AttributeError: 'str' object has no attribute 'keys' on JSON export. #438
Description
Describe the bug
An AttributeError: 'str' object has no attribute 'keys' occurs when running XSStrike against a URL that does not contain any query parameters. The scanner expects a dictionary of parameters but receives a string instead during the DOM vulnerability check or initial scan setup.
To Reproduce
Steps to reproduce the behavior:
Run XSStrike on a plain URL without parameters:
python xsstrike.py -u https://example.net --json
The tool starts checking for DOM vulnerabilities.
The process crashes with the following traceback:
File "/opt/jenny/bounty/xsstrike/modes/scan.py", line 53, in scan
url, {list(params.keys())[0]: xsschecker}, ...
AttributeError: 'str' object has no attribute 'keys'
Screenshots
(.venv) root@vagent103:/opt/jenny/bounty/xsstrike# python xsstrike.py --update
XSStrike v3.1.5
[~] Checking for updates
[+] XSStrike is up to date!
(.venv) root@vagent103:/opt/jenny/bounty/xsstrike# python xsstrike.py -u https://xxxxxx.net
XSStrike v3.1.5
[~] Checking for DOM vulnerabilities
[+] Potentially vulnerable objects found
------------------------------------------------------------
49 // Mobile menu links: close menu and navigate correctamente
66 setTimeout(() => { targetEl.scrollIntoView({ behavior: 'smooth' }); }, 450);
73 location.hash = href;
76 // external or full-page link: navigate after scrolling to top
80 setTimeout(() => { window.location.href = href; }, 600);
82 window.location.href = href;
30 element.innerHTML = translations[key];
------------------------------------------------------------
[-] No parameters to test.
(.venv) root@vagent103:/opt/jenny/bounty/xsstrike# python xsstrike.py -u https://xxxxxx.net --json
XSStrike v3.1.5
[~] Checking for DOM vulnerabilities
Traceback (most recent call last):
File "/opt/jenny/bounty/xsstrike/xsstrike.py", line 174, in <module>
scan(target, paramData, encoding, headers, delay, timeout, skipDOM, skip)
~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/jenny/bounty/xsstrike/modes/scan.py", line 53, in scan
url, {list(params.keys())[0]: xsschecker}, headers, GET, delay, timeout)
^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'keys'
Potential cause or fix
In modes/scan.py, the code assumes params is a dictionary and attempts to call .keys(). If the target URL has no parameters, params might be initialized as an empty string or null, leading to the crash. A check should be added to verify if params is a valid dictionary before accessing its keys.
Environment
OS: Linux (vagent103)
Python version: 3.13
XSStrike version: v3.1.5
Some Questions
[x] I am using the latest version of XSStrike.
[x] I installed the dependencies using pip3 instead of pip
[x] I have read the documentation before submitting this issue.
[x] I have checked the other issues to see if someone reported this before.
Other comments
The issue seems specifically triggered when using the --json flag or during the transition to the DOM scanning phase when no input vectors are provided in the URL.
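The kind of guard the report asks for, as an added example that is not part of the original issue and is not XSStrike's own code: it normalizes whatever the parameter parser returned into a dictionary before any `.keys()` access, so a URL with no parameters yields "nothing to test" rather than a crash. The names `normalize_params` and `first_param` are hypothetical, and the set of accepted input shapes (dict, JSON object string, query string, full URL, empty, `None`) is an assumption.

```python
import json
from urllib.parse import parse_qsl, urlsplit


def normalize_params(params):
    """Return {name: value} for any supported input shape, or {} if there is nothing to test.

    Hypothetical helper; the accepted input shapes are assumptions.
    """
    if isinstance(params, dict):
        return params
    if params is None:
        return {}
    if isinstance(params, bytes):
        params = params.decode("utf-8", errors="replace")
    if not isinstance(params, str):
        raise TypeError(f"unsupported parameter container: {type(params).__name__}")

    text = params.strip()
    if not text:
        return {}

    # A JSON request body: only a top-level object maps onto named parameters.
    if text.startswith("{"):
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError:
            parsed = None
        if isinstance(parsed, dict):
            return parsed

    # A full URL: keep only its query component (empty for a plain URL).
    if "://" in text:
        text = urlsplit(text).query

    return dict(parse_qsl(text, keep_blank_values=True))


def first_param(params):
    """Return the first parameter name, or None when no input vector exists."""
    return next(iter(normalize_params(params)), None)


if __name__ == "__main__":
    # Constructed sample inputs, including the plain URL from the report.
    for sample in ("https://example.net", "https://example.net/?q=1&lang=en",
                   '{"user": "a"}', "", None, {"id": "7"}):
        print(repr(sample), "->", first_param(sample))
```

A caller would check for `None` from `first_param` and report that there are no parameters to test, which is what the run without `--json` prints.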