Ejemplo n.º 1
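    def get(self):
        """Fetch the URL given in the ``url`` parameter and render the scan view.

        The remote body is decoded with the charset named in the Content-Type
        header, else (for text/html and text/xml responses) the charset
        reported by ``DOMXSS.get_charset_from_html``, else UTF-8.  For HTML/XML
        responses the script URLs returned by ``DOMXSS.get_script_urls`` are
        handed to the template as JSON.  Ajax requests get ``response.html``
        served as text/javascript, other requests get ``scan.html``; a falsy
        ``url`` value or a falsy fetch result renders ``error.html``.
        """
        url = self.get_param('url', '', 'url')
        if url:
            self.set_template_value('url', url)
            self.set_template_value('title', 'DOM XSS Scanner - Scan %s' % url)
            # NOTE(review): the server fetches a caller-chosen URL. Whether
            # get_param's 'url' filter or HTTP().request() restricts schemes,
            # loopback/internal/metadata hosts, redirects, timeouts and
            # response size is not visible here -- confirm, because an
            # unrestricted fetch is an SSRF exposure.
            response = HTTP().request(url)
            if response:
                content = response.content
                encoding = False
                dxs = DOMXSS()

                # Content-Type is optional and remote-controlled: treat a
                # missing header as empty instead of failing with KeyError.
                try:
                    ctype = response.headers['content-type'].strip()
                except KeyError:
                    ctype = ''

                # try to determine charset from response headers
                pos = ctype.find('charset=')
                if pos > 0:
                    # Keep only the charset token: drop trailing parameters
                    # and surrounding quotes/whitespace.
                    encoding = ctype[pos + 8:].split(';', 1)[0]
                    encoding = encoding.strip().strip('"\'').lower()

                if ctype.startswith(('text/html', 'text/xml')):
                    # try to determine charset from html if not set before
                    if not encoding:
                        encoding = dxs.get_charset_from_html(content)
                    script_urls = dxs.get_script_urls(url, content)
                    self.set_template_value('script_urls',
                                            json.dumps(script_urls))

                if not encoding:
                    encoding = 'utf-8'

                # The charset label comes from the remote server or page; an
                # unknown codec name raises LookupError, so fall back to
                # UTF-8 rather than failing the whole request.
                try:
                    response_text = content.decode(encoding, 'ignore')
                except LookupError:
                    response_text = content.decode('utf-8', 'ignore')
                # NOTE(review): response_text is untrusted remote content and
                # url is user input; the templates must escape both for their
                # output context (escaping configuration not visible here).
                self.set_template_value('response_text', response_text)

                if self.is_ajax():
                    self.generate('text/javascript', 'response.html')
                else:
                    self.generate('text/html', 'scan.html')

            else:
                self.set_template_value(
                    'error', 'Error: Supplied URL could not be fetched.')
                self.generate('text/html', 'error.html')

        else:
            self.set_template_value('error',
                                    'Error: Supplied URL is not valid.')
            self.generate('text/html', 'error.html')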
Ejemplo n.º 2
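    def get(self):
        """Fetch the ``url`` request parameter server-side and render the result.

        Renders ``error.html`` when ``get_param`` yields a falsy URL or the
        fetch returns a falsy response.  Otherwise the body is decoded using,
        in order of preference, the Content-Type charset, the charset from
        ``DOMXSS.get_charset_from_html`` (text/html and text/xml only) and
        UTF-8, and is passed to ``response.html`` (Ajax, text/javascript) or
        ``scan.html``.  HTML/XML responses also get their script URLs from
        ``DOMXSS.get_script_urls`` serialised to JSON for the template.
        """
        url = self.get_param("url", "", "url")
        if not url:
            self.set_template_value("error", "Error: Supplied URL is not valid.")
            self.generate("text/html", "error.html")
            return

        self.set_template_value("url", url)
        self.set_template_value("title", "DOM XSS Scanner - Scan %s" % url)
        # NOTE(review): this is a server-side request to a user-chosen URL.
        # Nothing visible here limits schemes, internal/loopback/metadata
        # destinations, redirects, timeouts or body size -- confirm that
        # get_param's "url" filter or HTTP().request() does, otherwise the
        # handler is an SSRF exposure.
        response = HTTP().request(url)
        if not response:
            self.set_template_value("error", "Error: Supplied URL could not be fetched.")
            self.generate("text/html", "error.html")
            return

        content = response.content
        encoding = False
        dxs = DOMXSS()

        # The remote server may omit Content-Type; an absent header must not
        # surface as an unhandled KeyError.
        try:
            ctype = response.headers["content-type"].strip()
        except KeyError:
            ctype = ""

        # try to determine charset from response headers
        pos = ctype.find("charset=")
        if pos > 0:
            # Isolate the charset token from later parameters and quoting.
            charset = ctype[pos + 8 :].split(";", 1)[0]
            encoding = charset.strip().strip("\"'").lower()

        if ctype.startswith(("text/html", "text/xml")):
            # try to determine charset from html if not set before
            if not encoding:
                encoding = dxs.get_charset_from_html(content)
            script_urls = dxs.get_script_urls(url, content)
            self.set_template_value("script_urls", json.dumps(script_urls))

        if not encoding:
            encoding = "utf-8"

        # The codec name is attacker-influenced (header or page markup); an
        # unrecognised name raises LookupError, so decode as UTF-8 instead.
        try:
            response_text = content.decode(encoding, "ignore")
        except LookupError:
            response_text = content.decode("utf-8", "ignore")
        # NOTE(review): untrusted remote content goes to the template here,
        # and the Ajax branch serves it as text/javascript; verify the
        # templates escape it for each context (not visible in this block).
        self.set_template_value("response_text", response_text)

        if self.is_ajax():
            self.generate("text/javascript", "response.html")
        else:
            self.generate("text/html", "scan.html")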
Ejemplo n.º 3
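    def get(self):
        """Fetch the URL from the ``url`` parameter and render the scan page.

        Resets ``self.jinja_env.cache`` to ``None`` first.  A falsy URL or a
        falsy fetch result is reported through ``self.error``.  Otherwise the
        body is decoded with the Content-Type charset, else the charset from
        ``DOMXSS.get_charset_from_html`` (text/html and text/xml only), else
        UTF-8, and rendered through ``response.html`` for Ajax requests or
        ``scan.html`` otherwise.  For HTML/XML responses the script URLs from
        ``DOMXSS.get_script_urls`` are passed to the template as JSON.
        """
        # NOTE(review): presumably turns off Jinja template caching for this
        # handler -- confirm against the jinja_env setup.
        self.jinja_env.cache = None
        url = self.get_param('url', '', 'url')
        if not url:
            self.error('Error: Supplied URL is not valid.')
            return

        self.set_template_value('url', url)
        self.set_template_value('title', 'DOM XSS Scanner - Scan %s' % url)
        # NOTE(review): the fetch target is chosen by the caller. Confirm
        # that get_param's 'url' filter or HTTP().request() rejects
        # non-HTTP schemes and loopback/internal/metadata hosts and bounds
        # redirects, time and size; none of that is visible here, and
        # without it this endpoint is an SSRF exposure.
        response = HTTP().request(url)
        if not response:
            self.error('Error: Supplied URL could not be fetched.')
            return

        content = response.content
        encoding = False
        dxs = DOMXSS()

        # A response without Content-Type is legal; do not let the lookup
        # raise KeyError on remote-controlled headers.
        try:
            ctype = response.headers['content-type'].strip()
        except KeyError:
            ctype = ''

        # try to determine charset from response headers
        pos = ctype.find('charset=')
        if pos > 0:
            # Strip trailing parameters and quotes so only the codec
            # name remains.
            encoding = ctype[pos+8:].split(';', 1)[0].strip().strip('"\'').lower()

        if ctype.startswith(('text/html', 'text/xml')):
            # try to determine charset from html if not set before
            if not encoding:
                encoding = dxs.get_charset_from_html(content)
            script_urls = dxs.get_script_urls(url, content)
            self.set_template_value('script_urls', json.dumps(script_urls))

        if not encoding:
            encoding = 'utf-8'

        # The charset is supplied by the remote side; unknown codec names
        # raise LookupError, so retry with UTF-8 instead of crashing.
        try:
            response_text = content.decode(encoding, 'ignore')
        except LookupError:
            response_text = content.decode('utf-8', 'ignore')
        # NOTE(review): response_text is untrusted remote content; the
        # templates must escape it for HTML and for the text/javascript
        # Ajax response (escaping setup not visible in this block).
        self.set_template_value('response_text', response_text)

        if self.is_ajax():
            self.generate('text/javascript', 'response.html')
        else:
            self.generate('text/html', 'scan.html')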
Ejemplo n.º 4
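class TestDOMXSS(unittest.TestCase):
    """Checks DOMXSS.get_script_urls against HTML fixture files."""

    def setUp(self):
        # Fresh extractor per test, plus the page URL handed to
        # get_script_urls alongside the fixture markup.
        self.dxs = DOMXSS()
        self.url = 'http://localhost:8080/'

    def get_scripts(self, file_name):
        """Return what get_script_urls yields for the fixture *file_name*."""
        # Fixture paths are relative, so the tests depend on the working
        # directory they are run from. The context manager closes the file
        # deterministically instead of leaking the handle.
        with open(file_name, 'r') as fixture:
            markup = fixture.read()
        return self.dxs.get_script_urls(self.url, markup)

    def test_base_tag(self):
        # The first script URL of base_tag.html must be this absolute
        # localhost URL (presumably resolved via a <base> tag -- the fixture
        # itself is not visible here).
        scripts = self.get_scripts('./base_tag.html')
        self.assertEqual("http://localhost:8080/static/js/lib/modernizr-1.6.min.js", scripts[0])

    def test_script_count(self):
        # script_count.html must yield exactly three script URLs.
        scripts = self.get_scripts('./script_count.html')
        self.assertEqual(3, len(scripts))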
Ejemplo n.º 5
 def setUp(self):
     """Prepare the per-test fixtures: a DOMXSS instance and a localhost URL."""
     # Right-hand side is evaluated left to right, then assigned in order,
     # so DOMXSS() is still constructed before either attribute is set.
     self.dxs, self.url = DOMXSS(), 'http://localhost:8080/'