利用Python编写测试目标网页是否存在XSS漏洞的工具

2022/5/2 17:13:08

本文主要是介绍利用Python编写测试目标网页是否存在XSS漏洞的工具,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

    以DVWA应用为目标,测试目标URL是否存在XSS漏洞,其基本思想是:

    1. 利用session登录DVWA应用

    2. 下载目标URL网页,并提取出表单以及input等名称

    3. 构造请求,并将XSS测试语句作为表单的提交内容

import requests
from lxml import etree
import sys


class XSSTester:

    def __init__(self, target_url) -> None:
        self.banner()
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',
            
        }
        self.sessions = requests.Session()
        login_url = 'http://192.168.140.137/dvwa/login.php'
        credentials_data = {
            'username':'admin',
            'password':'password',
            'Login':'Login'
        }
        response  = self.sessions.post(url=login_url, headers=self.headers, data=credentials_data).text
        if "Login failed" not in response:
            self.target_url = target_url
        else:
            print("Failed to authenticate")
            sys.exit(0)

       
    def banner(self):
        banner = """
            ******************************************************************
            ******************************************************************
                            XSS Test Tool by Jason Wong V1.0
            ******************************************************************
            ******************************************************************
        """
        print(banner)

    
    def xss_check(self, payload):
        response = self.sessions.get(url=self.target_url, headers=self.headers)      

        html = etree.HTML(response.text)
        form_list = html.xpath("//form") 

        for form in form_list:
            method = form.xpath('./@method')[0]
            
            action = self.target_url
            if form.xpath('./@action'):
                action = form.xpath('./@action')[0]
         
            input_list = form.xpath('.//input')          
      
            dict_data = {}
            for input in input_list:                
                name = input.xpath('./@name')[0]                
                value =  payload
                type = input.xpath('./@type')[0]
                if type == 'submit' and input.xpath('./@value'):
                    value = input.xpath('./@value')[0]
                dict_data[name] = value
            if form.xpath('.//textarea'):
                text_area = form.xpath('.//textarea')[0]
                dict_data[text_area.xpath('./@name')[0]] = 'test data for text area'  
        
      
        if method == 'post':
            response = self.sessions.post(url=action,data=dict_data,headers=self.headers).text
            if payload in response:
                print("XSS vulnerability exists on the target URL: tested by payload %s" % payload)
                sys.exit(0)         
           
        else:
            response = self.sessions.get(url=action,params=dict_data, headers=self.headers).text
            if payload in response:
                print("XSS vulnerability exists on the target URL: tested by payload %s" % payload)
                sys.exit(0)
             
                


    def run(self):
        with open('XssPayloads.txt', 'r') as f:
            for line in f.readlines():
                payload = line.strip()
                self.xss_check(payload)


if __name__ == "__main__":
    target_url = 'http://192.168.140.137/dvwa/vulnerabilities/xss_s/'
    xss_tester = XSSTester(target_url=target_url)
    xss_tester.run()

 



这篇关于利用Python编写测试目标网页是否存在XSS漏洞的工具的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!


扫一扫关注最新编程教程