248 check for xss eg using httpsgithubcomhahwuldalfox #1251
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…of github.com:CERT-Polska/Artemis into 248-check-for-xss-eg-using-httpsgithubcomhahwuldalfox
kazet
reviewed
Sep 6, 2024
.readthedocs.yaml
Outdated
| version: 2 | ||
|
|
||
| build: | ||
| os: ubuntu-20.04 |
kazet
reviewed
Sep 6, 2024
| Running a report with data generated using the Dalfox tool, which scans URLs for XSS vulnerabilities. | ||
| """ | ||
|
|
||
| XSS_VULNERABILITY = ReportType("xss_vulnerability") |
kazet
reviewed
Sep 6, 2024
| {% trans trimmed %}In the URL{% endtrans %} <em>{{ message.url }}</em> | ||
| {% trans trimmed %}we identified an xss vulnerability in the parameter:{% endtrans %} | ||
| <b>{{ message.param }}</b> {% trans trimmed %}in{% endtrans %} {{ message.evidence }}. | ||
| {% trans trimmed %}Based on the Dalfox documentation, the{% endtrans %} <b>{{ message.type_name }}</b> {% trans trimmed %}type (Proof of Concept) was detected.{% endtrans %} |
There was a problem hiding this comment.
nuke this line, as nobody knows what these types mean ;)
kazet
reviewed
Sep 6, 2024
| <li> | ||
| <p> | ||
| {% trans trimmed %}In the URL{% endtrans %} <em>{{ message.url }}</em> | ||
| {% trans trimmed %}we identified an xss vulnerability in the parameter:{% endtrans %} |
kazet
reviewed
Sep 6, 2024
| <p> | ||
| {% trans trimmed %}In the URL{% endtrans %} <em>{{ message.url }}</em> | ||
| {% trans trimmed %}we identified an xss vulnerability in the parameter:{% endtrans %} | ||
| <b>{{ message.param }}</b> {% trans trimmed %}in{% endtrans %} {{ message.evidence }}. |
There was a problem hiding this comment.
write some info what XSS is. Some inspiration:
"Cross-Site Scripting, umożliwiającą atakującemu spreparowanie linku, który, po kliknięciu przez administratora, wykona dowolną akcję z jego uprawnieniami (taką jak np. modyfikacja treści)."
kazet
reviewed
Sep 6, 2024
docker-compose.test.yaml
Outdated
| @@ -196,6 +196,14 @@ services: | |||
| volumes: | |||
| - ./test/reporting/data/bruteable_files/htpasswd/:/var/www/html/ | |||
|
|
|||
| test_apache-with-sql-injection-xss: | |||
kazet
reviewed
Sep 6, 2024
test/data/dalfox/xss.php
Outdated
| <input type="submit" value="Wyślij"> | ||
| </form> | ||
|
|
||
| <!-- Wyświetlanie wprowadzonego imienia --> |
kazet
reviewed
Sep 6, 2024
test/modules/test_xss_by_dalfox.py
Outdated
| def test_dalfox_on_xss_page(self) -> None: | ||
| task = Task( | ||
| {"type": TaskType.SERVICE.value, "service": Service.UNKNOWN.value}, | ||
| payload={"url": "http://test_apache-with-sql-injection-xss/xss.php"}, |
There was a problem hiding this comment.
we shouldn't test some internal pages - we should test whether this module crawls on its own
kazet
deleted the
248-check-for-xss-eg-using-httpsgithubcomhahwuldalfox
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First version of Dalfox integration with Artemis.