```
[*] Target URL: https://dark.netflix.io
[*] Vaild target [ code:200 / size:5284 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[*] Static analysis done ✓
[I] Found 0 testing point in DOM Mining
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected unsubscribe_token param => Injected: /inATTR-double(2)
    21 line: l?unsubscribe_token=DalFox" />
    28 line: l?unsubscribe_token=DalFo
```

![](https://i.imgur.com/RCcLGeT.png)

# Reflected but not vulnerable, since it auto-encodes.

- When it is DOM XSS (React/Angular/etc.), it will almost every time encode `"` to `%22`, so you can't exploit it.
- Multiple variables could be at play here, so I'm just speaking in general.
- The DOM XSS (that you found in NFLX) is pretty interesting, but it is usually a rare XSS; the Intigriti XSS challenges, for example, are all DOM XSS.
- You can trigger an XSS in resize/popup and rare JS functions. I think I have an example of mine, one sec. : )

Bro, this example I did to teach one friend, explaining DOM open redirect... BUT.... it is DOM XSS... because we convert the open redirect to XSS...

https://poc.crowdsec.com.br/poc_br.html#javascript:alert(document.domain)
https://poc.crowdsec.com.br/poc_br.html#https://www.google.com

Look at the source code. I will close here. We speak on Twitter bro <3

- The best cases are `Reflected XSS`, when the value goes to the backend and comes back (dotnet/java/php)
- Easier, faster, usually bypassable, etc.
Example: http://brutelogic.com.br/xss.php?a=FUZZ

- It sends the FUZZ word to the backend (PHP) and returns it to the HTML
- Valid payload:
  - http://brutelogic.com.br/xss.php?a=FUZZ%3Cimg%20src=x%20onerror=alert(1)%3E

In this case %22 is no problem, the backend converts it to `"` and the attack happens. We have thousands of different cases here, needing double encoding, triple encoding, UTF-8 encoding, etc. And we can bypass WAFs; it is a very fun XSS to be honest.

got it

```
[I] Reflected callback param => Injected: /inATTR-double(2)
    21 line: index.html?callback=DalFox" />
    28 line: index.html?callback=DalFo
[I] Reflected goto param => Injected: /inATTR-double(2)
    21 line: .io/index.html?goto=DalFox" />
    28 line: .io/index.html?goto=DalFo
[I] Reflected csrf_token param => Injected: /inATTR-double(2)
    21 line: dex.html?csrf_token=DalFox" />
    28 line: dex.html?csrf_token=DalFo
[I] Reflected dir param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?dir=DalFox" />
    28 line: x.io/index.html?dir=DalFo
[I] Reflected email param => Injected: /inATTR-double(2)
    21 line: io/index.html?email=DalFox" />
    28 line: io/index.html?email=DalFo
[I] Reflected go param => Injected: /inATTR-double(2)
    21 line: ix.io/index.html?go=DalFox" />
    28 line: ix.io/index.html?go=DalFo
[I] Reflected img_url param => Injected: /inATTR-double(2)
    21 line: /index.html?img_url=DalFox" />
    28 line: /index.html?img_url=DalFo
[I] Reflected s param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?s=DalFox" />
    28 line: lix.io/index.html?s=DalFo
[I] Reflected immagine param => Injected: /inATTR-double(2)
    21 line: index.html?immagine=DalFox" />
    28 line: index.html?immagine=DalFo
[I] Reflected key param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?key=DalFox" />
    28 line: x.io/index.html?key=DalFo
[I] Reflected page_id param => Injected: /inATTR-double(2)
    21 line: /index.html?page_id=DalFox" />
    28 line: /index.html?page_id=DalFo
[I] Reflected lang param => Injected: /inATTR-double(2)
    21 line: .io/index.html?lang=DalFox" />
    28 line: .io/index.html?lang=DalFo
[I] Reflected window param => Injected: /inATTR-double(2)
    21 line: o/index.html?window=DalFox" />
    28 line: o/index.html?window=DalFo
[I] Reflected jsonp param => Injected: /inATTR-double(2)
    21 line: io/index.html?jsonp=DalFox" />
    28 line: io/index.html?jsonp=DalFo
[I] Reflected data param => Injected: /inATTR-double(2)
    21 line: .io/index.html?data=DalFox" />
    28 line: .io/index.html?data=DalFo
[I] Reflected id param => Injected: /inATTR-double(2)
    21 line: ix.io/index.html?id=DalFox" />
    28 line: ix.io/index.html?id=DalFo
[I] Reflected month param => Injected: /inATTR-double(2)
    21 line: io/index.html?month=DalFox" />
    28 line: io/index.html?month=DalFo
[I] Reflected type param => Injected: /inATTR-double(2)
    21 line: .io/index.html?type=DalFox" />
    28 line: .io/index.html?type=DalFo
[I] Reflected password param => Injected: /inATTR-double(2)
    21 line: index.html?password=DalFox" />
    28 line: index.html?password=DalFo
[I] Reflected name param => Injected: /inATTR-double(2)
    21 line: .io/index.html?name=DalFox" />
    28 line: .io/index.html?name=DalFo
[I] Reflected item param => Injected: /inATTR-double(2)
    21 line: .io/index.html?item=DalFox" />
    28 line: .io/index.html?item=DalFo
[I] Reflected api param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?api=DalFox" />
    28 line: x.io/index.html?api=DalFo
[I] Reflected api_key param => Injected: /inATTR-double(2)
    21 line: /index.html?api_key=DalFox" />
    28 line: /index.html?api_key=DalFo
[I] Reflected file_name param => Injected: /inATTR-double(2)
    21 line: ndex.html?file_name=DalFox" />
    28 line: ndex.html?file_name=DalFo
[I] Reflected list_type param => Injected: /inATTR-double(2)
    21 line: ndex.html?list_type=DalFox" />
    28 line: ndex.html?list_type=DalFo
[I] Reflected l param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?l=DalFox" />
    28 line: lix.io/index.html?l=DalFo
[I] Reflected host param => Injected: /inATTR-double(2)
    21 line: .io/index.html?host=DalFox" />
    28 line: .io/index.html?host=DalFo
[I] Reflected username param => Injected: /inATTR-double(2)
    21 line: index.html?username=DalFox" />
    28 line: index.html?username=DalFo
[I] Reflected domain param => Injected: /inATTR-double(2)
    21 line: o/index.html?domain=DalFox" />
    28 line: o/index.html?domain=DalFo
[I] Reflected view param => Injected: /inATTR-double(2)
    21 line: .io/index.html?view=DalFox" />
    28 line: .io/index.html?view=DalFo
[I] Reflected search param => Injected: /inATTR-double(2)
    21 line: o/index.html?search=DalFox" />
    28 line: o/index.html?search=DalFo
[I] Reflected show param => Injected: /inATTR-double(2)
    21 line: .io/index.html?show=DalFox" />
    28 line: .io/index.html?show=DalFo
[I] Reflected begindate param => Injected: /inATTR-double(2)
    21 line: ndex.html?begindate=DalFox" />
    28 line: ndex.html?begindate=DalFo
[I] Reflected file param => Injected: /inATTR-double(2)
    21 line: .io/index.html?file=DalFox" />
    28 line: .io/index.html?file=DalFo
[I] Reflected return param => Injected: /inATTR-double(2)
    21 line: o/index.html?return=DalFox" />
    28 line: o/index.html?return=DalFo
[I] Reflected keywords param => Injected: /inATTR-double(2)
    21 line: index.html?keywords=DalFox" />
    28 line: index.html?keywords=DalFo
[I] Reflected html param => Injected: /inATTR-double(2)
    21 line: .io/index.html?html=DalFox" />
    28 line: .io/index.html?html=DalFo
[I] Reflected url param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?url=DalFox" />
    28 line: x.io/index.html?url=DalFo
[I] Reflected token param => Injected: /inATTR-double(2)
    21 line: io/index.html?token=DalFox" />
    28 line: io/index.html?token=DalFo
[I] Reflected cat param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?cat=DalFox" />
