yaph / domxssscanner Goto Github PK

DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities

Home Page: https://geeksta.net/domxssscanner/

Python 13.40% CSS 16.75% JavaScript 9.06% HTML 60.61% Shell 0.18%

dom xss-vulnerability scanner online-tool web-security domxss

domxssscanner's Introduction

DOM XSS Scanner is an online tool that facilitates code review of web pages and JavaScript code for potential DOM based XSS security vulnerabilities.

Sample Results Page

Check your Web page

Learn more about the tool on the project's about page.

Install

Clone this repository and download the Google App Engine SDK for Python. Extract the SDK archive and add aliases for the dev server and update programs, for example:

alias gae_pyserver='python PATH_TO_SDK/google_appengine/dev_appserver.py'
alias gae_update='python PATH_TO_SDK/google_appengine/appcfg.py update'

Then start the dev server in the domxssscanner directory with the command:

gae_pyserver .

You can then access the application at http://localhost:8080/.

domxssscanner's People

Contributors

Stargazers

Watchers

domxssscanner's Issues

Scan Scripts dynamically loaded via other Scripts

Execute JavaScript to automatically load other scripts referenced in the code.

JS var script_urls is cached and set on index page after scan

The JavaScript variable script_urls should not be set on the index page and the corresponding JS code not added to the HTML output.

Error when loading localhost:8080 => ImportError: No module named gae_utils

I get the below error when I try to access http://localhost:8080 after running the server gae_pyserver .:

INFO     2016-07-11 11:43:34,318 sdk_update_checker.py:229] Checking for updates to the SDK.
INFO     2016-07-11 11:43:35,169 sdk_update_checker.py:257] The SDK is up to date.
INFO     2016-07-11 11:43:35,216 api_server.py:205] Starting API server at: http://localhost:50347
INFO     2016-07-11 11:43:35,220 dispatcher.py:197] Starting module "default" running at: http://localhost:8080
INFO     2016-07-11 11:43:35,222 admin_server.py:116] Starting admin server at: http://localhost:8000
ERROR    2016-07-11 11:43:41,678 wsgi.py:263]
Traceback (most recent call last):
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/runtime/wsgi.py", line 240, in Handle
    handler = _config_handle.add_wsgi_middleware(self._LoadHandler())
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/runtime/wsgi.py", line 299, in _LoadHandler
    handler, path, err = LoadObject(self._handler)
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/runtime/wsgi.py", line 85, in LoadObject
    obj = __import__(path[0])
  File "/Users/manisarkar/Projects/codurance/CodeReviews/Tesco/domxssscanner/main.py", line 4, in <module>
    from gae_utils import BaseHandler, HTTP
ImportError: No module named gaeutils
INFO     2016-07-11 11:43:41,684 module.py:788] default: "GET / HTTP/1.1" 500 -

Already installed gaeutils via pip install:
sudo pip install https://pypi.python.org/packages/source/g/gaeutils/gaeutils-0.0.2.tar.gz
but still get the error.

document.write classified as DOM XSS source

The regular expression for sources matches document.write( which is a sink and not a source

requirements.txt and updated README

Hey,

Hope you're well. Was going to play around with this, but it's not clear what packages the python scripts need nor how to setup domxssscanner.

It would be good to include requirements.txt file so people can use a python virtualenv and install the packages need by domxssscanner with pip install -r requirements.txt. A simple way to generate that would be to do a pip freeze where you do have domxssscanner working. Be warned, that might include packages that have been installed on the system that aren't necessary for domxssscanner.

Also, it would be great if the README included documentation on how best to setup. A process like the following would be great:

clone domxssscanner repo
virtualenv env
. ./env/bin/activate
pip install -r requirements.txt
find . -name "*.js" | xargs ./domxss.py
- that is an obviously made up command since I am unfamiliar with how to run domxssscanner

yaph / domxssscanner Goto Github PK

domxssscanner's Introduction

Sample Results Page

Install

domxssscanner's People

Contributors

Stargazers

Watchers

Forkers

domxssscanner's Issues

Scan Scripts dynamically loaded via other Scripts

JS var script_urls is cached and set on index page after scan

Error when loading localhost:8080 => ImportError: No module named gae_utils

document.write classified as DOM XSS source

requirements.txt and updated README

Cannot access page_url template var created in gae_utils.py in templates

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent