dalfox: False positives

Hello again,

I know there has already been one open inquiry regarding false positives, but I am quite a bit more curious about the current situation. Have you personally stumbled upon any? Recently, for instance, I might possibly have got one positive for an XSS but am not sure about it, because in the browser (only tested in the latest Chromium) it doesn't trigger the alert on load. What do you think?

[V] Triggered XSS Payload (found DOM Object): callback='><sVg/onload=alert(45) class=dalfox> 1 line: FUZZ\'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12,"count_tota

My question therefore is: how can we distinguish that? Does it depend on anything?

Thank you very much in advance for your help and comment on this topic.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 15 (8 by maintainers)

Most upvoted comments

If I am not mistaken, it can now be piped to aquatone with the following command.

cat xss-links.txt | dalfox pipe <your other options> --output plain | aquatone -out ~/<your aquatone output>

Sure, this might do.

https://poloniex.com/signup/?c=FUZZ%22+class%3Ddalfox+%22
Triggered XSS Payload (found DOM Object): callback='><sVg/onload=alert(45) class=dalfox>
    1 line:  FUZZ\'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12,"count_tota
https://blog.bitmex.com/api/get_posts/?callback=FUZZ%27%3E%3CsVg%2Fonload%3Dalert%2845%29+class%3Ddalfox%3E&post_type=site_announcement


Thanks to both of you! @phspade @hahwul

Looking forward to your tool, man. I will update mine once there is a new version. Maybe you can also get an idea from this tool. 😃

@ZB83486 Hello again! Well, is the content-type JSON? If I remember correctly, I didn't DOM-verify it when it was JSON. https://github.com/hahwul/dalfox/blob/c9666d4157628aa2182ea727c8efef5444af5ae8/pkg/scanning/ignore.go

Oh, now that I see it, some headers are missing. I’ll add it!

I'm using goquery for the DOM parse for now, and I think I'll need auxiliary code for a tighter inspection. I've been testing the requirements and thinking about it.
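The point raised in the two maintainer comments above (a payload reflected into a JSON/JSONP body is found by a DOM parser but is not rendered as HTML by the browser, so it should not count as a verified XSS) can be made concrete with a Content-Type-aware verdict. The following is an added example written for this thread in Go; it is not dalfox's own code (dalfox's real logic lives in pkg/scanning/ignore.go and uses goquery). It assumes the marker class `dalfox`, a hypothetical `Classify` function, and a regexp as a dependency-free stand-in for the DOM parser; the sample responses are constructed to resemble the JSONP body quoted in the issue.

```go
package main

import (
	"fmt"
	"mime"
	"regexp"
	"strings"
)

// Verdict is the outcome for one reflected payload (hypothetical type, not dalfox's).
type Verdict string

const (
	VerdictDOMVerified   Verdict = "dom-verified"   // HTML body and the marker survives on an element start tag
	VerdictReflectedJSON Verdict = "reflected-json" // JSON/JSONP or script body: text reflection only, triage by hand
	VerdictNotReflected  Verdict = "not-reflected"  // marker absent from the body
	VerdictSkipped       Verdict = "skipped"        // some other media type (image, plain text, ...)
)

// markerRe matches the marker class on an element start tag, e.g.
// <sVg/onload=alert(45) class=dalfox>. A scanner would use a real DOM parser
// (goquery) here; the regexp is an assumption that keeps this example self-contained.
func markerRe(marker string) *regexp.Regexp {
	return regexp.MustCompile(`(?i)<[a-z][^>]*\bclass=["']?` + regexp.QuoteMeta(marker) + `\b`)
}

// mediaType normalises a Content-Type header value to its lower-case media type.
// A missing or unparseable header yields "" and is treated as HTML below,
// because browsers content-sniff such responses (assumption of this example).
func mediaType(contentType string) string {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return strings.ToLower(strings.TrimSpace(strings.Split(contentType, ";")[0]))
	}
	return strings.ToLower(mt)
}

func isHTML(mt string) bool {
	return mt == "" || mt == "text/html" || mt == "application/xhtml+xml"
}

func isJSONLike(mt string) bool {
	switch mt {
	case "application/json", "text/json", "application/javascript",
		"text/javascript", "application/x-javascript":
		return true
	}
	return strings.HasSuffix(mt, "+json")
}

// Classify decides what a marker hit in the response body is worth, given the
// response Content-Type. Only an HTML body earns the "dom-verified" verdict.
func Classify(contentType, body, marker string) Verdict {
	mt := mediaType(contentType)
	found := markerRe(marker).MatchString(body)
	switch {
	case isHTML(mt):
		if found {
			return VerdictDOMVerified
		}
		return VerdictNotReflected
	case isJSONLike(mt):
		if found {
			return VerdictReflectedJSON
		}
		return VerdictNotReflected
	default:
		return VerdictSkipped
	}
}

// Constructed sample responses (not captured from any real host).
var (
	htmlHit  = `<p>Search results for: FUZZ'><sVg/onload=alert(45) class=dalfox></p>`
	jsonpHit = `FUZZ'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12})`
)

func main() {
	fmt.Println(Classify("text/html; charset=utf-8", htmlHit, "dalfox"))  // dom-verified
	fmt.Println(Classify("application/json", jsonpHit, "dalfox"))         // reflected-json
	fmt.Println(Classify("text/plain", jsonpHit, "dalfox"))               // skipped
	fmt.Println(Classify("text/html", "<p>nothing here</p>", "dalfox"))   // not-reflected
}
```

The "reflected-json" verdict is deliberately not "safe": an unsanitised JSONP callback loaded through a `<script src=...>` tag is still worth a manual look, which is the pipelining to other tools that the thread suggests. It is only the automatic DOM-verified claim that the Content-Type check withholds.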

As @phspade says, it would be better to pipeline it with additional tools.

If there is a way to pipe it into aquatone, then false positives will be lessened 👍