    28 line: x.io/index.html?cat=DalFo
[I] Reflected query param => Injected: /inATTR-double(2)
    21 line: io/index.html?query=DalFox" />
    28 line: io/index.html?query=DalFo
[I] Reflected categoryid param => Injected: /inATTR-double(2)
    21 line: dex.html?categoryid=DalFox" />
    28 line: dex.html?categoryid=DalFo
[I] Reflected rurl param => Injected: /inATTR-double(2)
    21 line: .io/index.html?rurl=DalFox" />
    28 line: .io/index.html?rurl=DalFo
[I] Reflected keyword param => Injected: /inATTR-double(2)
    21 line: /index.html?keyword=DalFox" />
    28 line: /index.html?keyword=DalFo
[I] Reflected emailto param => Injected: /inATTR-double(2)
    21 line: /index.html?emailto=DalFox" />
    28 line: /index.html?emailto=DalFo
[I] Reflected enddate param => Injected: /inATTR-double(2)
    21 line: /index.html?enddate=DalFox" />
    28 line: /index.html?enddate=DalFo
[I] Reflected feed param => Injected: /inATTR-double(2)
    21 line: .io/index.html?feed=DalFox" />
    28 line: .io/index.html?feed=DalFo
[I] Reflected q param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?q=DalFox" />
    28 line: lix.io/index.html?q=DalFo
[I] Reflected p param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?p=DalFox" />
    28 line: lix.io/index.html?p=DalFo
[I] Reflected image_url param => Injected: /inATTR-double(2)
    21 line: ndex.html?image_url=DalFox" />
    28 line: ndex.html?image_url=DalFo
[I] Reflected page param => Injected: /inATTR-double(2)
    21 line: .io/index.html?page=DalFox" />
    28 line: .io/index.html?page=DalFo
[I] Reflected year param => Injected: /inATTR-double(2)
    21 line: .io/index.html?year=DalFox" />
    28 line: .io/index.html?year=DalFo
[I] Reflected file_url param => Injected: /inATTR-double(2)
    21 line: index.html?file_url=DalFox" />
    28 line: index.html?file_url=DalFo
[I] Reflected terms param => Injected: /inATTR-double(2)
    21 line: io/index.html?terms=DalFox" />
    28 line: io/index.html?terms=DalFo
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Start XSS Scanning.. with 6633 queries 🗑
[*] Finish :D
____________________________________________________
[*] Target URL: https://www.dark.netflix.io
[*] Vaild target [ code:200 / size:5308 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[*] Static analysis done ✓
[I] Found 0 testing point in DOM Mining
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected callback param => Injected: /inATTR-double(2)
    21 line: index.html?callback=DalFox" />
    28 line: index.html?callback=DalFo
[I] Reflected domain param => Injected: /inATTR-double(2)
    21 line: o/index.html?domain=DalFox" />
    28 line: o/index.html?domain=DalFo
[I] Reflected email param => Injected: /inATTR-double(2)
    21 line: io/index.html?email=DalFox" />
    28 line: io/index.html?email=DalFo
[I] Reflected password param => Injected: /inATTR-double(2)
    21 line: index.html?password=DalFox" />
    28 line: index.html?password=DalFo
[I] Reflected return param => Injected: /inATTR-double(2)
    21 line: o/index.html?return=DalFox" />
    28 line: o/index.html?return=DalFo
[I] Reflected year param => Injected: /inATTR-double(2)
    21 line: .io/index.html?year=DalFox" />
    28 line: .io/index.html?year=DalFo
[I] Reflected api param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?api=DalFox" />
    28 line: x.io/index.html?api=DalFo
[I] Reflected url param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?url=DalFox" />
    28 line: x.io/index.html?url=DalFo
[I] Reflected img_url param => Injected: /inATTR-double(2)
    21 line: /index.html?img_url=DalFox" />
    28 line: /index.html?img_url=DalFo
[I] Reflected key param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?key=DalFox" />
    28 line: x.io/index.html?key=DalFo
[I] Reflected host param => Injected: /inATTR-double(2)
    21 line: .io/index.html?host=DalFox" />
    28 line: .io/index.html?host=DalFo
[I] Reflected categoryid param => Injected: /inATTR-double(2)
    21 line: dex.html?categoryid=DalFox" />
    28 line: dex.html?categoryid=DalFo
[I] Reflected list_type param => Injected: /inATTR-double(2)
    21 line: ndex.html?list_type=DalFox" />
    28 line: ndex.html?list_type=DalFo
[I] Reflected file_url param => Injected: /inATTR-double(2)
    21 line: index.html?file_url=DalFox" />
    28 line: index.html?file_url=DalFo
[I] Reflected show param => Injected: /inATTR-double(2)
    21 line: .io/index.html?show=DalFox" />
    28 line: .io/index.html?show=DalFo
[I] Reflected id param => Injected: /inATTR-double(2)
    21 line: ix.io/index.html?id=DalFox" />
    28 line: ix.io/index.html?id=DalFo
[I] Reflected file param => Injected: /inATTR-double(2)
    21 line: .io/index.html?file=DalFox" />
    28 line: .io/index.html?file=DalFo
[I] Reflected search param => Injected: /inATTR-double(2)
    21 line: o/index.html?search=DalFox" />
    28 line: o/index.html?search=DalFo
[I] Reflected terms param => Injected: /inATTR-double(2)
    21 line: io/index.html?terms=DalFox" />
    28 line: io/index.html?terms=DalFo
[I] Reflected name param => Injected: /inATTR-double(2)
    21 line: .io/index.html?name=DalFox" />
    28 line: .io/index.html?name=DalFo
[I] Reflected jsonp param => Injected: /inATTR-double(2)
    21 line: io/index.html?jsonp=DalFox" />
    28 line: io/index.html?jsonp=DalFo
[I] Reflected api_key param => Injected: /inATTR-double(2)
    21 line: /index.html?api_key=DalFox" />
    28 line: /index.html?api_key=DalFo
[I] Reflected l param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?l=DalFox" />
    28 line: lix.io/index.html?l=DalFo
[I] Reflected view param => Injected: /inATTR-double(2)
    21 line: .io/index.html?view=DalFox" />
    28 line: .io/index.html?view=DalFo
[I] Reflected keyword param => Injected: /inATTR-double(2)
    21 line: /index.html?keyword=DalFox" />
    28 line: /index.html?keyword=DalFo
[I] Reflected s param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?s=DalFox" />
    28 line: lix.io/index.html?s=DalFo
[I] Reflected begindate param => Injected: /inATTR-double(2)
    21 line: ndex.html?begindate=DalFox" />
    28 line: ndex.html?begindate=DalFo
[I] Reflected immagine param => Injected: /inATTR-double(2)
    21 line: index.html?immagine=DalFox" />
    28 line: index.html?immagine=DalFo
[I] Reflected username param => Injected: /inATTR-double(2)
    21 line: index.html?username=DalFox" />
    28 line: index.html?username=DalFo
[I] Reflected emailto param => Injected: /inATTR-double(2)
    21 line: /index.html?emailto=DalFox" />
    28 line: /index.html?emailto=DalFo
[I] Reflected html param => Injected: /inATTR-double(2)
    21 line: .io/index.html?html=DalFox" />
    28 line: .io/index.html?html=DalFo
[I] Reflected type param => Injected: /inATTR-double(2)
    21 line: .io/index.html?type=DalFox" />
    28 line: .io/index.html?type=DalFo
[I] Reflected q param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?q=DalFox" />
    28 line: lix.io/index.html?q=DalFo
[I] Reflected unsubscribe_token param => Injected: /inATTR-double(2)
    21 line: l?unsubscribe_token=DalFox" />
    28 line: l?unsubscribe_token=DalFo
[I] Reflected token param => Injected: /inATTR-double(2)
    21 line: io/index.html?token=DalFox" />
    28 line: io/index.html?token=DalFo
[I] Reflected file_name param => Injected: /inATTR-double(2)
    21 line: ndex.html?file_name=DalFox" />
    28 line: ndex.html?file_name=DalFo
