From 4d4fa3c6ed55469753a61d35e2112750984c2044 Mon Sep 17 00:00:00 2001 From: hackademix Date: Tue, 28 May 2019 00:48:27 +0200 Subject: Make XSS timeouts fatal and reported. --- src/xss/XSS.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/xss/XSS.js b/src/xss/XSS.js index 51216d8..5b93921 100644 --- a/src/xss/XSS.js +++ b/src/xss/XSS.js @@ -58,7 +58,7 @@ var XSS = (() => { data = []; } catch (e) { error(e, "XSS filter processing %o", xssReq); - if (e instanceof TimingException) { + if (e instanceof TimingException && !/\btimeout\b/i.test(e.message)) { // we don't want prompts if the request expired / errored first return; } @@ -256,6 +256,7 @@ var XSS = (() => { let ic = new (await this.InjectionChecker)(); let {timing} = ic; timingsMap.set(request.id, timing); + timing.fatalTimeout = true; let postInjection = xssReq.isPost && request.requestBody && request.requestBody.formData && -- cgit v1.2.3