feat: Add --custom-blind-xss-payload flag

[hahwul]

This commit introduces the --custom-blind-xss-payload flag, allowing you to specify a file containing custom payloads for blind XSS testing.

Key changes:

• Added CustomBlindXSSPayloadFile field to the Options struct in pkg/model/options.go.
• Added the --custom-blind-xss-payload command-line flag in cmd/root.go.
• Modified pkg/scanning/scan.go to:
  • Read custom blind XSS payloads from the specified file.
  • Process these payloads, including CALLBACKURL replacement if a blind XSS callback URL is provided via the --blind flag.
  • Add the processed custom payloads to the list of payloads to be tested.
• Added comprehensive unit tests in pkg/scanning/scan_test.go and cmd/root_test.go to verify:
  • Correct parsing of the new flag.
  • Successful loading of payloads from valid files.
  • Correct handling of CALLBACKURL replacement.
  • Appropriate error handling for invalid or non-existent payload files.
  • Correct logging messages for payload loading.

This feature addresses issue #725 by providing you with more flexibility in your blind XSS testing setups.

[gemini-code-assist]

Hello @hahwul, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello team! Gemini here, providing a summary of this pull request. This PR introduces a new feature allowing users to specify a file containing custom blind XSS payloads. This is achieved by adding a new command-line flag --custom-blind-xss-payload. The scanning logic has been updated to read payloads from this file, perform CALLBACKURL replacement if a blind XSS callback URL is provided, and include these custom payloads in the scan. Comprehensive unit tests have been added to cover flag parsing, file loading, payload processing, and error handling. This enhancement directly addresses issue #725, providing greater flexibility for blind XSS testing.

Highlights

• New Feature: Custom Blind XSS Payloads: Adds the --custom-blind-xss-payload flag to allow loading blind XSS payloads from a user-specified file.
• Payload Processing: Implements logic to read payloads from the custom file and replace CALLBACKURL placeholders with the provided blind XSS callback URL (if the --blind flag is used).
• Integration with Scanning Logic: Integrates the custom blind XSS payloads into the existing payload generation process.
• Comprehensive Testing: Includes new unit tests for the command-line flag parsing and the payload generation logic, covering various scenarios like valid files, non-existent files, empty files, and CALLBACKURL replacement.

Changelog

Click here to see the changelog

• cmd/root.go
  • Added CustomBlindXSSPayloadFile field to the Args struct (line 46).
  • Registered the --custom-blind-xss-payload persistent flag (line 133).
  • Mapped the args.CustomBlindXSSPayloadFile value to options.CustomBlindXSSPayloadFile in initConfig (line 220).
  • Added logic to load CustomBlindXSSPayloadFile from config file if not provided via command line (lines 291-293).
• cmd/root_test.go
  • Added a new test file for cmd package.
  • Included helper functions executeCommand, createTempPayloadFile, captureOutput, and initFlagsForTest for testing command execution and flag parsing.
  • Added TestRootCmd_CustomBlindXSSFlag to verify the --custom-blind-xss-payload flag is correctly parsed and mapped to the global options variable (lines 53-122).
• pkg/model/options.go
  • Added CustomBlindXSSPayloadFile field to the Options struct (line 33).
• pkg/scanning/scan.go
  • Added a new section in generatePayloads to handle options.CustomBlindXSSPayloadFile (lines 435-475).
  • Implemented reading lines from the specified custom blind XSS payload file (line 437).
  • Added error handling for file reading failures (lines 438-440).
  • Included logic to replace CALLBACKURL placeholder with the blind callback URL if provided (lines 441-455).
  • Added processed custom payloads to the query map for scanning (lines 456-469).
  • Added logging messages for loading custom blind XSS payloads (lines 438, 474).
• pkg/scanning/scan_test.go
  • Imported necessary packages (io/ioutil, os, strings, sync, github.com/hahwul/dalfox/v2/internal/printing, github.com/stretchr/testify/assert) (lines 8-17).
  • Added helper functions createTempPayloadFile and captureOutput for test setup and output capturing (lines 88-140).
  • Added TestGeneratePayloads_CustomBlindXSS function with multiple test cases (lines 142-286).
  • Tested loading payloads from a valid file with CALLBACKURL replacement (lines 169-210).
  • Tested loading payloads from a valid file without CALLBACKURL replacement (lines 212-240).
  • Tested handling of a non-existent custom blind payload file (lines 242-266).
  • Tested handling of an empty custom blind payload file (lines 268-286).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Custom payloads fly,
Blind XSS, a hidden sting,
Callback waits now.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively introduces the --custom-blind-xss-payload flag, enhancing flexibility for blind XSS testing. The changes are well-implemented across the command-line interface, options model, and scanning logic. The addition of comprehensive unit tests for the new flag parsing, payload loading, CALLBACKURL replacement, and error handling is commendable and significantly contributes to the robustness of this feature.