[I] Reflected page_id param => Injected: /inATTR-double(2)
    21 line: /index.html?page_id=DalFox" />
    28 line: /index.html?page_id=DalFo
[I] Reflected go param => Injected: /inATTR-double(2)
    21 line: ix.io/index.html?go=DalFox" />
    28 line: ix.io/index.html?go=DalFo
[I] Reflected enddate param => Injected: /inATTR-double(2)
    21 line: /index.html?enddate=DalFox" />
    28 line: /index.html?enddate=DalFo
[I] Reflected rurl param => Injected: /inATTR-double(2)
    21 line: .io/index.html?rurl=DalFox" />
    28 line: .io/index.html?rurl=DalFo
[I] Reflected feed param => Injected: /inATTR-double(2)
    21 line: .io/index.html?feed=DalFox" />
    28 line: .io/index.html?feed=DalFo
[I] Reflected lang param => Injected: /inATTR-double(2)
    21 line: .io/index.html?lang=DalFox" />
    28 line: .io/index.html?lang=DalFo
[I] Reflected goto param => Injected: /inATTR-double(2)
    21 line: .io/index.html?goto=DalFox" />
    28 line: .io/index.html?goto=DalFo
[I] Reflected window param => Injected: /inATTR-double(2)
    21 line: o/index.html?window=DalFox" />
    28 line: o/index.html?window=DalFo
[I] Reflected keywords param => Injected: /inATTR-double(2)
    21 line: index.html?keywords=DalFox" />
    28 line: index.html?keywords=DalFo
[I] Reflected month param => Injected: /inATTR-double(2)
    21 line: io/index.html?month=DalFox" />
    28 line: io/index.html?month=DalFo
[I] Reflected query param => Injected: /inATTR-double(2)
    21 line: io/index.html?query=DalFox" />
    28 line: io/index.html?query=DalFo
[I] Reflected item param => Injected: /inATTR-double(2)
    21 line: .io/index.html?item=DalFox" />
    28 line: .io/index.html?item=DalFo
[I] Reflected cat param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?cat=DalFox" />
    28 line: x.io/index.html?cat=DalFo
[I] Reflected dir param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?dir=DalFox" />
    28 line: x.io/index.html?dir=DalFo
[I] Reflected p param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?p=DalFox" />
    28 line: lix.io/index.html?p=DalFo
[I] Reflected page param => Injected: /inATTR-double(2)
    21 line: .io/index.html?page=DalFox" />
    28 line: .io/index.html?page=DalFo
[I] Reflected image_url param => Injected: /inATTR-double(2)
    21 line: ndex.html?image_url=DalFox" />
    28 line: ndex.html?image_url=DalFo
[I] Reflected data param => Injected: /inATTR-double(2)
    21 line: .io/index.html?data=DalFox" />
    28 line: .io/index.html?data=DalFo
[I] Reflected csrf_token param => Injected: /inATTR-double(2)
    21 line: dex.html?csrf_token=DalFox" />
    28 line: dex.html?csrf_token=DalFo
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Start XSS Scanning.. with 6633 queries 🗑
[*] Finish :D
_________________________________________________________
[*] Target URL: https://dark06272020.netflix.io
[*] Vaild target [ code:200 / size:5332 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[*] Static analysis done ✓
[I] Found 0 testing point in DOM Mining
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected key param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?key=DalFox" />
    28 line: x.io/index.html?key=DalFo
[I] Reflected html param => Injected: /inATTR-double(2)
    21 line: .io/index.html?html=DalFox" />
    28 line: .io/index.html?html=DalFo
[I] Reflected list_type param => Injected: /inATTR-double(2)
    21 line: ndex.html?list_type=DalFox" />
    28 line: ndex.html?list_type=DalFo
[I] Reflected token param => Injected: /inATTR-double(2)
    21 line: io/index.html?token=DalFox" />
    28 line: io/index.html?token=DalFo
[I] Reflected show param => Injected: /inATTR-double(2)
    21 line: .io/index.html?show=DalFox" />
    28 line: .io/index.html?show=DalFo
[I] Reflected file param => Injected: /inATTR-double(2)
    21 line: .io/index.html?file=DalFox" />
    28 line: .io/index.html?file=DalFo
[I] Reflected enddate param => Injected: /inATTR-double(2)
    21 line: /index.html?enddate=DalFox" />
    28 line: /index.html?enddate=DalFo
[I] Reflected l param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?l=DalFox" />
    28 line: lix.io/index.html?l=DalFo
[I] Reflected q param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?q=DalFox" />
    28 line: lix.io/index.html?q=DalFo
[I] Reflected file_url param => Injected: /inATTR-double(2)
    21 line: index.html?file_url=DalFox" />
    28 line: index.html?file_url=DalFo
[I] Reflected type param => Injected: /inATTR-double(2)
    21 line: .io/index.html?type=DalFox" />
    28 line: .io/index.html?type=DalFo
[I] Reflected data param => Injected: /inATTR-double(2)
    21 line: .io/index.html?data=DalFox" />
    28 line: .io/index.html?data=DalFo
[I] Reflected year param => Injected: /inATTR-double(2)
    21 line: .io/index.html?year=DalFox" />
    28 line: .io/index.html?year=DalFo
[I] Reflected file_name param => Injected: /inATTR-double(2)
    21 line: ndex.html?file_name=DalFox" />
    28 line: ndex.html?file_name=DalFo
[I] Reflected feed param => Injected: /inATTR-double(2)
    21 line: .io/index.html?feed=DalFox" />
    28 line: .io/index.html?feed=DalFo
[I] Reflected begindate param => Injected: /inATTR-double(2)
    21 line: ndex.html?begindate=DalFox" />
    28 line: ndex.html?begindate=DalFo
[I] Reflected page param => Injected: /inATTR-double(2)
    21 line: .io/index.html?page=DalFox" />
    28 line: .io/index.html?page=DalFo
[I] Reflected api param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?api=DalFox" />
    28 line: x.io/index.html?api=DalFo
[I] Reflected search param => Injected: /inATTR-double(2)
    21 line: o/index.html?search=DalFox" />
    28 line: o/index.html?search=DalFo
[I] Reflected api_key param => Injected: /inATTR-double(2)
    21 line: /index.html?api_key=DalFox" />
    28 line: /index.html?api_key=DalFo
[I] Reflected terms param => Injected: /inATTR-double(2)
    21 line: io/index.html?terms=DalFox" />
    28 line: io/index.html?terms=DalFo
[I] Reflected email param => Injected: /inATTR-double(2)
    21 line: io/index.html?email=DalFox" />
    28 line: io/index.html?email=DalFo
[I] Reflected name param => Injected: /inATTR-double(2)
    21 line: .io/index.html?name=DalFox" />
    28 line: .io/index.html?name=DalFo
[I] Reflected go param => Injected: /inATTR-double(2)
    21 line: ix.io/index.html?go=DalFox" />
    28 line: ix.io/index.html?go=DalFo
[I] Reflected categoryid param => Injected: /inATTR-double(2)
    21 line: dex.html?categoryid=DalFox" />
    28 line: dex.html?categoryid=DalFo
[I] Reflected cat param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?cat=DalFox" />
    28 line: x.io/index.html?cat=DalFo
[I] Reflected page_id param => Injected: /inATTR-double(2)
    21 line: /index.html?page_id=DalFox" />
    28 line: /index.html?page_id=DalFo
[I] Reflected id param => Injected: /inATTR-double(2)
    21 line: ix.io/index.html?id=DalFox" />
    28 line: ix.io/index.html?id=DalFo
[I] Reflected unsubscribe_token param => Injected: /inATTR-double(2)
    21 line: l?unsubscribe_token=DalFox" />
    28 line: l?unsubscribe_token=DalFo
[I] Reflected keywords param => Injected: /inATTR-double(2)
    21 line: index.html?keywords=DalFox" />
    28 line: index.html?keywords=DalFo
[I] Reflected host param => Injected: /inATTR-double(2)
    21 line: .io/index.html?host=DalFox" />
    28 line: .io/index.html?host=DalFo
[I] Reflected csrf_token param => Injected: /inATTR-double(2)
    21 line: dex.html?csrf_token=DalFox" />
