XSStrike icon indicating copy to clipboard operation
XSStrike copied to clipboard

Published 20 hours ago verified publisher icon s0md3v

XSStrike misses XSS if server redirects because of lack of cookies

Open SomeKirill opened this issue 3 years ago • 0 comments

Description XSStrike misses XSS if the server redirects because of lack of cookies. During testing XSStike on DVWA I've noticed that XSStrike could not find simple XSS on vulnerabilities/xss_r/?name=payloadHere. So I debugged this tool and found that if the request does not contain cookies, the user will be redirected. As far as I know there are a lot of sites that behave the same way. Setting up cookies for each site is not a solution, as some people use this tool for mass scanning.

To Reproduce

  1. Set up DVWA
  2. python3 xsstrike.py -u http://example.com/vulnerabilities/xss_r/ --param

Screenshots Screenshot of request made by XSStrike and response image

Potential cause or fix Make an initial request and apply the cookie you've got to all following requests.

Environment:

  • OS: Ubuntu 20.04.1
  • Python version: 3.8.5

SomeKirill avatar Dec 16 '20 15:12 SomeKirill