fixed #1

Author: dragthor

package.json

@@ -1,6 +1,6 @@
 {
   "name": "xss-scanner",
-  "version": "0.0.7",
+  "version": "0.0.8",
   "description": "Cross-Site Scripting (XSS) scanner.  This tool helps to find possible XSS vulnerabilities.",
   "keywords" : [ "xss", "xss-vulnerability", "xss-detection", "xss-exploitation", "xss-scanner" ],
   "repository": {

src/config.js

@@ -16,6 +16,6 @@ function xssOptions() {
         path: "/special.plp?page={0}",
         method: "POST",
         protocol: "http:",
-        postData: "paramName1=paramValue1&paramName2=paramValue2"
+        postData: "paramName1={0}&paramName2=paramValue2"
     };
 }

src/payload.js

@@ -40,7 +40,7 @@ var attack = function (line) {
 
         if (config.method === "POST") {
             reqOptions.headers["Content-Type"] = "application/x-www-form-urlencoded";
-            reqOptions.headers["Content-Length"] = Buffer.byteLength(config.postData)
+            reqOptions.headers["Content-Length"] = Buffer.byteLength(stringFormat(config.postData, line));
         }
 
         var request = http.request(reqOptions, (res) => {
@@ -55,7 +55,7 @@ var attack = function (line) {
                 if (statusCode != 200) return;
                 if (rawData == null || rawData.length === 0) return;
 
-                rawData = "<![CDATA[ " + line + "]]>" + rawData;
+                rawData = "<!-- <![CDATA[ " + line + "]]> -->" + rawData;
 
                 console.log(chalk.red(line));
 
@@ -70,7 +70,7 @@ var attack = function (line) {
         });
 
         if (config.method === "POST") {
-            request.write(config.postData);
+            request.write(stringFormat(config.postData, line));
         }
 
         request.end();