    28 line: dex.html?csrf_token=DalFo
[I] Reflected jsonp param => Injected: /inATTR-double(2)
    21 line: io/index.html?jsonp=DalFox" />
    28 line: io/index.html?jsonp=DalFo
[I] Reflected immagine param => Injected: /inATTR-double(2)
    21 line: index.html?immagine=DalFox" />
    28 line: index.html?immagine=DalFo
[I] Reflected dir param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?dir=DalFox" />
    28 line: x.io/index.html?dir=DalFo
[I] Reflected lang param => Injected: /inATTR-double(2)
    21 line: .io/index.html?lang=DalFox" />
    28 line: .io/index.html?lang=DalFo
[I] Reflected keyword param => Injected: /inATTR-double(2)
    21 line: /index.html?keyword=DalFox" />
    28 line: /index.html?keyword=DalFo
[I] Reflected username param => Injected: /inATTR-double(2)
    21 line: index.html?username=DalFox" />
    28 line: index.html?username=DalFo
[I] Reflected window param => Injected: /inATTR-double(2)
    21 line: o/index.html?window=DalFox" />
    28 line: o/index.html?window=DalFo
[I] Reflected month param => Injected: /inATTR-double(2)
    21 line: io/index.html?month=DalFox" />
    28 line: io/index.html?month=DalFo
[I] Reflected rurl param => Injected: /inATTR-double(2)
    21 line: .io/index.html?rurl=DalFox" />
    28 line: .io/index.html?rurl=DalFo
[I] Reflected query param => Injected: /inATTR-double(2)
    21 line: io/index.html?query=DalFox" />
    28 line: io/index.html?query=DalFo
[I] Reflected return param => Injected: /inATTR-double(2)
    21 line: o/index.html?return=DalFox" />
    28 line: o/index.html?return=DalFo
[I] Reflected view param => Injected: /inATTR-double(2)
    21 line: .io/index.html?view=DalFox" />
    28 line: .io/index.html?view=DalFo
[I] Reflected image_url param => Injected: /inATTR-double(2)
    21 line: ndex.html?image_url=DalFox" />
    28 line: ndex.html?image_url=DalFo
[I] Reflected s param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?s=DalFox" />
    28 line: lix.io/index.html?s=DalFo
[I] Reflected url param => Injected: /inATTR-double(2)
    21 line: x.io/index.html?url=DalFox" />
    28 line: x.io/index.html?url=DalFo
[I] Reflected p param => Injected: /inATTR-double(2)
    21 line: lix.io/index.html?p=DalFox" />
    28 line: lix.io/index.html?p=DalFo
[I] Reflected img_url param => Injected: /inATTR-double(2)
    21 line: /index.html?img_url=DalFox" />
    28 line: /index.html?img_url=DalFo
[I] Reflected item param => Injected: /inATTR-double(2)
    21 line: .io/index.html?item=DalFox" />
    28 line: .io/index.html?item=DalFo
[I] Reflected emailto param => Injected: /inATTR-double(2)
    21 line: /index.html?emailto=DalFox" />
    28 line: /index.html?emailto=DalFo
[I] Reflected callback param => Injected: /inATTR-double(2)
    21 line: index.html?callback=DalFox" />
    28 line: index.html?callback=DalFo
[I] Reflected goto param => Injected: /inATTR-double(2)
    21 line: .io/index.html?goto=DalFox" />
    28 line: .io/index.html?goto=DalFo
[I] Reflected domain param => Injected: /inATTR-double(2)
    21 line: o/index.html?domain=DalFox" />
    28 line: o/index.html?domain=DalFo
[I] Reflected password param => Injected: /inATTR-double(2)
    21 line: index.html?password=DalFox" />
    28 line: index.html?password=DalFo
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Start XSS Scanning.. with 6633 queries 🗑
[*] Finish :D
________________________________________________________
[*] Target URL: https://test.dark06272020.netflix.io
[*] Vaild target [ code:200 / size:5343 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] BAV analysis done ✓
[*] Static analysis done ✓
[I] Found 0 testing point in DOM Mining
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected unsubscribe_token param => Injected: /inATTR-double(2)
    21 line: /?unsubscribe_token=DalFox" />
    28 line: /?unsubscribe_token=DalFo
[I] Reflected p param => Injected: /inATTR-double(2)
    21 line: 72020.netflix.io/?p=DalFox" />
    28 line: 72020.netflix.io/?p=DalFo
[I] Reflected file_url param => Injected: /inATTR-double(2)
    21 line: etflix.io/?file_url=DalFox" />
    28 line: etflix.io/?file_url=DalFo
[I] Reflected domain param => Injected: /inATTR-double(2)
    21 line: .netflix.io/?domain=DalFox" />
    28 line: .netflix.io/?domain=DalFo
[I] Reflected return param => Injected: /inATTR-double(2)
    21 line: .netflix.io/?return=DalFox" />
    28 line: .netflix.io/?return=DalFo
[I] Reflected jsonp param => Injected: /inATTR-double(2)
    21 line: 0.netflix.io/?jsonp=DalFox" />
    28 line: 0.netflix.io/?jsonp=DalFo
[I] Reflected emailto param => Injected: /inATTR-double(2)
    21 line: netflix.io/?emailto=DalFox" />
    28 line: netflix.io/?emailto=DalFo
[I] Reflected lang param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?lang=DalFox" />
    28 line: 20.netflix.io/?lang=DalFo
[I] Reflected show param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?show=DalFox" />
    28 line: 20.netflix.io/?show=DalFo
[I] Reflected cat param => Injected: /inATTR-double(2)
    21 line: 020.netflix.io/?cat=DalFox" />
    28 line: 020.netflix.io/?cat=DalFo
[I] Reflected go param => Injected: /inATTR-double(2)
    21 line: 2020.netflix.io/?go=DalFox" />
    28 line: 2020.netflix.io/?go=DalFo
[I] Reflected enddate param => Injected: /inATTR-double(2)
    21 line: netflix.io/?enddate=DalFox" />
    28 line: netflix.io/?enddate=DalFo
[I] Reflected file_name param => Injected: /inATTR-double(2)
    21 line: tflix.io/?file_name=DalFox" />
    28 line: tflix.io/?file_name=DalFo
[I] Reflected rurl param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?rurl=DalFox" />
    28 line: 20.netflix.io/?rurl=DalFo
[I] Reflected image_url param => Injected: /inATTR-double(2)
    21 line: tflix.io/?image_url=DalFox" />
    28 line: tflix.io/?image_url=DalFo
[I] Reflected list_type param => Injected: /inATTR-double(2)
    21 line: tflix.io/?list_type=DalFox" />
    28 line: tflix.io/?list_type=DalFo
[I] Reflected token param => Injected: /inATTR-double(2)
    21 line: 0.netflix.io/?token=DalFox" />
    28 line: 0.netflix.io/?token=DalFo
[I] Reflected immagine param => Injected: /inATTR-double(2)
    21 line: etflix.io/?immagine=DalFox" />
    28 line: etflix.io/?immagine=DalFo
[I] Reflected data param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?data=DalFox" />
    28 line: 20.netflix.io/?data=DalFo
[I] Reflected type param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?type=DalFox" />
    28 line: 20.netflix.io/?type=DalFo
[I] Reflected api_key param => Injected: /inATTR-double(2)
    21 line: netflix.io/?api_key=DalFox" />
    28 line: netflix.io/?api_key=DalFo
[I] Reflected l param => Injected: /inATTR-double(2)
    21 line: 72020.netflix.io/?l=DalFox" />
    28 line: 72020.netflix.io/?l=DalFo
[I] Reflected csrf_token param => Injected: /inATTR-double(2)
    21 line: flix.io/?csrf_token=DalFox" />
    28 line: flix.io/?csrf_token=DalFo
[I] Reflected window param => Injected: /inATTR-double(2)
    21 line: .netflix.io/?window=DalFox" />
    28 line: .netflix.io/?window=DalFo
[I] Reflected url param => Injected: /inATTR-double(2)
    21 line: 020.netflix.io/?url=DalFox" />
    28 line: 020.netflix.io/?url=DalFo
[I] Reflected dir param => Injected: /inATTR-double(2)
    21 line: 020.netflix.io/?dir=DalFox" />
    28 line: 020.netflix.io/?dir=DalFo
[I] Reflected item param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?item=DalFox" />
    28 line: 20.netflix.io/?item=DalFo
