利用Python编写测试目标网页是否存在XSS漏洞的工具
2022/5/2 17:13:08
本文主要是介绍利用Python编写测试目标网页是否存在XSS漏洞的工具,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
以DVWA应用为目标,测试目标URL是否存在XSS漏洞,其基本思想是:
1. 利用session登录DVWA应用
2. 下载目标URL网页,并提取出表单以及input等名称
3. 构造请求,并将XSS测试语句作为表单的提交内容
import requests
from lxml import etree
import sys
class XSSTester:
def __init__(self, target_url) -> None:
self.banner()
self.headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',
}
self.sessions = requests.Session()
login_url = 'http://192.168.140.137/dvwa/login.php'
credentials_data = {
'username':'admin',
'password':'password',
'Login':'Login'
}
response = self.sessions.post(url=login_url, headers=self.headers, data=credentials_data).text
if "Login failed" not in response:
self.target_url = target_url
else:
print("Failed to authenticate")
sys.exit(0)
def banner(self):
banner = """
******************************************************************
******************************************************************
XSS Test Tool by Jason Wong V1.0
******************************************************************
******************************************************************
"""
print(banner)
def xss_check(self, payload):
response = self.sessions.get(url=self.target_url, headers=self.headers)
html = etree.HTML(response.text)
form_list = html.xpath("//form")
for form in form_list:
method = form.xpath('./@method')[0]
action = self.target_url
if form.xpath('./@action'):
action = form.xpath('./@action')[0]
input_list = form.xpath('.//input')
dict_data = {}
for input in input_list:
name = input.xpath('./@name')[0]
value = payload
type = input.xpath('./@type')[0]
if type == 'submit' and input.xpath('./@value'):
value = input.xpath('./@value')[0]
dict_data[name] = value
if form.xpath('.//textarea'):
text_area = form.xpath('.//textarea')[0]
dict_data[text_area.xpath('./@name')[0]] = 'test data for text area'
if method == 'post':
response = self.sessions.post(url=action,data=dict_data,headers=self.headers).text
if payload in response:
print("XSS vulnerability exists on the target URL: tested by payload %s" % payload)
sys.exit(0)
else:
response = self.sessions.get(url=action,params=dict_data, headers=self.headers).text
if payload in response:
print("XSS vulnerability exists on the target URL: tested by payload %s" % payload)
sys.exit(0)
def run(self):
with open('XssPayloads.txt', 'r') as f:
for line in f.readlines():
payload = line.strip()
self.xss_check(payload)
if __name__ == "__main__":
target_url = 'http://192.168.140.137/dvwa/vulnerabilities/xss_s/'
xss_tester = XSSTester(target_url=target_url)
xss_tester.run()
这篇关于利用Python编写测试目标网页是否存在XSS漏洞的工具的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-05-08有遇到过吗?同样的规则 Excel 中 比Python 结果大
- 2024-03-30开始python成长之路
- 2024-03-29python optparse
- 2024-03-29python map 函数
- 2024-03-20invalid format specifier python
- 2024-03-18pool.map python
- 2024-03-18threads in python
- 2024-03-14python Ai 应用开发基础训练,字符串,字典,文件
- 2024-03-13id3 algorithm python
- 2024-03-13sum array elements python
