
Dalfox fails to detect DOM XSS with innerHTML sink and postMessage DOM XSS #412

Open
ajmal-rzp opened this issue Oct 3, 2022 · 5 comments
Labels: bug (Something isn't working)

ajmal-rzp commented Oct 3, 2022

Describe the bug

I ran dalfox on the following vulnerable application:

const express = require('express')
const app = express()
const port = 3000

// Deliberately vulnerable test page: both handlers below assign untrusted input
// straight to innerHTML, so there is nothing for a server-side reflection check to see.
app.get('/', (req, res) => {
  res.send(`
    <html>
    <body>

      <h1> DOM XSS </h1>
      <i> input field -> dom innerHTML </i><br>
      <input type=text width=20 id=source1><br>
      <p> You typed: <span id=sink1></span></p>
      <script>
        // Source: whatever is typed into #source1. Sink: innerHTML, no encoding.
        document.getElementById('source1').addEventListener('input', (e)=>{
          document.getElementById('sink1').innerHTML=e.target.value;
        })
      </script>

      <h1> postMessage DOM XSS </h1>
      <i> postmessage -> dom element innerHTML </i><br>
      <p> Message received: <span id=sink2></span></p>
      <script>
        // Source: postMessage data from any window (e.origin is never checked). Sink: innerHTML.
        window.addEventListener('message', (e)=>{
          document.getElementById('sink2').innerHTML=e.data;
        })
      </script>
    </body>
    </html>
  `);
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

command:

dalfox url http://localhost:3000/ --deep-domxss --output-all --report

output:

🎯  Target                 http://localhost:3000/
🏁  Method                 GET
🖥   Worker                 100
🔦  BAV                    true
⛏   Mining                 true (Gf-Patterns)
🔬  Mining-DOM             true (mining from DOM)
⏱   Timeout                10
📤  FollowRedirect         false
🕰   Started at             2022-10-03 17:27:24.945134 +0530 IST m=+0.017429880

 >>>>>>>>>>>>>>>>>>>>>>>>>
[*] 🦊 Start scan [SID:Single] / URL: http://localhost:3000/
[I] Found 1 testing point in DOM base parameter mining
[I] Content-Type is text/html; charset=utf-8
[I] Reflected PATH '/dalfoxpathtest' => Injected: /inHTML-none(1)]
[*] ----------------------------------------------------------------------------------------------------------------------------------------------
[*] [duration: 2.071994303s][issues: 0] Finish Scan!
[*] Report

[ Information ]
+ Start: 2022-10-03 17:27:24.945654 +0530 IST m=+0.017949645
+ End: 2022-10-03 17:27:27.017595 +0530 IST m=+2.089943948
+ Duration: 2.071994303s

[ Parameter Analysis ]
+-------+------+-----------+---------+--------+-------+
| PARAM | TYPE | REFLECTED | R-POINT | R-CODE | CHARS |
+-------+------+-----------+---------+--------+-------+
+-------+------+-----------+---------+--------+-------+

[ XSS PoCs ]
+---+------+----------+--------+-------+-------------+-----+
| # | TYPE | SEVERITY | METHOD | PARAM | INJECT-TYPE | CWE |
+---+------+----------+--------+-------+-------------+-----+
+---+------+----------+--------+-------+-------------+-----+

Dalfox failed to detect the vulnerabilities.

What's expected.

Detection of DOM XSS and postMessage XSS with the innerHTML sink.

Environment

  • Dalfox Version: v2.8.2
  • Installed from: Github releases
@ajmal-rzp ajmal-rzp added the bug Something isn't working label Oct 3, 2022
@ajmal-rzp ajmal-rzp changed the title Dalfox fails to detect DOM XSS with innerHTML sink and postMessage XSS Dalfox fails to detect DOM XSS with innerHTML sink and postMessage DOM XSS Oct 3, 2022
ajmal-rzp (Author) commented:
Not just this one, it fails on all DOM XSS labs in Portswigger Web academy.
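The two handlers in the page above never touch the server, which is why a reflection-based scan finds nothing. As an added example (not Dalfox code and not part of this issue), here is the kind of static source-to-sink triage a scanner can run on inline scripts without a headless browser. It flags the page's two patterns (input value into innerHTML, postMessage data into innerHTML, noting whether `e.origin` is ever consulted) and, as a generalisation, a `location.search` value flowing through a variable into `document.write`. The three HTML inputs are constructed for this example; the tracker page is only shaped like the document.write lab mentioned later in the thread, not its real source. Scoping and control flow are deliberately ignored, so treat hits as leads to confirm in a browser, not as findings.

```javascript
// Added example, not Dalfox code: a static source-to-sink heuristic over inline <script> blocks.
// It is a triage aid, not a taint engine: variable scope and control flow are ignored on purpose.

const SINKS = [
  { name: 'innerHTML',          re: /\.innerHTML\s*=(?!=)\s*([^;\n]+)/g },
  { name: 'outerHTML',          re: /\.outerHTML\s*=(?!=)\s*([^;\n]+)/g },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\([^,]+,\s*([^)]+)\)/g },
  { name: 'document.write',     re: /document\.write(?:ln)?\s*\(\s*([^;\n]+)\)/g },
];

// Sources readable straight from the sink expression, plus two that only count when the
// surrounding script registers the matching event listener.
const SOURCES = [
  { name: 'location.search',   re: /\blocation\.search\b/ },
  { name: 'location.hash',     re: /\blocation\.hash\b/ },
  { name: 'location.href',     re: /\blocation\.href\b/ },
  { name: 'document.URL',      re: /\bdocument\.URL\b/ },
  { name: 'document.referrer', re: /\bdocument\.referrer\b/ },
  { name: 'window.name',       re: /\bwindow\.name\b/ },
  { name: 'postMessage data',  re: /\b\w+\.data\b/, requires: /addEventListener\s*\(\s*['"]message['"]/ },
  { name: 'input value',       re: /\.value\b/,     requires: /addEventListener\s*\(\s*['"](?:input|change|keyup|keydown)['"]/ },
];

function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

function identifiers(expr) {
  return [...new Set(expr.match(/[A-Za-z_$][\w$]*/g) || [])];
}

// Returns the name of the first source reaching `expr`, following plain
// `var/let/const x = ...` definitions in the same script for up to `depth` hops.
function findSource(script, expr, depth = 3, seen = new Set()) {
  for (const s of SOURCES) {
    if (s.re.test(expr) && (!s.requires || s.requires.test(script))) return s.name;
  }
  if (depth === 0) return null;
  for (const id of identifiers(expr)) {
    if (seen.has(id)) continue;
    seen.add(id);
    const escaped = id.replace(/\$/g, '\\$');
    const def = new RegExp(`\\b(?:var|let|const)\\s+${escaped}\\s*=\\s*([^;\\n]+)`).exec(script);
    if (def) {
      const hit = findSource(script, def[1], depth - 1, seen);
      if (hit) return hit;
    }
  }
  return null;
}

function scanHtml(html) {
  const findings = [];
  extractScripts(html).forEach((script, index) => {
    for (const sink of SINKS) {
      sink.re.lastIndex = 0;
      let m;
      while ((m = sink.re.exec(script)) !== null) {
        const expr = m[1].trim();
        const source = findSource(script, expr);
        if (!source) continue;
        const finding = { script: index, sink: sink.name, source, expr };
        // For message handlers, whether e.origin is ever consulted is the first thing to check.
        if (source === 'postMessage data') finding.originChecked = /\.origin\b/.test(script);
        findings.push(finding);
      }
    }
  });
  return findings;
}

// Constructed input: the two handlers from the Express app in this issue.
const VULNERABLE_PAGE = `
<input type=text id=source1><span id=sink1></span>
<script>
  document.getElementById('source1').addEventListener('input', (e)=>{
    document.getElementById('sink1').innerHTML=e.target.value;
  })
</script>
<span id=sink2></span>
<script>
  window.addEventListener('message', (e)=>{
    document.getElementById('sink2').innerHTML=e.data;
  })
</script>`;

// Constructed input: the same handlers using textContent plus an origin check; expected clean.
const HARDENED_PAGE = `
<script>
  document.getElementById('source1').addEventListener('input', (e)=>{
    document.getElementById('sink1').textContent=e.target.value;
  })
</script>
<script>
  window.addEventListener('message', (e)=>{
    if (e.origin !== 'https://trusted.example') return;
    document.getElementById('sink2').textContent=e.data;
  })
</script>`;

// Constructed input shaped like a document.write tracker fed from location.search
// (a generalisation beyond this issue's page; not any lab's actual source).
const TRACKER_PAGE = `
<script>
  function trackSearch(query) {
    document.write('<img src="/tracker.gif?searchTerms=' + query + '">');
  }
  var query = (new URLSearchParams(window.location.search)).get('search');
  if (query) { trackSearch(query); }
</script>`;

for (const [name, page] of [['vulnerable', VULNERABLE_PAGE], ['hardened', HARDENED_PAGE], ['tracker', TRACKER_PAGE]]) {
  console.log(name, JSON.stringify(scanHtml(page)));
}
```

Run it with `node` and it prints one JSON array per page; the vulnerable page yields two findings (the postMessage one with `originChecked: false`), the hardened page none, and the tracker page one `document.write` finding traced back to `location.search` through `var query`.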

hahwul (Owner) commented Oct 12, 2022

Hi @Ajmal99
First, thank you so much for submitting the issue.
DOM XSS scanning only performs a very simple check because of the speed problem.
Maybe that's why I think the detection rate for DOM XSS is very low.

I'll try to come up with some ways to detect it well while considering its speed!

Since dalfox is often used to scan a large number of URLs in a pipeline, the more frequently the headless browser is used, the slower it gets 😭

@hahwul hahwul self-assigned this Oct 12, 2022
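The trade-off described in the comment above is between static checks and running the page in a headless browser. When a scanner does pay for the browser, the usual trick is to inject a small script before the page's own code runs (for example through Playwright's `page.addInitScript`) that wraps HTML-writing setters and reports any write carrying the scanner's marker, so a marker arriving via a typed value or a `postMessage` is caught at the sink regardless of how it got there. The following is an added example of that hook, not Dalfox code: the marker string, the `StubElement` stand-in for `Element.prototype`, and the `vulnerableMessageHandler` (a copy of the issue's message handler) are assumptions so that it runs in Node without a DOM.

```javascript
// Added example, not Dalfox code: a sink hook a headless scanner would inject before page scripts.
// In a browser, pass Element.prototype; here a constructed StubElement stands in so it runs in Node.

const MARKER = 'dalfoxmarker'; // assumed marker; a real scanner uses a random token per run

// Wraps the accessor `prop` on `proto` so every write that carries MARKER is reported,
// then forwards to the original setter so the page keeps behaving normally. Returns an unhook function.
function hookHtmlSink(proto, prop, report) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.set !== 'function') {
    throw new Error(`${prop} is not an accessor property on the given prototype`);
  }
  Object.defineProperty(proto, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) {
      const text = String(value);
      if (text.includes(MARKER)) {
        report({
          sink: prop,
          value: text,
          // A marker inside a tag will be parsed as markup; a bare marker may only be text.
          parsedAsHtml: /<[a-zA-Z!/]/.test(text),
          stack: new Error().stack, // points back at the page handler that performed the write
        });
      }
      return desc.set.call(this, value);
    },
  });
  return () => Object.defineProperty(proto, prop, desc);
}

// Constructed stand-in for a DOM element; innerHTML is an accessor just as on Element.prototype.
class StubElement {
  constructor() { this.html = ''; }
  get innerHTML() { return this.html; }
  set innerHTML(v) { this.html = String(v); }
}

// The message handler from the issue, as the page would run it for a message event.
function vulnerableMessageHandler(sinkEl, event) {
  sinkEl.innerHTML = event.data;
}

function demo() {
  const reports = [];
  const unhook = hookHtmlSink(StubElement.prototype, 'innerHTML', (r) => reports.push(r));
  const el = new StubElement();
  // Constructed events: one carrying the marker inside a tag, one benign.
  vulnerableMessageHandler(el, { origin: 'https://attacker.example', data: `<img src=x onerror="${MARKER}">` });
  vulnerableMessageHandler(el, { origin: 'https://attacker.example', data: 'hello' });
  unhook();
  vulnerableMessageHandler(el, { origin: 'https://attacker.example', data: MARKER }); // no longer reported
  return { reports, finalHtml: el.innerHTML };
}

const result = demo();
console.log(`${result.reports.length} tainted write(s); sink now holds: ${result.finalHtml}`);
```

In a real run the scanner delivers the marker through each candidate source (typing it into inputs, posting it from a cross-origin frame, putting it in the hash or query string) and waits for a report; the stack trace in the report is what tells you which page handler wrote to the sink.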
ajmal-rzp (Author) commented:

i appreciate the update, thanks @hahwul

kenduq commented Nov 17, 2023

I tried to test dalfox against Lab: DOM XSS in document.write sink using source location.search; the academy showed me that the lab was solved, but the CLI showed me only a small amount of information

command:
└─$ dalfox url https://0ab900d8034ec21483b1555f00b300ed.web-security-academy.net/ --output-all --report

🎯  Target                 https://0ab900d8034ec21483b1555f00b300ed.web-security-academy.net/
🏁  Method                 GET
🖥   Worker                 100
🔦  BAV                    true
⛏   Mining                 true (Gf-Patterns)
🔬  Mining-DOM             true (mining from DOM)
⏱   Timeout                10
📤  FollowRedirect         false
🕰   Started at             2023-11-17 08:03:45.164230421 -0500 EST m=+0.023900483

[*] 🦊 Start scan [SID:Single] / URL: https://0ab900d8034ec21483b1555f00b300ed.web-security-academy.net/
[I] Found 11 testing point in DOM base parameter mining
[I] Found 1 testing point in Dictionary base parameter mining
[I] Content-Type is text/html; charset=utf-8
[I] X-Frame-Options is SAMEORIGIN
[I] Reflected search param => PTYPE: URL Injected: /inHTML-none(1) ] \ [ { . ; } | - , + : = ( ) $
    77 line:  0 search results for 'DalFox'
[*] ----------------------------------------------------------------------------------------------------
[*] [duration: 13.396382062s][issues: 0] Finish Scan!

[ Parameter Analysis ]
+--------+------+-----------+-----------------+----------------------------------------+---------------------------------+
| PARAM  | TYPE | REFLECTED | R-POINT         | R-CODE                                 | CHARS                           |
+--------+------+-----------+-----------------+----------------------------------------+---------------------------------+
| search | URL  | true      | /inHTML-none(1) | 77 line: 0 search results for 'DalFox' | ] \ [ { . ; } | - , + : = ( ) $ |
+--------+------+-----------+-----------------+----------------------------------------+---------------------------------+

[ XSS PoCs ]
+---+------+----------+--------+-------+-------------+-----+
| # | TYPE | SEVERITY | METHOD | PARAM | INJECT-TYPE | CWE |
+---+------+----------+--------+-------+-------------+-----+
+---+------+----------+--------+-------+-------------+-----+

How can I test what actually happened and why the lab is solved?

hahwul (Owner) commented Nov 18, 2023

Um.. From the logs, it appears that Dalfox is only showing results for mining and not detecting XSS.

I haven't tried the Portswigger lab before, so I'm not sure, but is it a method where a specific request is sent to solve it?
If that is the case, the issue might have inadvertently been resolved through the payloads used for testing.