[I] Reflected file param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?file=DalFox" />
    28 line: 20.netflix.io/?file=DalFo
[I] Reflected s param => Injected: /inATTR-double(2)
    21 line: 72020.netflix.io/?s=DalFox" />
    28 line: 72020.netflix.io/?s=DalFo
[I] Reflected keyword param => Injected: /inATTR-double(2)
    21 line: netflix.io/?keyword=DalFox" />
    28 line: netflix.io/?keyword=DalFo
[I] Reflected id param => Injected: /inATTR-double(2)
    21 line: 2020.netflix.io/?id=DalFox" />
    28 line: 2020.netflix.io/?id=DalFo
[I] Reflected categoryid param => Injected: /inATTR-double(2)
    21 line: flix.io/?categoryid=DalFox" />
    28 line: flix.io/?categoryid=DalFo
[I] Reflected username param => Injected: /inATTR-double(2)
    21 line: etflix.io/?username=DalFox" />
    28 line: etflix.io/?username=DalFo
[I] Reflected query param => Injected: /inATTR-double(2)
    21 line: 0.netflix.io/?query=DalFox" />
    28 line: 0.netflix.io/?query=DalFo
[I] Reflected goto param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?goto=DalFox" />
    28 line: 20.netflix.io/?goto=DalFo
[I] Reflected year param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?year=DalFox" />
    28 line: 20.netflix.io/?year=DalFo
[I] Reflected api param => Injected: /inATTR-double(2)
    21 line: 020.netflix.io/?api=DalFox" />
    28 line: 020.netflix.io/?api=DalFo
[I] Reflected host param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?host=DalFox" />
    28 line: 20.netflix.io/?host=DalFo
[I] Reflected search param => Injected: /inATTR-double(2)
    21 line: .netflix.io/?search=DalFox" />
    28 line: .netflix.io/?search=DalFo
[I] Reflected page param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?page=DalFox" />
    28 line: 20.netflix.io/?page=DalFo
[I] Reflected q param => Injected: /inATTR-double(2)
    21 line: 72020.netflix.io/?q=DalFox" />
    28 line: 72020.netflix.io/?q=DalFo
[I] Reflected keywords param => Injected: /inATTR-double(2)
    21 line: etflix.io/?keywords=DalFox" />
    28 line: etflix.io/?keywords=DalFo
[I] Reflected feed param => Injected: /inATTR-double(2)
    21 line: 20.netflix.io/?feed=DalFox" />
    28 line: 20.netflix.io/?feed=DalFo
[I] Reflected name param => Injected: /inATTR-double(2)
21 line: 20.netflix.io/?name=DalFox" /> 28 line: 20.netflix.io/?name=DalFo [I] Reflected callback param => Injected: /inATTR-double(2) - 21 line: etflix.io/?callback=DalFox" /> 28 line: etflix.io/?callback=DalFo [I] Reflected img_url param => Injected: /inATTR-double(2) . 21 line: netflix.io/?img_url=DalFox" /> 28 line: netflix.io/?img_url=DalFo [I] Reflected view param => Injected: /inATTR-double(2) - . 21 line: 20.netflix.io/?view=DalFox" /> 28 line: 20.netflix.io/?view=DalFo [I] Reflected begindate param => Injected: /inATTR-double(2) - . 21 line: tflix.io/?begindate=DalFox" /> 28 line: tflix.io/?begindate=DalFo [I] Reflected page_id param => Injected: /inATTR-double(2) . - 21 line: netflix.io/?page_id=DalFox" /> 28 line: netflix.io/?page_id=DalFo [I] Reflected email param => Injected: /inATTR-double(2) - . 21 line: 0.netflix.io/?email=DalFox" /> 28 line: 0.netflix.io/?email=DalFo [I] Reflected key param => Injected: /inATTR-double(2) - . 21 line: 020.netflix.io/?key=DalFox" /> 28 line: 020.netflix.io/?key=DalFo [I] Reflected month param => Injected: /inATTR-double(2) - . 21 line: 0.netflix.io/?month=DalFox" /> 28 line: 0.netflix.io/?month=DalFo [I] Reflected password param => Injected: /inATTR-double(2) - 21 line: etflix.io/?password=DalFox" /> 28 line: etflix.io/?password=DalFo [I] Reflected terms param => Injected: /inATTR-double(2) - 21 line: 0.netflix.io/?terms=DalFox" /> 28 line: 0.netflix.io/?terms=DalFo [I] Reflected html param => Injected: /inATTR-double(2) - . 21 line: 20.netflix.io/?html=DalFox" /> 28 line: 20.netflix.io/?html=DalFo [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. 
with 6633 queries 🗑 [*] Finish :D ______________________________________________________ [*] Target URL: https://test.dark.netflix.io [*] Vaild target [ code:200 / size:5315 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 [*] BAV analysis done ✓ [I] Found 0 testing point in DOM Mining [*] Static analysis done ✓ [*] Parameter analysis done ✓utines [I] Content-Type is text/html; charset=UTF-8 [I] Reflected view param => Injected: /inATTR-double(2) . - 21 line: .io/index.html?view=DalFox" /> 28 line: .io/index.html?view=DalFo [I] Reflected item param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?item=DalFox" /> 28 line: .io/index.html?item=DalFo [I] Reflected jsonp param => Injected: /inATTR-double(2) 21 line: io/index.html?jsonp=DalFox" /> 28 line: io/index.html?jsonp=DalFo [I] Reflected page_id param => Injected: /inATTR-double(2) - . 21 line: /index.html?page_id=DalFox" /> 28 line: /index.html?page_id=DalFo [I] Reflected rurl param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?rurl=DalFox" /> 28 line: .io/index.html?rurl=DalFo [I] Reflected file_name param => Injected: /inATTR-double(2) - . 21 line: ndex.html?file_name=DalFox" /> 28 line: ndex.html?file_name=DalFo [I] Reflected month param => Injected: /inATTR-double(2) 21 line: io/index.html?month=DalFox" /> 28 line: io/index.html?month=DalFo [I] Reflected page param => Injected: /inATTR-double(2) . - 21 line: .io/index.html?page=DalFox" /> 28 line: .io/index.html?page=DalFo [I] Reflected password param => Injected: /inATTR-double(2) - . 21 line: index.html?password=DalFox" /> 28 line: index.html?password=DalFo [I] Reflected categoryid param => Injected: /inATTR-double(2) . 
21 line: dex.html?categoryid=DalFox" /> 28 line: dex.html?categoryid=DalFo [I] Reflected immagine param => Injected: /inATTR-double(2) 21 line: index.html?immagine=DalFox" /> 28 line: index.html?immagine=DalFo [I] Reflected data param => Injected: /inATTR-double(2) 21 line: .io/index.html?data=DalFox" /> 28 line: .io/index.html?data=DalFo [I] Reflected query param => Injected: /inATTR-double(2) - . 21 line: io/index.html?query=DalFox" /> 28 line: io/index.html?query=DalFo [I] Reflected s param => Injected: /inATTR-double(2) - . 21 line: lix.io/index.html?s=DalFox" /> 28 line: lix.io/index.html?s=DalFo [I] Reflected list_type param => Injected: /inATTR-double(2) . - 21 line: ndex.html?list_type=DalFox" /> 28 line: ndex.html?list_type=DalFo [I] Reflected image_url param => Injected: /inATTR-double(2) . - 21 line: ndex.html?image_url=DalFox" /> 28 line: ndex.html?image_url=DalFo [I] Reflected file_url param => Injected: /inATTR-double(2) . - 21 line: index.html?file_url=DalFox" /> 28 line: index.html?file_url=DalFo [I] Reflected q param => Injected: /inATTR-double(2) - . 21 line: lix.io/index.html?q=DalFox" /> 28 line: lix.io/index.html?q=DalFo [I] Reflected cat param => Injected: /inATTR-double(2) . - 21 line: x.io/index.html?cat=DalFox" /> 28 line: x.io/index.html?cat=DalFo [I] Reflected keywords param => Injected: /inATTR-double(2) . - 21 line: index.html?keywords=DalFox" /> 28 line: index.html?keywords=DalFo [I] Reflected goto param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?goto=DalFox" /> 28 line: .io/index.html?goto=DalFo [I] Reflected begindate param => Injected: /inATTR-double(2) 21 line: ndex.html?begindate=DalFox" /> 28 line: ndex.html?begindate=DalFo [I] Reflected url param => Injected: /inATTR-double(2) . - 21 line: x.io/index.html?url=DalFox" /> 28 line: x.io/index.html?url=DalFo [I] Reflected id param => Injected: /inATTR-double(2) - . 
