By Brute Logic
Research & Development in Offensive Security.

 
Back to Top

FREQUENTLY ASKED QUESTIONS

1. What KNOXSS does?

Finds source-based and DOM-based reflected and stored XSS in vulnerable pages using components of URL (path and query parameters) as entry points and form fields (this last one automatically with browser add-on). To see all XSS cases KNOXSS is able to spot check our XSS Coverage.

2. What KNOXSS doesn't do (yet)

KNOXSS has no advanced DOM-based testing and discovering capabilities although it can detect and exploit some common DOM-based cases (see our XSS Coverage for those). Current state of browser add-on also can't pass through authentication methods not based solely in cookies although web interface allows user to inform any authentication header before sending the requests. KNOXSS also can't test a target if its IP address is blacklisted.

3. How KNOXSS works?

It takes the target and all associated data provided and check if there's a reflection in all URL or POST body parameters along with URL path (for friendly URLs). If it finds some reflection somewhere, in response or associated JS calls, it will take some decisions on what type of injection it will use (HTML or JS injection). Finally it will try several specific XSS vectors in order to pop an alert box to prove the vulnerability.

4. How KNOXSS browser add-on works?

KNOXSS browser add-on is an automated way to send to KNOXSS online service every page in a chosen domain and all its subdomains while user navigate through a website. Just a click is needed to activate it for *.domain and it must be disabled and enabled again to change domains. If a XSS is found, it will pop up the same window as the main web interface does and it will be deactivated with red XSS state, to prevent recursive testing (test the PoC window itself). KNOXSS add-on also gets and send all forms on page for KNOXSS testing as well as cookies.

5. Can KNOXSS be used with any browser?

Yes, although we recommend latest versions of Chromium-based ones like Chromium, Google Chrome, Brave, Opera and Vivaldi.

6. Is KNOXSS accurate?

Absolutely. KNOXSS is (almost) false positive free: it will only pop the window with PoC (Proof of Concept) if its engine validates it. By using WebKit, Blink and Gecko (engines used by all major browsers) in the backend, it guarantees that there will be no false positive. False negative is a way harder, so if KNOXSS doesn't find the XSS (although it may find the reflection) it doesn't mean it's not exploitable.

7. Is KNOXSS able to bypass application filters and WAFs (Web Application Firewalls)?

Yes. KNOXSS employs some tricks to bypass them mostly in pure Javascript injections (no HTML), multi reflection and DOM-based scenarios. It can also craft a specific bypass for a given target using AFB feature.

8. What is AFB?

AFB stands for Advanced Filter Bypass. It's a feature designed to find any character or set of characters that can be used to built a custom XSS vector or payload that is able to bypass WAF since it evades regular expressions but gets changed when used by page or application. Use it with caution and only if there's some WAF or any other similar filter in place, since it slows down KNOXSS perfomance due to extra tests made. It's automatically triggered when a WAF behavior is detected.

9. What is Flash Mode and how to use it?

Flash Mode is an operation mode in which KNOXSS tries an unique XSS vector without performing any previous steps to find an evidence of a vulnerability first. It improves speed a lot and can spot most common XSS Cases found out there including DOM-based ones.

To use Flash Mode just use a [XSS] mark where you want KNOXSS to try its XSS Polyglot.

Usage examples:

 

HTTP GET Method

Target Page: https://brutelogic.com.br/gym.php?p05=[XSS]

 

HTTP POST Method

Target Page: https://brutelogic.com.br/gym.php
POST Body: p05=[XSS]

10. How can I test other parameters when KNOXSS stops before testing them because of the XSS PoC (popup)?

Just change the order of the parameters in URL or in POST body, placing the vulnerable one (the one responsible for the popup) in the end. Example below.

 

The "a" parameter is vulnerable:

?a=aaa&b=bbb&c=ccc&d=ddd

Then, rearranging:

?b=bbb&c=ccc&d=ddd&a=aaa

11. Does KNOXSS have technical support?

Yes, there's a twitter account @KN0X55 to get help with its usage, technical issues and feedback.

12. Can KNOXSS really help me to find XSS bugs in bug bounty programs?

Yes, it can. It was developed with this in mind too. But KNOXSS needs to be used as part of a more extensive strategy, to not get depended on luck. An workflow of other useful recon tools to define the attack surface, choose the best servers to try on and sort the best URLs to submit to test is the best way to go.

13. What is KNOXSS API and how to use it?

Please check the answer here.

14. May I submit a question for this FAQ?

Sure, just contact us in Twitter @KN0X55 or drop us an email to brutelogic [at] null [dot] net.