Simple script to identify an XSS filter's "bad characters"
#!/usr/bin/env python
"""
Very simple script to automate the discovery of
bad characters in XSS filters that replace
the entire user input string with an empty string
(so the expected search string disappears from the response)
[CR] = Carriage Return or \r
[LF] = Line Feed or \n
"""
import sys
import string
import requests
import urllib3
import urllib
# Silence urllib3's TLS warnings (e.g. InsecureRequestWarning): every probe
# below is sent with verify=False, so each request would otherwise emit one.
urllib3.disable_warnings()
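def isCharBad(url, search, timeout=10):
    """Return True when the probe text is missing from the response for *url*.

    A filter that wipes the whole input on a "bad" character makes the
    expected text disappear, so absence of ``search`` is taken as "bad".

    Args:
        url: Fully-formed probe URL (the caller has already substituted and
            percent-encoded the candidate character).
        search: Literal text expected in the response body when the
            character survives the filter.
        timeout: Seconds to wait for connect/read. Without it a single
            hanging probe stalls the entire scan of ``string.printable``.

    Returns:
        False if ``search`` occurs in the response body, True otherwise.

    Raises:
        requests.exceptions.RequestException: on connection failure or
            when ``timeout`` elapses.
    """
    # Can set whatever custom headers you'd like
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36',
    }
    # verify=False skips TLS certificate validation (its warning is silenced
    # by urllib3.disable_warnings() at module level). allow_redirects=False
    # presumably so the body inspected is the filter's own response rather
    # than a redirect target's.
    r = requests.get(url, headers=headers, allow_redirects=False,
                     verify=False, timeout=timeout)
    return search not in r.text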
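def main():
    """Command-line entry point: probe every printable character and report the rejected ones.

    Expects two positional arguments, ``<url>`` and ``<search_string>``; the
    literal token ``%IP%`` marks the injection point in both. For each
    character in ``string.printable`` the token is replaced (percent-encoded
    in the URL, verbatim in the search string) and ``isCharBad`` decides
    whether the character survived the filter. Prints the usage text and
    exits with status -1 when the argument count is wrong.

    Note: ``urllib.quote`` is the Python 2 API; Python 3 moved it to
    ``urllib.parse.quote``.
    """
    if len(sys.argv) != 3:
        # print() with a single argument is valid on both Python 2 and 3.
        print('(+) usage: %s <url> <search_string>' % sys.argv[0])
        print('(+) %IP% can be used for injection points')
        print('(+) eg: %s http://www.example.com/?param=%%IP%% \'var x="%%IP%%"\'' % sys.argv[0])
        sys.exit(-1)
    url = sys.argv[1]
    search = sys.argv[2]
    bad = []
    for char in string.printable:
        # The URL copy must be percent-encoded; the expected-text copy must
        # stay raw so it matches what a permissive filter echoes back.
        temp_url = url.replace('%IP%', urllib.quote(char))
        temp_search = search.replace('%IP%', char)
        if isCharBad(temp_url, temp_search):
            bad.append(char)
    badchars = ''.join(bad)
    # CR/LF are rendered symbolically so the report stays on one line.
    print('\nBad Characters => %s\n' % badchars.replace('\r', '[CR]').replace('\n', '[LF]'))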
# Run the scan only when executed as a script, not when imported.
if __name__ == "__main__":
    main()