By Brute Logic
Research & Development in Offensive Security.

FREQUENTLY ASKED QUESTIONS

What does KNOXSS do?

KNOXSS finds source-based and DOM-based reflected and stored XSS in vulnerable pages, using the components of the URL (path and query parameters) as entry points, as well as form fields (the latter automatically with the browser add-on). To see all the XSS cases KNOXSS is able to spot, check our XSS Coverage.

How do I use KNOXSS?

The basic usage is just to copy and paste the target URL into the main field of the web interface (at /pro). That covers unauthenticated GET requests, which are most scenarios out there. For POST requests, you need to provide the action URL in the main field and the POST body (name=value pairs separated by an & sign) in the left box that appears after clicking the "Extra Data" button. For authenticated requests, there is a right box after clicking "Extra Data" where you provide HTTP headers (usually cookies) in the format header:value, one per line.

What doesn't KNOXSS do (yet)?

KNOXSS has no advanced DOM-based testing and discovery capabilities, although it can detect and exploit some common DOM-based cases (see our XSS Coverage for those). The current state of the browser add-on also can't pass through authentication methods not based solely on cookies, although the web interface allows the user to supply any authentication header before sending the requests. KNOXSS also can't test a target if its IP address is blacklisted. It also can't submit JSON requests, so stored XSS based on those is not covered by the tool (the reflected type is hard to automate).

How does KNOXSS work?

It takes the target and all the associated data provided and checks whether there is a reflection of each URL or POST body parameter, along with the URL path (for friendly URLs). If it finds a reflection somewhere, in the response or in associated JS calls, it decides which type of injection to use (HTML or JS injection). Finally it tries several specific XSS vectors in order to pop an alert box and prove the vulnerability.
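The reflection-then-context step described above is also a useful check on the defending side: a developer can run it against their own page's output to confirm that an echoed parameter is encoded in every context. The following is an added illustration, not KNOXSS code; the probe token, the function and the sample HTML are constructed for this example.

```python
import html
import re

# Constructed probe token: a unique string carrying the characters that matter
# for breaking out of HTML or JS contexts. It is a harmless marker, not a payload.
PROBE = 'kx7"\'<>'


def reflection_contexts(body: str, probe: str = PROBE) -> list:
    """Classify every *unencoded* reflection of `probe` in a response body.

    Returns one entry per raw reflection: "js" when the copy sits inside a
    <script> block, "html_attr" when it sits inside a tag, "html_text" otherwise.
    Copies whose special characters were encoded (e.g. &quot; &lt;) are not
    listed, since encoded output cannot change the page's structure.
    """
    scripts = [(m.start(), m.end())
               for m in re.finditer(r"<script\b[^>]*>.*?</script>", body, re.I | re.S)]
    found = []
    for m in re.finditer(re.escape(probe), body):
        pos = m.start()
        if any(start <= pos < end for start, end in scripts):
            found.append("js")
            continue
        # Inside a tag if the nearest '<' before the hit is not yet closed by a '>'.
        last_open = body.rfind("<", 0, pos)
        last_close = body.rfind(">", 0, pos)
        found.append("html_attr" if last_open > last_close else "html_text")
    return found


def is_encoded_everywhere(body: str, probe: str = PROBE) -> bool:
    """True when no raw copy of the probe survives in the response."""
    return not reflection_contexts(body, probe)


# Constructed sample responses: one that encodes the parameter, one that does not.
SAFE_PAGE = "<p>Results for " + html.escape(PROBE, quote=True) + "</p>"
UNSAFE_PAGE = ('<input value="' + PROBE + '">'
               '<script>var q="' + PROBE + '";</script>'
               "<p>" + PROBE + "</p>")

if __name__ == "__main__":
    print("safe:", reflection_contexts(SAFE_PAGE))      # []
    print("unsafe:", reflection_contexts(UNSAFE_PAGE))  # ['html_attr', 'js', 'html_text']
```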

Is KNOXSS better than other free XSS tools?

Definitely. You can check how KNOXSS compares to main free XSS tools here.

How to Properly Test on TestPHP VulnWeb?

In the web interface, use the action URL https://testphp.vulnweb.com/search.php as the Target URL, then click the Extra Data button to open the additional fields. In the left box, provide the POST variables searchFor=any&goButton=go and hit the OK button. After that you can hit the Test button. For the API, there is a section in the API Guidelines showing the same example with the API syntax.

How to Manage my Subscription?

In the left bar of the user dashboard there is a white "Manage my Subscription" link; click on it.

How does the KNOXSS browser add-on (legacy) work?

The KNOXSS browser add-on is an automated way to send every page of a chosen domain and all its subdomains to the KNOXSS online service while the user navigates through a website. Just one click is needed to activate it for *.domain, and it must be disabled and enabled again to change domains. If an XSS is found, it pops up the same window as the main web interface does and is deactivated with a red XSS state, to prevent recursive testing (testing the PoC window itself). The add-on also collects and sends all forms on the page for KNOXSS testing, as well as cookies. IMPORTANT: it is provided only as LEGACY SOFTWARE and is no longer maintained, but it still works in old Chrome-based browsers and especially in the current Firefox ESR branch.

Can KNOXSS be used with any browser?

Yes, although we recommend the latest versions of Chromium-based browsers such as Chromium, Google Chrome, Brave, Opera and Vivaldi.

Is KNOXSS accurate?

Absolutely. KNOXSS is (almost) free of false positives: it only pops the window with the PoC (Proof of Concept) if its engine validates it. By using WebKit, Blink and Gecko (the engines used by all major browsers) in the backend, it guarantees that there will be no false positives. False negatives are much harder to rule out, so if KNOXSS doesn't find the XSS (although it may find the reflection), that doesn't mean the target isn't exploitable.

Is KNOXSS able to bypass application filters and WAFs (Web Application Firewalls)?

Yes. KNOXSS employs some tricks to bypass them, mostly in pure JavaScript injections (no HTML), multi-reflection and DOM-based scenarios. It can also craft a specific bypass for a given target using the AFB feature.

What is the CheckPoC feature?

The CheckPoC switch in the Web UI enables a feature that lets you use KNOXSS to validate a PoC you already have. Just give KNOXSS the URL with the payload that pops the alert box and it will pop it for you, validating it. You must use the alert(), prompt() or confirm() functions with the number 1, like alert(1), or with the letter 'k', like alert('k'). It is useful for checking a False Negative (when KNOXSS can't detect a valid XSS) so we can track and fix the issue within the code or payload. It can also be used to test bypasses in an automated fashion through the API, by building a list containing the same URL with different payloads (check the API Guidelines).

What is Flash Mode and how do I use it?

Flash Mode is an operation mode in which KNOXSS tries a single XSS vector without first performing the steps that look for evidence of a vulnerability. It improves speed a lot and can spot the most common XSS cases found out there, including DOM-based ones.

To use Flash Mode, just place an [XSS] mark where you want KNOXSS to try its XSS Polyglot.

Usage examples:

HTTP GET Method

Target Page: https://brutelogic.com.br/gym.php?p05=[XSS]

HTTP POST Method

Target Page: https://brutelogic.com.br/gym.php
POST Body: p05=[XSS]

How can I test other parameters when KNOXSS stops before testing them because of the XSS PoC (popup)?

Just change the order of the parameters in the URL or in the POST body, placing the vulnerable one (the one responsible for the popup) at the end. Example below.

The "a" parameter is vulnerable:

?a=aaa&b=bbb&c=ccc&d=ddd

Then, rearranging:

?b=bbb&c=ccc&d=ddd&a=aaa

Does KNOXSS have technical support?

Yes, there is an X (formerly Twitter) account, @KN0X55, for help with its usage, technical issues and feedback.

Can KNOXSS really help me find XSS bugs in bug bounty programs?

Yes, it can. It was developed with this in mind too. But KNOXSS needs to be used as part of a more extensive strategy, so as not to depend on luck. A workflow of other useful recon tools to define the attack surface, choose the best servers to try and sort the best URLs to submit for testing is the best way to go.

What is KNOXSS API and how to use it?

Please check the answer here.

May I submit a question to this FAQ?

Sure, just contact us on Twitter at @KN0X55 or drop us an email at brutelogic [at] null [dot] net.