21 line: ix.io/index.html?id=DalFox" /> 28 line: ix.io/index.html?id=DalFo [I] Reflected emailto param => Injected: /inATTR-double(2) - . 21 line: /index.html?emailto=DalFox" /> 28 line: /index.html?emailto=DalFo [I] Reflected p param => Injected: /inATTR-double(2) . - 21 line: lix.io/index.html?p=DalFox" /> 28 line: lix.io/index.html?p=DalFo [I] Reflected domain param => Injected: /inATTR-double(2) - . 21 line: o/index.html?domain=DalFox" /> 28 line: o/index.html?domain=DalFo [I] Reflected l param => Injected: /inATTR-double(2) 21 line: lix.io/index.html?l=DalFox" /> 28 line: lix.io/index.html?l=DalFo [I] Reflected key param => Injected: /inATTR-double(2) 21 line: x.io/index.html?key=DalFox" /> 28 line: x.io/index.html?key=DalFo [I] Reflected keyword param => Injected: /inATTR-double(2) - . 21 line: /index.html?keyword=DalFox" /> 28 line: /index.html?keyword=DalFo [I] Reflected host param => Injected: /inATTR-double(2) . - 21 line: .io/index.html?host=DalFox" /> 28 line: .io/index.html?host=DalFo [I] Reflected unsubscribe_token param => Injected: /inATTR-double(2) . - 21 line: l?unsubscribe_token=DalFox" /> 28 line: l?unsubscribe_token=DalFo [I] Reflected feed param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?feed=DalFox" /> 28 line: .io/index.html?feed=DalFo [I] Reflected lang param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?lang=DalFox" /> 28 line: .io/index.html?lang=DalFo [I] Reflected go param => Injected: /inATTR-double(2) - . 21 line: ix.io/index.html?go=DalFox" /> 28 line: ix.io/index.html?go=DalFo [I] Reflected file param => Injected: /inATTR-double(2) 21 line: .io/index.html?file=DalFox" /> 28 line: .io/index.html?file=DalFo [I] Reflected enddate param => Injected: /inATTR-double(2) - 21 line: /index.html?enddate=DalFox" /> 28 line: /index.html?enddate=DalFo [I] Reflected api param => Injected: /inATTR-double(2) . 
21 line: x.io/index.html?api=DalFox" /> 28 line: x.io/index.html?api=DalFo [I] Reflected csrf_token param => Injected: /inATTR-double(2) - . 21 line: dex.html?csrf_token=DalFox" /> 28 line: dex.html?csrf_token=DalFo [I] Reflected html param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?html=DalFox" /> 28 line: .io/index.html?html=DalFo [I] Reflected name param => Injected: /inATTR-double(2) - . 21 line: .io/index.html?name=DalFox" /> 28 line: .io/index.html?name=DalFo [I] Reflected username param => Injected: /inATTR-double(2) 21 line: index.html?username=DalFox" /> 28 line: index.html?username=DalFo [I] Reflected return param => Injected: /inATTR-double(2) - 21 line: o/index.html?return=DalFox" /> 28 line: o/index.html?return=DalFo [I] Reflected terms param => Injected: /inATTR-double(2) . - 21 line: io/index.html?terms=DalFox" /> 28 line: io/index.html?terms=DalFo [I] Reflected dir param => Injected: /inATTR-double(2) - . 21 line: x.io/index.html?dir=DalFox" /> 28 line: x.io/index.html?dir=DalFo [I] Reflected callback param => Injected: /inATTR-double(2) 21 line: index.html?callback=DalFox" /> 28 line: index.html?callback=DalFo [I] Reflected token param => Injected: /inATTR-double(2) 21 line: io/index.html?token=DalFox" /> 28 line: io/index.html?token=DalFo [I] Reflected year param => Injected: /inATTR-double(2) 21 line: .io/index.html?year=DalFox" /> 28 line: .io/index.html?year=DalFo [I] Reflected show param => Injected: /inATTR-double(2) . - 21 line: .io/index.html?show=DalFox" /> 28 line: .io/index.html?show=DalFo [I] Reflected api_key param => Injected: /inATTR-double(2) 21 line: /index.html?api_key=DalFox" /> 28 line: /index.html?api_key=DalFo [I] Reflected type param => Injected: /inATTR-double(2) . - 21 line: .io/index.html?type=DalFox" /> 28 line: .io/index.html?type=DalFo [I] Reflected search param => Injected: /inATTR-double(2) - . 
21 line: o/index.html?search=DalFox" /> 28 line: o/index.html?search=DalFo [I] Reflected img_url param => Injected: /inATTR-double(2) 21 line: /index.html?img_url=DalFox" /> 28 line: /index.html?img_url=DalFo [I] Reflected email param => Injected: /inATTR-double(2) - . 21 line: io/index.html?email=DalFox" /> 28 line: io/index.html?email=DalFo [I] Reflected window param => Injected: /inATTR-double(2) - . 21 line: o/index.html?window=DalFox" /> 28 line: o/index.html?window=DalFo [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. with 6633 queries 🗑 [*] Finish :D ___________________________________________ [*] Target URL: https://andrewhasaboner.microsites.netflix.io [*] Vaild target [ code:200 / size:5477 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 [*] BAV analysis done ✓ [I] Found 1 testing point in DOM Mining [*] Static analysis done ✓ [*] Parameter analysis done ✓outines [I] Content-Type is text/html; charset=UTF-8 [I] Reflected file_name param => Injected: /inATTR-double(1) . - 24 line: tflix.io/?file_name=DalFo [I] Reflected html param => Injected: /inATTR-double(1) . - 24 line: es.netflix.io/?html=DalFo [I] Reflected show param => Injected: /inATTR-double(1) . - 24 line: es.netflix.io/?show=DalFo [I] Reflected l param => Injected: /inATTR-double(1) 24 line: sites.netflix.io/?l=DalFo [I] Reflected api_key param => Injected: /inATTR-double(1) 24 line: netflix.io/?api_key=DalFo [I] Reflected return param => Injected: /inATTR-double(1) . 
- 24 line: .netflix.io/?return=DalFo [I] Reflected password param => Injected: /inATTR-double(1) 24 line: etflix.io/?password=DalFo [I] Reflected host param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?host=DalFo [I] Reflected img_url param => Injected: /inATTR-double(1) . - 24 line: netflix.io/?img_url=DalFo [I] Reflected immagine param => Injected: /inATTR-double(1) . - 24 line: etflix.io/?immagine=DalFo [I] Reflected query param => Injected: /inATTR-double(1) . - 24 line: s.netflix.io/?query=DalFo [I] Reflected url param => Injected: /inATTR-double(1) 24 line: tes.netflix.io/?url=DalFo [I] Reflected domain param => Injected: /inATTR-double(1) . - 24 line: .netflix.io/?domain=DalFo [I] Reflected month param => Injected: /inATTR-double(1) - 24 line: s.netflix.io/?month=DalFo [I] Reflected p param => Injected: /inATTR-double(1) - . 24 line: sites.netflix.io/?p=DalFo [I] Reflected name param => Injected: /inATTR-double(1) . - 24 line: es.netflix.io/?name=DalFo [I] Reflected go param => Injected: /inATTR-double(1) - . 24 line: ites.netflix.io/?go=DalFo [I] Reflected key param => Injected: /inATTR-double(1) - . 24 line: tes.netflix.io/?key=DalFo [I] Reflected s param => Injected: /inATTR-double(1) 24 line: sites.netflix.io/?s=DalFo [I] Reflected terms param => Injected: /inATTR-double(1) 24 line: s.netflix.io/?terms=DalFo [I] Reflected callback param => Injected: /inATTR-double(1) - 24 line: etflix.io/?callback=DalFo [I] Reflected unsubscribe_token param => Injected: /inATTR-double(1) . - 24 line: /?unsubscribe_token=DalFo [I] Reflected view param => Injected: /inATTR-double(1) - 24 line: es.netflix.io/?view=DalFo [I] Reflected keywords param => Injected: /inATTR-double(1) 24 line: etflix.io/?keywords=DalFo [I] Reflected emailto param => Injected: /inATTR-double(1) . 24 line: netflix.io/?emailto=DalFo [I] Reflected image_url param => Injected: /inATTR-double(1) . 
