Right now, the program will raise an exception in run_on_url (in Scanner.py) if it encounters an alert. This is caused due toDiff being used while an alert is present on the page.

driver.get(target_url) raises an alert as soon as it is loaded (in case the payload works ofcourse). This might be a problem for differ. So we instead have to switch and close the alert before we differ :-

That's all well and good, but I don't know which source the diff_source = driver.page_source wants, I think the author of it would know more. For instance, which source does it need? the base URL given by the user? or the payload injected URL from run_on_url's target_url.

Please let me know about this!

P.S : Am I dumb or should this be difflib instead of .differ?

no there is a new differ class that @Chr0nicT implemented. We are using that to doff original source over the new results. If an unexpected alert arises we can assume it was triggered by a payload so we should keep that as a result. Maybe we need a way to parse the payload to see if its sending an alert and then match the content of the alert to the payload.

@M4cs I see. I didn't notice the new Class before. Although are we really just comparing the pure source to the changed source? Isn't that rather in-effective? In complex websites many things could change on a form submit, not all of those will have anything to do with XSS success.

Back to the issue at hand, in case of URL Query scan, We can simply just switch to the alert text (if it pops up) to check if the payload worked. What else needs to be done, regarding differ?

I was thinking if say a payload adds an unclosed bold tag. We should check somehow that text after whatever has been added is bold when it shouldn't be. That's what i meant my diffing

Right, I see. I'm not entirely sure if that will work effectively with the current diff method but I'll leave that to Chronic. Right now, we need to fix this exception by addressing the alert PRIOR to using diff.
This will ensure diff actually executes correctly. Someone still has to put the diff_source assignment line on the correct place afterwards as I don't know where it's supposed to be.

In the meantime, could you check my comment and tell me what you think? @M4cs