No CSS files were found? #21
Comments
Hey @marcelo321, did you find this out? It's the first time I'm running this and got this:
WCVS searches responses for linked CSS files. It is not possible to directly link CSS files. CSS files are mostly static but there may be occasions where CSS files reflect the request's URL. WCVS checks if that is the case and if true whether it's possible to poison the cache with an arbitrary URL. That is the only check for CSS files.
The website you are scanning returns Cf-Cache-Status: DYNAMIC. This means that the response is not eligible for caching. Hence, wcvs will not test for web cache poisoning (unless you force it to with -f/-force). However, it is trying to achieve web cache deception. This means that it is trying to manipulate the request in order for the response to get cached. It is doing this by trying to trick the Cache Proxy into thinking that a CSS file is requested. That is because CSS files will be cached most of the time. The status codes 400 and 444 mean that the Cache Proxy could not be tricked.
@m10x Thank you so much for your great explanation and the tool 🙏
Getting this error on Android (Termux) termux-tools version: 1.38.3
Golang throws an error because https://example.com% is an invalid format and it won't send the request. https://example.com/% however would be RFC compliant and work.
Thanks m8, got it. '/' trailing was missing. |
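
The trailing-slash behaviour discussed in the comments above can be reproduced with Go's net/url alone: a percent escape that lands in the host part is rejected, while the same escape after a "/" is accepted as part of the path. This is an added example, not WCVS code and not part of the original thread; the helper names and the sample suffix are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// naiveAppend concatenates suffix straight onto target, as happens when the
// target was given without a trailing slash.
func naiveAppend(target, suffix string) (*url.URL, error) {
	return url.Parse(target + suffix)
}

// safeAppend (hypothetical helper) gives a bare-host target a "/" path first,
// so the suffix is parsed as part of the path and not of the host.
func safeAppend(target, suffix string) (*url.URL, error) {
	base, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	if base.Scheme == "" || base.Host == "" {
		return nil, fmt.Errorf("%q is not an absolute URL", target)
	}
	if base.Path == "" {
		base.Path = "/"
	}
	return url.Parse(base.String() + suffix)
}

func main() {
	const suffix = "%20test" // constructed sample suffix

	_, err := naiveAppend("https://example.com", suffix)
	fmt.Println("no trailing slash:", err)

	u, err := safeAppend("https://example.com", suffix)
	fmt.Println("with root path:  ", u, err)
}
```
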
Do we have to link CSS files, or how does one see how the tool performs CSS poisoning, how it differs from the other tests?