- 24 line: tflix.io/?image_url=DalFo [I] Reflected page_id param => Injected: /inATTR-double(1) . - 24 line: netflix.io/?page_id=DalFo [I] Reflected categoryid param => Injected: /inATTR-double(1) 24 line: flix.io/?categoryid=DalFo [I] Reflected csrf_token param => Injected: /inATTR-double(1) . - 24 line: flix.io/?csrf_token=DalFo [I] Reflected goto param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?goto=DalFo [I] Reflected file_url param => Injected: /inATTR-double(1) - . 24 line: etflix.io/?file_url=DalFo [I] Reflected email param => Injected: /inATTR-double(1) - . 24 line: s.netflix.io/?email=DalFo [I] Reflected param => Injected: /inATTR-double(1) . 24 line: osites.netflix.io/?=DalFo [I] Reflected dir param => Injected: /inATTR-double(1) . - 24 line: tes.netflix.io/?dir=DalFo [I] Reflected username param => Injected: /inATTR-double(1) - 24 line: etflix.io/?username=DalFo [I] Reflected jsonp param => Injected: /inATTR-double(1) . - 24 line: s.netflix.io/?jsonp=DalFo [I] Reflected page param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?page=DalFo [I] Reflected window param => Injected: /inATTR-double(1) . 24 line: .netflix.io/?window=DalFo [I] Reflected lang param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?lang=DalFo [I] Reflected rurl param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?rurl=DalFo [I] Reflected api param => Injected: /inATTR-double(1) . - 24 line: tes.netflix.io/?api=DalFo [I] Reflected token param => Injected: /inATTR-double(1) 24 line: s.netflix.io/?token=DalFo [I] Reflected list_type param => Injected: /inATTR-double(1) - . 24 line: tflix.io/?list_type=DalFo [I] Reflected feed param => Injected: /inATTR-double(1) . - 24 line: es.netflix.io/?feed=DalFo [I] Reflected id param => Injected: /inATTR-double(1) 24 line: ites.netflix.io/?id=DalFo [I] Reflected search param => Injected: /inATTR-double(1) - . 24 line: .netflix.io/?search=DalFo [I] Reflected cat param => Injected: /inATTR-double(1) . 
- 24 line: tes.netflix.io/?cat=DalFo [I] Reflected data param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?data=DalFo [I] Reflected keyword param => Injected: /inATTR-double(1) 24 line: netflix.io/?keyword=DalFo [I] Reflected begindate param => Injected: /inATTR-double(1) . - 24 line: tflix.io/?begindate=DalFo [I] Reflected enddate param => Injected: /inATTR-double(1) 24 line: netflix.io/?enddate=DalFo [I] Reflected year param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?year=DalFo [I] Reflected q param => Injected: /inATTR-double(1) 24 line: sites.netflix.io/?q=DalFo [I] Reflected type param => Injected: /inATTR-double(1) . - 24 line: es.netflix.io/?type=DalFo [I] Reflected item param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?item=DalFo [I] Reflected file param => Injected: /inATTR-double(1) 24 line: es.netflix.io/?file=DalFo [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. with 6753 queries 🗑 [*] Finish :D ____________________________________________________ [*] Target URL: https://biohackers-pressemappe.netflix.io [*] Vaild target [ code:200 / size:14761 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 
🔍 [*] BAV analysis done ✓ [*] Static analysis done ✓ng routines [I] Found 1 testing point in DOM Mining [*] Parameter analysis done ✓outines [I] Content-Type is text/html; charset=utf-8 [I] Strict-Transport-Security is max-age=15724800; includeSubDomains [I] Reflected window param => Injected: /inATTR-double(1) 7 line: p/amp?from=/?window=Dal [I] Reflected feed param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?feed=Dal [I] Reflected api param => Injected: /inATTR-double(1) 7 line: /amp/amp?from=/?api=Dal [I] Reflected html param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?html=Dal [I] Reflected categoryid param => Injected: /inATTR-double(1) 7 line: p?from=/?categoryid=Dal [I] Reflected api_key param => Injected: /inATTR-double(1) 7 line: /amp?from=/?api_key=Dal [I] Reflected csrf_token param => Injected: /inATTR-double(1) 7 line: p?from=/?csrf_token=Dal [I] Reflected q param => Injected: /inATTR-double(1) 7 line: io/amp/amp?from=/?q=Dal [I] Reflected dir param => Injected: /inATTR-double(1) 7 line: /amp/amp?from=/?dir=Dal [I] Reflected s param => Injected: /inATTR-double(1) 7 line: io/amp/amp?from=/?s=Dal [I] Reflected file_name param => Injected: /inATTR-double(1) 7 line: mp?from=/?file_name=Dal [I] Reflected emailto param => Injected: /inATTR-double(1) 7 line: /amp?from=/?emailto=Dal [I] Reflected password param => Injected: /inATTR-double(1) 7 line: amp?from=/?password=Dal [I] Reflected host param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?host=Dal [I] Reflected unsubscribe_token param => Injected: /inATTR-double(1) 7 line: /?unsubscribe_token=Dal [I] Reflected immagine param => Injected: /inATTR-double(1) 7 line: amp?from=/?immagine=Dal [I] Reflected username param => Injected: /inATTR-double(1) 7 line: amp?from=/?username=Dal [I] Reflected data param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?data=Dal [I] Reflected type param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?type=Dal [I] Reflected terms 
param => Injected: /inATTR-double(1) 7 line: mp/amp?from=/?terms=Dal [I] Reflected id param => Injected: /inATTR-double(1) 7 line: o/amp/amp?from=/?id=Dal [I] Reflected file_url param => Injected: /inATTR-double(1) 7 line: amp?from=/?file_url=Dal [I] Reflected month param => Injected: /inATTR-double(1) 7 line: mp/amp?from=/?month=Dal [I] Reflected list_type param => Injected: /inATTR-double(1) 7 line: mp?from=/?list_type=Dal [I] Reflected page_id param => Injected: /inATTR-double(1) 7 line: /amp?from=/?page_id=Dal [I] Reflected show param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?show=Dal [I] Reflected query param => Injected: /inATTR-double(1) 7 line: mp/amp?from=/?query=Dal [I] Reflected rurl param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?rurl=Dal [I] Reflected lang param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?lang=Dal [I] Reflected search param => Injected: /inATTR-double(1) 7 line: p/amp?from=/?search=Dal [I] Reflected go param => Injected: /inATTR-double(1) 7 line: o/amp/amp?from=/?go=Dal [I] Reflected keywords param => Injected: /inATTR-double(1) 7 line: amp?from=/?keywords=Dal [I] Reflected view param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?view=Dal [I] Reflected begindate param => Injected: /inATTR-double(1) 7 line: mp?from=/?begindate=Dal [I] Reflected enddate param => Injected: /inATTR-double(1) 7 line: /amp?from=/?enddate=Dal [I] Reflected goto param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?goto=Dal [I] Reflected return param => Injected: /inATTR-double(1) 7 line: p/amp?from=/?return=Dal [I] Reflected domain param => Injected: /inATTR-double(1) 7 line: p/amp?from=/?domain=Dal [I] Reflected page param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?page=Dal [I] Reflected token param => Injected: /inATTR-double(1) 7 line: mp/amp?from=/?token=Dal [I] Reflected name param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?name=Dal [I] Reflected key param => Injected: 
/inATTR-double(1) 7 line: /amp/amp?from=/?key=Dal [I] Reflected p param => Injected: /inATTR-double(1) 7 line: io/amp/amp?from=/?p=Dal [I] Reflected l param => Injected: /inATTR-double(1) 7 line: io/amp/amp?from=/?l=Dal [I] Reflected item param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?item=Dal [I] Reflected file param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?file=Dal [I] Reflected image_url param => Injected: /inATTR-double(1) 7 line: mp?from=/?image_url=Dal [I] Reflected year param => Injected: /inATTR-double(1) 7 line: amp/amp?from=/?year=Dal [I] Reflected cat param => Injected: /inATTR-double(1) 7 line: /amp/amp?from=/?cat=Dal [I] Reflected url param => Injected: /inATTR-double(1) 7 line: /amp/amp?from=/?url=Dal [I] Reflected callback param => Injected: /inATTR-double(1) 7 line: amp?from=/?callback=Dal [I] Reflected email param => Injected: /inATTR-double(1) 7 line: mp/amp?from=/?email=Dal [I] Reflected keyword param => Injected: /inATTR-double(1) 7 line: /amp?from=/?keyword=Dal [I] Reflected jsonp param => Injected: /inATTR-double(1) 7 line: mp/amp?from=/?jsonp=Dal [I] Reflected img_url param => Injected: /inATTR-double(1) 7 line: /amp?from=/?img_url=Dal [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. with 6633 queries 🗑 [*] Finish :D [*] Target URL: http://makeit.netflix.io [*] Vaild target [ code:200 / size:33831 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 [*] BAV analysis done ✓ [I] Found 0 testing point in DOM Mining [*] Static analysis done ✓ [*] Parameter analysis done ✓outines [I] Content-Type is text/html; charset=utf-8 [I] X-Frame-Options is SAMEORIGIN [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. 
with 33 queries 🗑 [*] Finish :D [*] Target URL: http://makeit.test.netflix.io [*] Vaild target [ code:200 / size:33846 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 [*] BAV analysis done ✓ [I] Found 0 testing point in DOM Mining [*] Static analysis done ✓ [*] Parameter analysis done ✓outines [I] Content-Type is text/html; charset=utf-8 [I] X-Frame-Options is SAMEORIGIN [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. with 33 queries 🗑 [*] Finish :D
```

```
____________________________________________________ [*] Target URL: https://partnerhelp.netflixstudios.com/api/v2/help_center/en-us/articles.json?label_names=covid [*] Vaild target [ code:200 / size:141 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 [I] Found 0 testing point in DOM Mining [*] Static analysis done ✓ [*] BAV analysis done ✓ting routines [*] Parameter analysis done ✓utines [I] Content-Type is application/json; charset=utf-8 [I] X-Frame-Options is SAMEORIGIN [I] Strict-Transport-Security is max-age=259200; [I] Access-Control-Allow-Origin is * [I] Reflected callback param => Injected: /inHTML-none(1) 1 line: DalFox({"count":0,"next_page":null,"page":1,"page_count":0,"per_page":30,"p [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Type is 'application/json; charset=utf-8', It does not test except customized payload (custom/blind). 