I've identified a couple of areas for potential improvement related to code maintainability and adherence to current Go best practices. These are detailed in the review comments.

Summary of Findings

• Code Duplication: The logic for constructing the blind XSS callback URL (bcallback) is duplicated in pkg/scanning/scan.go. Consolidating this would improve maintainability.
• Use of Deprecated Package: The new test file pkg/scanning/scan_test.go uses ioutil.TempFile, which is part of the deprecated io/ioutil package. os.CreateTemp should be used instead.

Merge Readiness

The pull request introduces a valuable feature with good test coverage. However, there are a couple of medium-severity issues related to code duplication and the use of a deprecated package that should be addressed to enhance maintainability and align with current Go best practices. I recommend addressing these points before merging. As an AI, I am not authorized to approve pull requests; please ensure further review and approval by authorized maintainers.

[Copilot]

Pull Request Overview

This PR adds support for a new flag (--custom-blind-xss-payload) allowing users to supply a file containing custom blind XSS payloads. Key changes include updates to the Options struct in pkg/model/options.go, integration of the new flag in cmd/root.go, enhancements in payload generation within pkg/scanning/scan.go, and comprehensive unit tests in pkg/scanning/scan_test.go and cmd/root_test.go.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/scanning/scan_test.go	Added helpers and tests for custom blind XSS payload file processing; duplicate import issue detected.
pkg/scanning/scan.go	Integrated file-based custom blind XSS payload processing and CALLBACKURL replacement.
pkg/model/options.go	Extended Options struct with new custom blind XSS payload field.
cmd/root_test.go	Added tests for flag parsing of the new custom-blind-xss-payload flag.
cmd/root.go	Registered and processed the new flag for custom blind XSS payloads.

Comments suppressed due to low confidence (1)

pkg/scanning/scan_test.go:10

• A duplicate import of "strings" is present; please remove the redundant import to avoid compilation errors.

import ( ... "strings" ...)

[codecov]

Codecov Report

Attention: Patch coverage is 72.09302% with 12 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/scanning/scan.go	72.09%	6 Missing and 6 partials ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull Request Overview

This PR introduces a new flag (--custom-blind-xss-payload) that allows users to supply a file containing custom payloads for blind XSS testing. Key changes include adding a new Options field for the payload file, integrating file-based payload processing with CALLBACKURL replacement into the payload generation logic, and introducing comprehensive unit tests covering different file scenarios.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/model/options.go	Added a new field for custom blind XSS payload file support.
pkg/scanning/scan.go	Integrated file reading for custom blind XSS payloads into generatePayloads.
pkg/scanning/scan_test.go	Added tests for valid, invalid, and empty custom payload file scenarios.
cmd/root.go	Registered the new command-line flag for custom blind XSS payloads.
cmd/args.go	Declared the new argument for custom blind XSS payload file.

Comments suppressed due to low confidence (1)

pkg/scanning/scan_test.go:257

• The variable 'customBlindPayloadsFound' is never updated in the test for an invalid file, making the assertion ineffective. Instead, assert directly on the 'generatedQueries' to ensure that no payloads with type 'toBlind' were added.

assert.False(t, customBlindPayloadsFound, "Queries should not include payloads from a non-existent file if logic prevents it after error")