', (message) => {
  printColorful('turquoise', `[+] alert() triggered for Payload ${currentPayload}: ${message}`)
})
[...]
I will look into this, too, next week.
Best regards,
Lauritz
from domscan.
Hi there!
I added a custom xyz() method and more information regarding custom payloads: https://github.com/lauritzh/domscan/releases/tag/v0.0.2
from domscan.
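The hooking approach discussed in the comments above, extended from alert() to prompt(), confirm() and the custom xyz() marker, as an added example that is not domscan's code. Plain JavaScript functions stand in for what page.exposeFunction would expose, so it runs in Node without a browser; SINKS, makeHooks, runPayload, coverage and the sample scripts are constructed for illustration.

```javascript
// Added example, not domscan code. All names here are hypothetical.
const SINKS = ['alert', 'prompt', 'confirm', 'xyz'];

// One recording hook per sink name: notes which function fired and with what.
function makeHooks(names, payload, hits) {
  return names.map((name) => (message) => {
    // A tagged-template call such as alert`` passes an array of strings
    // as the first argument, so normalise it before logging.
    const text = Array.isArray(message) ? message.join('') : String(message);
    hits.push({ sink: name, payload, message: text });
  });
}

// Run a script body with only `hookedNames` hooked. The remaining sinks
// are shadowed by no-ops, which models a scanner that does not watch them.
function runPayload(script, hookedNames) {
  const hits = [];
  const unhooked = SINKS.filter((n) => !hookedNames.includes(n));
  const fn = new Function(...hookedNames, ...unhooked, script);
  try {
    fn(...makeHooks(hookedNames, script, hits), ...unhooked.map(() => () => {}));
  } catch (err) {
    // A script that throws keeps any hits recorded before the error.
  }
  return hits;
}

// Constructed script bodies, standing in for what an injected handler runs.
const SAMPLES = ['alert``', 'prompt(1)', 'xyz("marker")'];

// Which samples does a given hook set detect?
function coverage(hookedNames) {
  return SAMPLES.filter((s) => runPayload(s, hookedNames).length > 0);
}

console.log('alert only:', coverage(['alert']));
console.log('all sinks :', coverage(SINKS));
```

With only alert hooked, the prompt and xyz samples run without leaving a trace, which is the gap raised in the thread.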