Detect DOM Based XSS website using python

Question

I have a sample url: http://www.foo.bar/index.php?ids=111

I've found that it has a vulnerability by http://www.foo.bar/index.php?ids="><SCrIpT>alert('XSS')</ScRiPt>

A basic different from normal url and xss url is a alert box has been showed in the browser. But when using python, how can i we see that or detect which url is vulnerability?

I've tried python request library:

import requests

xss_url = 'http://www.foo.bar/index.php?ids="><SCrIpT>alert('XSS')</ScRiPt>'
r = requests.get(xss_url);
print r.text

normal_url = 'http://www.foo.bar/index.php?ids=111'
t = requests.get(normal_url);
print t.text

Result of r.text and t.text is the same.

Answer 1

A basic check woule be to to see if your payload is present in the page's source without being escaped, something like this should do the trick :

payload = "<SCrIpT>alert('XSS')</ScRiPt>"
xss_url = 'http://www.foo.bar/index.php?ids=">'+payload

r = requests.get(xss_url)

if payload.lower() in r.text.lower(): print("vulnerable")

This checks if the payload is present in the page's source, case-insensitive. If the site isn't vulnerable then the payload would be converted to HTML entities which while looking the same in a browser are actually different, for example < becomes <.

Note : this can be used to confirm the presence of an XSS but not to deny the presence of one; for example incorrect escaping would make this return false while the payload may still run in a real browser.

Answer 2

The confirm whether an injection is executable script you could do e.g.

• Open the URL using Selenium WebDriver and Firefox

• Instead of alert() use window.exploitDetected = True as the injection verification

• Wait the the page to load

• Run JavaScript in the context of the WebDriver, read if window.exploitDetected has been set