Merge pull request #8 from gosub/patch-1

Bugfix: URL and POST parameters concatenation
secdec · Feb 7, 2020 · ed2826b · ed2826b
2 parents 7d98af1 + 49b595a
commit ed2826b
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/XssScanner.py b/XssScanner.py
@@ -109,6 +109,7 @@ def render_GET_page(self, attack, request_url_root, param_under_test,\
                 u = u + attack
             else:
                 u = u + param_to_add['name'] + '=' + param_to_add['value']
+            u += '&'
 
         # If we ended up with trailing ampersand on URL, remove
         if u[-1] == '&':
@@ -159,6 +160,7 @@ def render_POST_page(self, attack, request_url_root, param_under_test,\
                 attack_url += attack
             else:
                 attack_url += param['name'] + '=' + param['value']
+            attack_url += '&'
 
         # If we ended up with trailing ampersand on URL, remove
         if attack_url[-1] == '&':
@@ -170,6 +172,7 @@ def render_POST_page(self, attack, request_url_root, param_under_test,\
                 attack_body += attack
             else:
                 attack_body += param['name'] + '=' + param['value']
+            attack_body += '&'
 
         # If we ended up with trailing ampersand in body, remove
         if attack_body and attack_body[-1] == '&':