
Payloads Generated by XSStrike not suitable if URLDecoded.

Open mansoorr123 opened this issue 5 years ago • 0 comments

Scenario: XSStrike is generating the payload as: /dvwa/vulnerabilities/xss_d/?default=%3Cscript%3Ealert%28%29%3C%2Fscript%3E

But DVWA in the backend JavaScript uses decodeURI(), which decodes the above payload to: http://192.168.43.53/dvwa/vulnerabilities/xss_d/?default=

Thus the payloads generated by XSStrike are showing false positives in the above scenario (i.e. when the application's JavaScript uses decodeURI). I have also tested this scenario in Mozilla Firefox.

mansoorr123 Dec 07 '19 06:12
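As an added example (not the issue author's or XSStrike's code), this reproduces the decoding step the issue describes: decodeURI() leaves percent-escapes for URI reserved characters (such as %2F) in place, while decodeURIComponent() decodes everything, so a fully URL-encoded value reflected through decodeURI() need not match what a scanner expected to see. The query-string reader is a constructed simulation of "read the parameter, then decode", not DVWA's actual page script.

```javascript
// Added example, not part of the XSStrike project or the original issue.
// Compares how decodeURI() and decodeURIComponent() treat the URL-encoded
// value quoted in the issue.

const ENCODED = "%3Cscript%3Ealert%28%29%3C%2Fscript%3E"; // value from the issue

// Characters whose percent-escapes decodeURI() does not decode
// (the URI "reserved" set plus '#').
const URI_RESERVED = ";/?:@&=+$,#";

// Returns the percent-escapes in `s` that decodeURI() will leave untouched.
function undecodedReservedEscapes(s) {
  const out = [];
  for (const m of s.matchAll(/%[0-9A-Fa-f]{2}/g)) {
    const ch = String.fromCharCode(parseInt(m[0].slice(1), 16));
    if (URI_RESERVED.includes(ch)) out.push(m[0]);
  }
  return out;
}

// Decodes the same value both ways so the results can be compared directly.
function compareDecoders(encoded) {
  return {
    decodeURI: decodeURI(encoded),
    decodeURIComponent: decodeURIComponent(encoded),
    leftover: undecodedReservedEscapes(encoded),
  };
}

// Simulates reading the `default` parameter from a location.search string
// (constructed stand-in for a DOM sink that reads the URL before decoding;
// assumption, not DVWA's real code).
function defaultParamFromSearch(search) {
  const q = search.startsWith("?") ? search.slice(1) : search;
  for (const pair of q.split("&")) {
    const [k, v = ""] = pair.split("=");
    if (k === "default") return v;
  }
  return null;
}

// Constructed sample URL, not a live target.
const raw = defaultParamFromSearch("?default=" + ENCODED + "&lang=en");
console.log(compareDecoders(raw));
```

The `leftover` list is the quick check a tester or defender wants: any escape it reports will still be percent-encoded after decodeURI(), so a reflection in a decodeURI() sink should be judged on the decoded string, not on the encoded payload that was sent.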