Update payload.go #578

Closed
wants to merge 2 commits into from
@ghost ghost commented Sep 3, 2024

Add new mini payloads

Add new mini payloads
@ghost ghost changed the base branch from main to dev September 3, 2024 21:40
@hahwul hahwul self-requested a review September 4, 2024 13:25
@hahwul hahwul assigned ghost Sep 4, 2024
@hahwul hahwul added the payload label Sep 4, 2024
Owner

@hahwul hahwul left a comment

Hi @TannicArcher
First and foremost, thank you so much for your contribution. I've reviewed the code and made a few adjustments, but I'm very open to your thoughts on these:

Open Redirect

In Dalfox's BAV feature, redirect detection only occurs with the google.com domain. Therefore, code that redirects to evil.com isn't actually detected. I've adjusted it to use google.com and removed payloads that cannot be detected.

ESI Injection

I think it would be better to use the user-input CALLBACKURL instead of evil.com, so I've made that change.

SQL Injection

Dalfox is primarily an XSS scanning tool, offering only error-based detection for SQLi. While having many payloads isn't necessarily bad, I've removed those that could cause critical service issues like drop or sleep.

And..

While Dalfox helps us spot various vulnerabilities, its core strength lies in XSS. I'm considering slimming down the SQLi payloads further since they seem a bit extensive. Any suggestions or thoughts on this?

Looking forward to your feedback!

@ghost ghost closed this by deleting the head repository Oct 7, 2024
This pull request was closed.
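
The three adjustments described in the review above, written as a payload-list check a maintainer could run before merging. This is an added example, not code from the pull request or from Dalfox; the category names, the `LintPayloads` function and the sample payloads are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one payload that breaks a review rule, with the reason.
type Finding struct {
	Category, Payload, Reason string
}

// Word-boundary match so "dropdown" or "asleep" does not trigger the SQLi rule.
var destructiveSQL = regexp.MustCompile(`(?i)\b(drop|sleep)\b`)

// LintPayloads applies the three review rules to payload lists keyed by
// category. The category names are hypothetical, not Dalfox identifiers.
func LintPayloads(lists map[string][]string) []Finding {
	var out []Finding
	for _, cat := range []string{"open-redirect", "esi", "sqli"} { // fixed order
		for _, p := range lists[cat] {
			low := strings.ToLower(p)
			switch {
			case cat == "open-redirect" && !strings.Contains(low, "google.com"):
				out = append(out, Finding{cat, p, "redirect target is not google.com, so it cannot be detected"})
			case cat == "esi" && !strings.Contains(p, "CALLBACKURL"):
				out = append(out, Finding{cat, p, "hard-coded host instead of CALLBACKURL"})
			case cat == "sqli" && destructiveSQL.MatchString(p):
				out = append(out, Finding{cat, p, "drop/sleep can cause service issues"})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample payloads, not taken from the pull request.
	lists := map[string][]string{
		"open-redirect": {"//google.com", "//evil.com"},
		"esi":           {`<esi:include src="CALLBACKURL"/>`, `<esi:include src="http://evil.com/"/>`},
		"sqli":          {"'", "' OR SLEEP(5)-- -", "'; DROP TABLE users-- -"},
	}
	for _, f := range LintPayloads(lists) {
		fmt.Printf("%-13s %-40q %s\n", f.Category, f.Payload, f.Reason)
	}
}
```

The substring test for `google.com` is a simplification of the rule stated in the review, not Dalfox's own matching logic.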