________________________________________ [*] Target URL: https://partnerhelp.netflixstudios.com/hc/en-us/sections/203547178-Automated-QC-Error-Messages?page=2 [*] Vaild target [ code:200 / size:29085 ] [*] Using dictionary mining option [list=GF-Patterns] 📚⛏ [*] Using DOM mining option 📦⛏ [*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect] 🔍 [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 [I] Found 2 testing point in DOM Mining [*] Static analysis done ✓ [*] BAV analysis done ✓ting routines [*] Parameter analysis done ✓utines [I] Strict-Transport-Security is max-age=259200; [I] Content-Type is text/html; charset=utf-8 [I] X-Frame-Options is SAMEORIGIN [I] Reflected data param => Injected: /inATTR-double(2) 101 line: page%3D2%26return%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 583%2589%3Freturn%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected begindate param => Injected: /inATTR-double(2) 101 line: rror-Messages%3Fp%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fp%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected key param => Injected: /inATTR-double(2) 101 line: or-Messages%3Fkey%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2583%2589%3Fkey%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected emailto param => Injected: /inATTR-double(2) 101 line: rror-Messages%3Fp%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fp%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected username param => Injected: /inATTR-double(2) 101 line: ge%3D2%26username%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 3%2589%3Fusername%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected feed param => Injected: /inATTR-double(2) 101 line: r-Messages%3Ffeed%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Ffeed%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected html param => 
Injected: /inATTR-double(2) 101 line: r-Messages%3Fhtml%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Fhtml%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected goto param => Injected: /inATTR-double(2) 101 line: r-Messages%3Fgoto%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Fgoto%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected keywords param => Injected: /inATTR-double(2) 101 line: ssages%3Fkeywords%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2589%3Fkeywords%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected immagine param => Injected: /inATTR-double(2) 101 line: ssages%3Fimmagine%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2589%3Fimmagine%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected search param => Injected: /inATTR-double(2) 101 line: page%3D2%26search%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 583%2589%3Fsearch%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected callback param => Injected: /inATTR-double(2) 101 line: ssages%3Fcallback%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2589%3Fcallback%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected page param => Injected: /inATTR-double(1) . 
- 101 line: -Messages%3Fpage%3D2DalFox&amp;locale=en-us">Sign i [I] Reflected domain param => Injected: /inATTR-double(1) 101 line: Messages%3Fdomain%3DDalFox%26page%3D2&amp;locale=en-us">Sign i [I] Reflected lang param => Injected: /inATTR-double(2) 101 line: r-Messages%3Flang%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Flang%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected email param => Injected: /inATTR-double(2) 101 line: -Messages%3Femail%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 2583%2589%3Femail%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected page_id param => Injected: /inATTR-double(2) 101 line: age%3D2%26page_id%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 83%2589%3Fpage_id%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected list_type param => Injected: /inATTR-double(2) 101 line: sages%3Flist_type%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2589%3Flist_type%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected return param => Injected: /inATTR-double(2) 101 line: page%3D2%26return%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 583%2589%3Freturn%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected dir param => Injected: /inATTR-double(2) 101 line: or-Messages%3Fdir%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2583%2589%3Fdir%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected view param => Injected: /inATTR-double(2) 101 line: 3Fpage%3D2%26view%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Fview%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected window param => Injected: /inATTR-double(2) 101 line: page%3D2%26window%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 583%2589%3Fwindow%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected api_key param => Injected: /inATTR-double(2) 101 line: essages%3Fapi_key%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 
83%2589%3Fapi_key%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected show param => Injected: /inATTR-double(2) 101 line: 3Fpage%3D2%26show%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Fshow%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected go param => Injected: /inATTR-double(2) 101 line: ror-Messages%3Fgo%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: E3%2583%2589%3Fgo%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected image_url param => Injected: /inATTR-double(2) 101 line: sages%3Fimage_url%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2589%3Fimage_url%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected host param => Injected: /inATTR-double(1) 101 line: r-Messages%3Fhost%3DDalFox%26page%3D2&amp;locale=en-us">Sign i [I] Reflected file_name param => Injected: /inATTR-double(2) 101 line: sages%3Ffile_name%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2589%3Ffile_name%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected file param => Injected: /inATTR-double(2) 101 line: r-Messages%3Ffile%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Ffile%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected query param => Injected: /inATTR-double(2) 101 line: Fpage%3D2%26query%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 2583%2589%3Fquery%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected month param => Injected: /inATTR-double(2) 101 line: age%3D2%26page_id%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 83%2589%3Fpage_id%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected csrf_token param => Injected: /inATTR-double(2) 101 line: Fpage%3D2%26query%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 2583%2589%3Fquery%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected name param => Injected: /inATTR-double(2) 101 line: r-Messages%3Fname%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 
%2583%2589%3Fname%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected s param => Injected: /inATTR-double(2) 101 line: es%3Fpage%3D2%26s%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fs%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected id param => Injected: /inATTR-double(1) - . 101 line: ror-Messages%3Fid%3DDalFox%26page%3D2&amp;locale=en-us">Sign i [I] Reflected q param => Injected: /inATTR-double(2) 101 line: es%3Fpage%3D2%26q%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fq%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected categoryid param => Injected: /inATTR-double(2) 101 line: ages%3Fcategoryid%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 2589%3Fcategoryid%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected type param => Injected: /inATTR-double(2) 101 line: 3Fpage%3D2%26type%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Ftype%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected l param => Injected: /inATTR-double(2) 101 line: rror-Messages%3Fl%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fl%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected url param => Injected: /inATTR-double(2) 101 line: %3Fpage%3D2%26url%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: 3%2583%2589%3Furl%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected file_url param => Injected: /inATTR-double(2) 101 line: ssages%3Ffile_url%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2589%3Ffile_url%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected rurl param => Injected: /inATTR-double(2) 101 line: 3Fpage%3D2%26rurl%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Frurl%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected terms param => Injected: /inATTR-double(2) 101 line: rror-Messages%3Fp%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fp%3DDalFox" dir="ltr" 
rel="nofollow" role="menui [I] Reflected utf8 param => Injected: /inATTR-double(2) 101 line: 3Fpage%3D2%26utf8%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Futf8%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected item param => Injected: /inATTR-double(2) 101 line: 3Fpage%3D2%26utf8%3DDalFox&amp;locale=en-us">Sign in</a> 458 line: %2583%2589%3Futf8%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected img_url param => Injected: /inATTR-double(2) 101 line: essages%3Fimg_url%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 83%2589%3Fimg_url%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected keyword param => Injected: /inATTR-double(2) 101 line: essages%3Fkeyword%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 83%2589%3Fkeyword%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected api param => Injected: /inATTR-double(2) 101 line: or-Messages%3Fapi%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 3%2583%2589%3Fapi%3DDalFox" dir="ltr" rel="nofollow" role="menui [I] Reflected p param => Injected: /inATTR-double(2) 101 line: rror-Messages%3Fp%3DDalFox%26page%3D2&amp;locale=en-us">Sign in</a> 458 line: 5E3%2583%2589%3Fp%3DDalFox" dir="ltr" rel="nofollow" role="menui [*] Generate XSS payload and optimization.Optimization.. 🛠 [*] Start XSS Scanning.. with 5913 queries 🗑 [*] Finish :D ___________________________________________
```