Skip to content

Instantly share code, notes, and snippets.

@yeukhon

yeukhon/test.html

Last active Sep 15, 2019
Embed
What would you like to do?
Simple XSS detector using PhantomJS
<html>
<head></head>
<body>
<a href="javascript: alert('clicked xss link')" id="link">click me</a>
<img src="xx" onerror="alert('xss')" />
</body>
</html>
var page = require('webpage').create(),
system = require('system'),
address;
page.onAlert = function (msg) {
console.log("Received an alert: " + msg);
};
page.onConfirm = function (msg) {
console.log("Received a confirm dialog: " + msg);
return true;
};
if (system.args.length === 1) {
console.log("Must provide the address of the webpage");
} else {
address = system.args[1];
page.open(address, function (status) {
if (status === "success") {
console.log("opened web page successfully!");
page.evaluate(function () {
// .click() is not standard
// see https://github.com/ariya/phantomjs/issues/11153
var e = document.createEvent('Events');
e.initEvent('click', true, false);
document.getElementById("link").dispatchEvent(e);
});
}
});
}

Usage

Launch python -m SimpleHTTPServer in the same directory as test.html. By default, the port is 8000.

Then launch phantomJS like this: phantomjs test.js http://localhost:8000/test.html

Output

vagrant@precise64:~$ pjs test.js http://localhost:8000/test.html
Received an alert: xss
opened web page successfully!
Received an alert: clicked xss link

^C
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment