更新: 359 个文件 - 2026-03-16 23:30:01

02-xss/tools/xss-scanner.go

@@ -7,11 +7,13 @@
 package main
 
 import (
+	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"regexp"
 	"strings"
 	"sync"
@@ -30,6 +32,9 @@ type XSSScanner struct {
 	Threads  int
 	Timeout  time.Duration
 	Payloads map[string][]string
+	Headers  map[string]string
+	Cookie   string
+	Quiet    bool
 }
 
 var (
@@ -52,6 +57,7 @@ func NewXSSScanner(threads int, timeout time.Duration) *XSSScanner {
 		},
 		Threads: threads,
 		Timeout: timeout,
+		Headers: map[string]string{},
 		Payloads: map[string][]string{
 			"basic": {
 				"<script>alert(1)</script>",
@@ -110,6 +116,12 @@ func (s *XSSScanner) SendRequest(targetURL, method, param, payload string) (stri
 	}
 
 	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
+	for k, v := range s.Headers {
+		req.Header.Set(k, v)
+	}
+	if s.Cookie != "" {
+		req.Header.Set("Cookie", s.Cookie)
+	}
 
 	resp, err := s.Client.Do(req)
 	if err != nil {
@@ -150,8 +162,10 @@ func (s *XSSScanner) ScanURL(targetURL, method, param string) []XSSResult {
 						Category: cat,
 					})
 					mu.Unlock()
-					fmt.Printf("%s[VULN]%s [%s] %s - %s\n",
-						colorRed+colorBold, colorEnd, cat, param, p[:min(50, len(p))])
+					if !s.Quiet {
+						fmt.Printf("%s[VULN]%s [%s] %s - %s\n",
+							colorRed+colorBold, colorEnd, cat, param, p[:min(50, len(p))])
+					}
 				}
 			}(category, payload)
 		}
@@ -234,6 +248,21 @@ func min(a, b int) int {
 	return b
 }
 
+func parseHeaders(raw string) map[string]string {
+	headers := map[string]string{}
+	if raw == "" {
+		return headers
+	}
+	for _, part := range strings.Split(raw, ",") {
+		pair := strings.SplitN(part, ":", 2)
+		if len(pair) != 2 {
+			continue
+		}
+		headers[strings.TrimSpace(pair[0])] = strings.TrimSpace(pair[1])
+	}
+	return headers
+}
+
 func main() {
 	target := flag.String("u", "", "Target URL")
 	method := flag.String("m", "GET", "HTTP Method (GET/POST)")
@@ -242,53 +271,105 @@ func main() {
 	timeout := flag.Duration("timeout", 10*time.Second, "Request timeout")
 	checkCSP := flag.Bool("check-csp", false, "Check CSP headers")
 	domScan := flag.Bool("dom-scan", false, "Scan for DOM XSS")
+	header := flag.String("header", "", "Extra headers in Name:Value,Name2:Value2 format")
+	cookie := flag.String("cookie", "", "Cookie header value")
+	format := flag.String("format", "text", "Output format: text or json")
+	output := flag.String("output", "", "Write output to file")
+	evidenceDir := flag.String("evidence-dir", "", "Optional evidence directory")
+	runID := flag.String("run-id", "", "Associated run ID")
+	caseID := flag.String("case-id", "", "Associated case ID")
+	ackAuthorized := flag.Bool("ack-authorized", false, "Confirm the target is owned or authorized")
 
 	flag.Parse()
 
-	if *target == "" {
+	if *target == "" || !*ackAuthorized {
 		fmt.Printf("%s[ERROR]%s Target URL is required. Use -u flag.\n", colorRed, colorEnd)
 		flag.Usage()
 		return
 	}
 
-	fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd)
-	fmt.Printf("%sXSS Scanner (Go)%s\n", colorBold, colorEnd)
-	fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd)
-
 	scanner := NewXSSScanner(*threads, *timeout)
+	scanner.Headers = parseHeaders(*header)
+	scanner.Cookie = *cookie
+	scanner.Quiet = *format != "text"
 
