Critical XSS Scanner Flaw: Fails to Detect Basic Reflected XSS in DVWA
A critical defect has been exposed in an XSS scanner's core detection logic, leaving it blind to a textbook reflected cross-site scripting (XSS) vulnerability. The scanner fails to flag the flaw on the standard security testing target, DVWA's `/vulnerabilities/xss_r/` endpoint, even when a simple `<script>alert(1)</script>` payload is reflected verbatim and unencoded in the HTML response. This is a fundamental failure for a tool whose purpose is to catch exactly this class of basic risk, and it raises immediate concerns about the scanner's reliability in real-world penetration tests and security audits.
The issue, tracked internally as a **P0 priority**—the highest severity level—centers on the scanner's inability to detect reflected XSS on one of the most common and deliberately vulnerable training applications. DVWA (Damn Vulnerable Web Application) is a benchmark for security tools, and its `/vulnerabilities/xss_r/` page is a canonical example of a trivial reflected XSS vulnerability. Initial analysis of the scanner's codebase, specifically the `testParameter()` function within `pkg/scanner/xss.go`, shows that the logic for sending payloads and checking for reflection looks correct on the surface, which points to a subtler bug in the detection mechanism.
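To make the expected behaviour of such a reflection check concrete, here is an added Go example (not code from the scanner or from `pkg/scanner/xss.go`). `classifyReflection` and `buggyClassify` are hypothetical names, and the response bodies are constructed stand-ins for DVWA's `xss_r` page; the "buggy" variant illustrates one plausible logic flaw, not the root cause the article describes, which remains undiagnosed.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// Reflection describes how a probe payload came back in a response body.
type Reflection int

const (
	NotReflected     Reflection = iota // payload absent from the body
	ReflectedEncoded                   // present only HTML-escaped: safely handled
	ReflectedRaw                       // present byte-for-byte: reflected XSS
)

// classifyReflection is the check a reflected-XSS probe needs: the body is
// compared against the payload as it was *sent*, not against its URL-encoded
// wire form, and ReflectedRaw is reported only when the unescaped payload is
// present verbatim. An HTML-escaped echo is reported separately, not as a finding.
func classifyReflection(body, payload string) Reflection {
	if strings.Contains(body, payload) {
		return ReflectedRaw
	}
	if strings.Contains(body, html.EscapeString(payload)) {
		return ReflectedEncoded
	}
	return NotReflected
}

// buggyClassify is a hypothetical illustration of a subtle logic flaw: it
// searches the body for the URL-encoded payload that went on the wire. The
// server decodes the query string before echoing it, so this never matches
// and a verbatim reflection is silently missed.
func buggyClassify(body, payload string) Reflection {
	if strings.Contains(body, url.QueryEscape(payload)) {
		return ReflectedRaw
	}
	return NotReflected
}

func main() {
	payload := `<script>alert(1)</script>`
	// Constructed sample bodies: verbatim echo versus HTML-escaped echo.
	rawBody := `<pre>Hello ` + payload + `</pre>`
	encBody := `<pre>Hello ` + html.EscapeString(payload) + `</pre>`
	fmt.Println("verbatim echo: correct =", classifyReflection(rawBody, payload), "buggy =", buggyClassify(rawBody, payload))
	fmt.Println("escaped echo:  correct =", classifyReflection(encBody, payload))
}
```

Running it shows the correct check returning `ReflectedRaw` (2) for the verbatim echo while the buggy variant returns `NotReflected` (0) on the same body, which is the kind of mismatch a regression test against DVWA would catch.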
This deficiency signals a significant gap in the scanner's coverage, potentially allowing severe client-side security flaws to go unnoticed during automated assessments. For security teams and developers relying on this tool, the failure to catch such a basic vulnerability undermines confidence in its overall findings and could lead to a false sense of security. The unresolved P0 status places intense internal pressure on the development team to diagnose the root cause—whether it's a parsing error, a mismatch in response handling, or a logic flaw—and deploy a fix before the tool's credibility is further compromised.