sensepost
Hangs when encountering a page with a JavaScript alert box
Describe the bug When Gowitness attempts to screenshot a page that pops up a JS alert box it hangs indefinitely. There are no errors (when using the debug flag) but the scan will never complete and has to be forcefully ended.
To Reproduce I have encountered this on live systems but reproduced it on a local server, so the example domain in my screenshots will not work but you can set up your own and test.
- On your web server, set up index.html to pop an alert box. For example:
- Run a normal scan: gowitness scan single -u
--screenshot-path /tmp/test -D - It will hang and you'll have to Ctrl-C the SOB.
- Remove the alert from the html and try again, it will work fine.
Expected behavior I'd expect a screenshot or, at the very least, for the timeout to kick in and skip that host. I did try messing with the timeout flag too but it didn't make a difference.
Screenshots The screenshots show the page displaying the alert box in the browser and then running gowitness twice. The first time the JS alert box is present on the page and gowitness has to be stopped. The second run is after it was removed and no JS was on the page.
Version Information:
- OS: Ubuntu 20.04.5 LTS
- gowitness: 3.0.4
- Chromium: 130.0.6723.58 snap
Thanks for the report. That behaviour implies that the alert box handling is not working as expected for chromedp here, and probably for gorod here too then.
is it fixable in gowitness or it requires a fix in chromedp? hanging is quite a big problem
@lappsec how did you address this
This is still an issue, one you can temporarily avoid by using the Go Rod driver with --driver gorod.
This is still an issue, one you can temporarily avoid by using the Go Rod driver with
--driver gorod.
I wish I could. gorod does not work on some Hetzner instances due to something missing in the kernel