def get(self): url = self.get_param('url', '', 'url') if url: self.set_template_value('url', url) self.set_template_value('title', 'DOM XSS Scanner - Scan %s' % url) response = HTTP().request(url) if response: content = response.content encoding = False dxs = DOMXSS() # try to determine charset from request headers ctype = response.headers['content-type'].strip() pos = ctype.find('charset=') if pos > 0: encoding = ctype[pos + 8:len(ctype)].lower() if ctype.startswith('text/html') or ctype.startswith( 'text/xml'): # try to determine charset from html if not set before if not encoding: encoding = dxs.get_charset_from_html(content) script_urls = dxs.get_script_urls(url, content) self.set_template_value('script_urls', json.dumps(script_urls)) if not encoding: encoding = 'utf-8' response_text = content.decode(encoding, 'ignore') self.set_template_value('response_text', response_text) if self.is_ajax(): self.generate('text/javascript', 'response.html') else: self.generate('text/html', 'scan.html') else: self.set_template_value( 'error', 'Error: Supplied URL could not be fetched.') self.generate('text/html', 'error.html') else: self.set_template_value('error', 'Error: Supplied URL is not valid.') self.generate('text/html', 'error.html')
def get(self): url = self.get_param("url", "", "url") if url: self.set_template_value("url", url) self.set_template_value("title", "DOM XSS Scanner - Scan %s" % url) response = HTTP().request(url) if response: content = response.content encoding = False dxs = DOMXSS() # try to determine charset from request headers ctype = response.headers["content-type"].strip() pos = ctype.find("charset=") if pos > 0: encoding = ctype[pos + 8 : len(ctype)].lower() if ctype.startswith("text/html") or ctype.startswith("text/xml"): # try to determine charset from html if not set before if not encoding: encoding = dxs.get_charset_from_html(content) script_urls = dxs.get_script_urls(url, content) self.set_template_value("script_urls", json.dumps(script_urls)) if not encoding: encoding = "utf-8" response_text = content.decode(encoding, "ignore") self.set_template_value("response_text", response_text) if self.is_ajax(): self.generate("text/javascript", "response.html") else: self.generate("text/html", "scan.html") else: self.set_template_value("error", "Error: Supplied URL could not be fetched.") self.generate("text/html", "error.html") else: self.set_template_value("error", "Error: Supplied URL is not valid.") self.generate("text/html", "error.html")
def get(self): self.jinja_env.cache = None url = self.get_param('url', '', 'url') if url: self.set_template_value('url', url) self.set_template_value('title', 'DOM XSS Scanner - Scan %s' % url) response = HTTP().request(url) if response: content = response.content encoding = False dxs = DOMXSS() # try to determine charset from request headers ctype = response.headers['content-type'].strip() pos = ctype.find('charset=') if pos > 0: encoding = ctype[pos+8:len(ctype)].lower() if ctype.startswith('text/html') or ctype.startswith('text/xml'): # try to determine charset from html if not set before if not encoding: encoding = dxs.get_charset_from_html(content) script_urls = dxs.get_script_urls(url, content) self.set_template_value('script_urls', json.dumps(script_urls)) if not encoding: encoding = 'utf-8' response_text = content.decode(encoding, 'ignore') self.set_template_value('response_text', response_text) if self.is_ajax(): self.generate('text/javascript', 'response.html') else: self.generate('text/html', 'scan.html') else: self.error('Error: Supplied URL could not be fetched.') else: self.error('Error: Supplied URL is not valid.')
class TestDOMXSS(unittest.TestCase): def setUp(self): self.dxs = DOMXSS() self.url = 'http://localhost:8080/' def get_scripts(self, file_name): return self.dxs.get_script_urls(self.url, open(file_name, 'r').read()) def test_base_tag(self): scripts = self.get_scripts('./base_tag.html') self.assertEqual("http://localhost:8080/static/js/lib/modernizr-1.6.min.js", scripts[0]) def test_script_count(self): scripts = self.get_scripts('./script_count.html') self.assertEqual(3, len(scripts))
def setUp(self): self.dxs = DOMXSS() self.url = 'http://localhost:8080/'