jeudi 27 avril 2017

Why does this error occur when it shouldn't?

I've been writing a script that will check for reflective XSS vulnerabilities. I'm having an error on a part that checks if you have "http://" or "https://" in your URL and '*' in the place of queries. However, when I put https://google.com/#q=*", it results inERROR! MISSING 'http://', OR 'https://'!`. Here's my code:

<!DOCTYPE html>

<html>

  <head>

    <title>Slingshot.XSS</title>

  </head>

  <body style="font-family:monospace;" align="center">

    <h2>Slingshot.XSS</h2>
    <h3>Slingshot.XSS is a script that launches pre-loaded XSS payloads at a target to test its vulnerabilities.</h3>
    <h4>Please report all issues to <a href="http://ift.tt/2qk9t6X"></a> or contact me at keeganjkuhn@gmail.com.</h4>
    <a href="http://ift.tt/2pr7PD9" style="font-family:monospace" align="center">Source Code / Learn More</a>
    <br />

    <h4>Enter a URL with <b>*</b> in the place of query.</h4>
    <h5>Example: http://ift.tt/2qk2TgO;
    <input type="text" id="myText" placeholder="Enter a URL"> <button onclick="myFunction()">Submit</button>

    <p id="demo">No Submitted URL</p>

    <script>

      function myFunction() {

        var x = document.getElementById("myText").value;

        // Error check
        if ( !x.includes("*") && ( !x.includes("http://") || !x.includes("https://") ) ) {

            document.getElementById("demo").innerHTML = "ERROR! MISSING \'*\' IN PLACE OF QUERY, \'http://\', AND \'https://\'!";
            x = false;
            return 0;

        }

        if ( !x.includes("*") ) {

            document.getElementById("demo").innerHTML = "ERROR! MISSING \'*\' IN PLACE OF QUERY!";
            x = false;
            return 0;

        }

        if ( !x.includes("http://") || !x.includes("https://") ) {

            document.getElementById("demo").innerHTML = "ERROR! MISSING \'http://\', OR \'https://\'!";
            x = false;
            return 0;

        }

        document.getElementById("demo").innerHTML = x;

      }

    </script>

  </body>

</html>

What am I doing wrong?

Aucun commentaire:

Enregistrer un commentaire