Frequently Asked Questions
What KNOXSS does?
Finds source and DOM-based reflected and stored XSS in vulnerable pages using components of URL (path and query parameters) as entry points and form fields (this last one automatically with browser add-on).
What KNOXSS doesn't do (yet)
KNOXSS has no advanced DOM-based testing and discovering capabilities although it can detect and exploit some common DOM-based cases (see our default test page for those). Current state of browser add-on also can't pass through authentication methods not based solely in cookies although web interface allows user to inform any authentication header before sending the requests. KNOXSS also can't test a target if its IP address is blacklisted.
How KNOXSS works?
It takes the target and check if there's a reflection in all URL parameters for Demo and also in URL path and for Standard and Pro versions. If so, it will use its XSS vector, in Demo and Standard versions, this last one having a XSS polyglot capable to trigger in several contexts. In Pro version, it will take some decision on what type of injection it will use (HTML or JS injection) and then it will try several specific XSS vectors in order to find a right one.
How KNOXSS browser add-on works?
Exclusive to Standard and Pro plans, KNOXSS browser add-on is a way to send to KNOXSS every page in a chosen domain (and all its subdomains in Pro version) while user navigate through a website. In Standard version of add-on, user must click on icon when in target page to send it to main interface. In Pro, a click is needed to activate it for *.domain and it must be disabled and enabled again to change domains. If a XSS is found, it will pop up the same window as the main interface and will be deactivated with red XSS state, to prevent recursive testing (test the PoC window itself). Currently, both add-ons also get and send all forms on page for KNOXSS testing.
Can KNOXSS be used with any browser?
Yes, although if a browser with native anti-XSS filter like webkit/blink ones (Google Chrome, Apple Safari and Opera) or Trident/EdgeHTML (Microsoft Internet Explorer and Microsoft Edge) is used, it will not be possible to show the XSS PoC in a popup window (except for pure JS injection cases or DOM-based ones). We recommend Mozilla Firefox browser, for which this service was built upon and designed for.
Is KNOXSS accurate?
To a certain extend, yes. KNOXSS is (almost) false positive free: it will only pop the window with PoC (Proof of Concept) if its engine already validates it. By using Gecko, the Firefox browser engine to do so, it guarantees that there will be no false positive. False negative is a way harder, so if KNOXSS doesn't find the XSS (although it may find the reflection) it doesn't mean it's not exploitable.
Is KNOXSS able to bypass application filters and WAFs (Web Application Firewalls)?
Yes. Standard and Pro versions have some tricks to bypass them, with Pro being able even to bypass weak Content Security Policies (CSP).
Does KNOXSS have technical support?
Yes, for all plans there's a twitter account @knoxss_me to get help with its usage, technical issues and feedback.
Can KNOXSS really help me to find XSS bugs in bug bounty programs?
Yes, it can. It was developed with this in mind, hence Standard and Pro browser add-ons. But all versions are able to find bugs in bug bounty programs, like in any other website.
May I submit a question for this FAQ?
Sure, just contact us @knoxss_me