diff --git a/README.md b/README.md
index eb3f06f..b3a9375 100644
--- a/README.md
+++ b/README.md
@@ -30,3 +30,4 @@ At the top of the Html content, look for a `
 ## Additional Resources
 [OWASP XSS Cheatsheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
+
diff --git a/package.json b/package.json
index d7cfa90..f974183 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xss-scanner",
- "version": "0.0.8",
+ "version": "0.0.9",
 "description": "Cross-Site Scripting (XSS) scanner. This tool helps to find possible XSS vulnerabilities.",
 "keywords" : [ "xss", "xss-vulnerability", "xss-detection", "xss-exploitation", "xss-scanner" ],
 "repository": {
diff --git a/src/config.js b/src/config.js
index 06dac69..9e65e8d 100644
--- a/src/config.js
+++ b/src/config.js
@@ -10,6 +10,7 @@ function xssOptions() {
 // port: 8888
 // },
+ payloadFile: "data/payload.test.txt",
 fileOutput: false,
 host: "www.yourwebsite.com",
 port: 80,
diff --git a/src/payload.js b/src/payload.js
index fe1f6ff..49dcef5 100644
--- a/src/payload.js
+++ b/src/payload.js
@@ -1,24 +1,13 @@
-var { stringFormat } = require('./util');
+var { stringFormat, ripPayload } = require('./util');
 var { xssOptions } = require('./config');
 const http = require("http");
 const fs = require("fs");
 const uuid = require("node-uuid");
-const readline = require("readline");
 const chalk = require("chalk");
 const config = xssOptions();
-const payloadFileReader = readline.createInterface({
- input: fs.createReadStream("data/payload.txt")
-});
-
-payloadFileReader.on("line", (line) => {
- if (line.length === 0) return;
-
- attack(line);
-});
-
 var attack = function (line) {
 try {
 var reqOptions = {
@@ -77,4 +66,6 @@ var attack = function (line) {
 } catch (err) {
 console.log(chalk.red(err + " - " + line));
 }
-};
\ No newline at end of file
+};
+
+ripPayload(config.payloadFile, attack);
\ No newline at end of file
diff --git a/src/util.js b/src/util.js
index 4a4ba65..f34877e 100644
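Review bot: The new default `payloadFile: "data/payload.test.txt"` in src/config.js points the scanner at what looks like the test fixture, whereas the code removed from src/payload.js read `data/payload.txt`; with this default a normal run would only send the fixture's payloads, so scan coverage may shrink without any visible signal. If that is not intended, keep the default at `payloadFile: "data/payload.txt"` and let the test pass its own path. The path is also relative, so it resolves against the process working directory rather than the package; a comment such as `// resolved relative to the current working directory` would make that visible. The body of xssOptions continues outside the hunk.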
--- a/src/util.js
+++ b/src/util.js
@@ -1,7 +1,11 @@
 module.exports = {
- stringFormat
+ stringFormat,
+ ripPayload
 }
+const readline = require("readline");
+const fs = require("fs");
+
 // Thanks ASP.NET AJAX 1.0 Source Code Released
 // https://weblogs.asp.net/scottgu/asp-net-ajax-1-0-source-code-released
 function stringFormat (s) {
@@ -10,4 +14,22 @@ function stringFormat (s) {
 s = s.replace(reg, arguments[i + 1]);
 }
 return s;
+};
+
+function ripPayload(pathToPayload, attackCallback, doneCallback) {
+ let payloadReader = readline.createInterface({
+ input: fs.createReadStream(pathToPayload)
+ });
+
+ payloadReader.on("line", (line) => {
+ if (line.length === 0) return;
+
+ attackCallback(line);
+ });
+
+ payloadReader.on("close", () => {
+ if (doneCallback) {
+ doneCallback();
+ }
+ });
 };
\ No newline at end of file
diff --git a/tests/util.test.js b/tests/util.test.js
index 0beccd7..7bf3a81 100644
--- a/tests/util.test.js
+++ b/tests/util.test.js
@@ -1,4 +1,4 @@
-var { stringFormat } = require('../src/util');
+var { stringFormat, ripPayload } = require('../src/util');
 const chai = require("chai");
 const expect = chai.expect;
@@ -15,4 +15,17 @@ describe("stringFormat", () => {
 expect(actual).to.equal("/whatever.php?foo=bar&fizz=buzz");
 });
+});
+
+describe("ripPayload", () => {
+ it("should rip line by line the input and invoke callback", (done) => {
+ let actualAttacks = 0;
+
+ ripPayload("data/payload.test.txt", (line) => {
+ actualAttacks++;
+ }, () => {
+ expect(actualAttacks).to.equal(12);
+ done();
+ });
+ });
 });
\ No newline at end of file
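Review bot: In src/util.js, `ripPayload` registers `"line"` and `"close"` listeners but nothing for `"error"`, so a missing or unreadable `pathToPayload` is never reported to the caller; as far as the hunk shows, the failure would surface as an unhandled `'error'` event and `doneCallback` may never run. Keeping the stream in a variable and adding `input.on("error", (err) => { if (doneCallback) doneCallback(err); });` would let callers see the failure; whether the readline interface needs its own listener as well depends on the Node version and is worth confirming. A short doc comment should also state that `attackCallback` is called once per non-empty line and that `doneCallback` fires when the reader closes, which says nothing about whether work started by `attackCallback` has finished.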
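Review bot: The expected count `12` in the new `ripPayload` test in tests/util.test.js is tied to the current contents of `data/payload.test.txt`, and the relative path resolves against the working directory, so the test breaks if the fixture is edited or the runner is started from another directory. Resolving the fixture with `path.join(__dirname, "..", "data", "payload.test.txt")` (after `const path = require("path");`) removes the dependence on the working directory. The unused `line` argument could be collected into an array so the test also asserts that no empty line reaches the callback, e.g. `expect(lines.every((l) => l.length > 0)).to.equal(true);`. There is no case for a payload file that does not exist.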