-	fmt.Printf("%s[INFO]%s Target: %s\n", colorBlue, colorEnd, *target)
-	fmt.Printf("%s[INFO]%s Method: %s\n", colorBlue, colorEnd, *method)
-	fmt.Printf("%s[INFO]%s Parameter: %s\n", colorBlue, colorEnd, *param)
-
+	cspResult := map[string]interface{}{"has_csp": false, "weaknesses": []string{}}
 	if *checkCSP {
-		fmt.Printf("\n%s[*]%s Checking CSP...\n", colorCyan, colorEnd)
-		cspResult := scanner.CheckCSP(*target)
-		if cspResult["has_csp"].(bool) {
+		cspResult = scanner.CheckCSP(*target)
+		if *format == "text" && cspResult["has_csp"].(bool) {
 			fmt.Printf("%s[+]%s CSP configured: %s\n", colorGreen, colorEnd, cspResult["csp"].(string)[:min(100, len(cspResult["csp"].(string)))])
 			for _, w := range cspResult["weaknesses"].([]string) {
 				fmt.Printf("%s[-]%s Weakness: %s\n", colorYellow, colorEnd, w)
 			}
-		} else {
+		} else if *format == "text" {
 			fmt.Printf("%s[-]%s No CSP configured!\n", colorYellow, colorEnd)
 		}
 	}
 
+	domResults := []map[string]string{}
 	if *domScan {
-		fmt.Printf("\n%s[*]%s Scanning for DOM XSS...\n", colorCyan, colorEnd)
-		domResults := scanner.ScanDOMXSS(*target)
+		domResults = scanner.ScanDOMXSS(*target)
+		if *format == "text" {
+			fmt.Printf("\n%s[*]%s Scanning for DOM XSS...\n", colorCyan, colorEnd)
+		}
 		for _, r := range domResults {
+			if *format != "text" {
+				continue
+			}
 			fmt.Printf("%s[-]%s Potential DOM XSS: %s\n", colorYellow, colorEnd, r["desc"])
 		}
 	}
 
-	fmt.Printf("\n%s[*]%s Testing XSS payloads...\n", colorCyan, colorEnd)
 	results := scanner.ScanURL(*target, *method, *param)
-
-	fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd)
-	fmt.Printf("%s[SUMMARY]%s Found %d XSS vulnerabilities\n", colorGreen, colorEnd, len(results))
-	for _, r := range results {
-		fmt.Printf("  - [%s] %s: %s\n", r.Category, r.Type, r.Payload[:min(50, len(r.Payload))])
+	report := map[string]interface{}{
+		"tool":              "xss-scanner-go",
+		"mode":              "bulk-reflected-xss",
+		"target":            *target,
+		"status":            "needs-review",
+		"severity":          "info",
+		"timestamp":         time.Now().UTC().Format(time.RFC3339),
+		"request_summary":   map[string]interface{}{"method": *method, "param": *param, "threads": *threads},
+		"payload_or_probe":  map[string]interface{}{"reflected_hits": results, "dom_hits": domResults, "csp": cspResult},
+		"evidence_refs":     []string{},
+		"minimal_validation": "只读探测、最小化注入、可审计回显、可回滚验证。",
+		"authorization_scope": "lab-local, lab-public, authorized-third-party",
+		"destructive_risk":  "low",
+		"run_id":            *runID,
+		"case_id":           *caseID,
 	}
-	fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd)
+	if len(results) > 0 {
+		report["status"] = "verified"
+		report["severity"] = "high"
+	} else if len(domResults) > 0 {
+		report["status"] = "suspected"
+		report["severity"] = "medium"
+	}
+	if *evidenceDir != "" {
+		_ = os.MkdirAll(*evidenceDir, 0o755)
+		evidencePath := *evidenceDir + "/xss-scanner-go.json"
+		if raw, err := json.MarshalIndent(report, "", "  "); err == nil {
+			_ = os.WriteFile(evidencePath, append(raw, '\n'), 0o644)
+			report["evidence_refs"] = append(report["evidence_refs"].([]string), evidencePath)
+		}
+	}
+	var content []byte
+	if *format == "json" {
+		content, _ = json.MarshalIndent(report, "", "  ")
+	} else {
+		text := []string{
+			strings.Repeat("=", 60),
+			"XSS Scanner (Go)",
+			strings.Repeat("=", 60),
+			"Target: " + *target,
+			"Method: " + *method,
+			fmt.Sprintf("Reflected Hits: %d", len(results)),
+			fmt.Sprintf("DOM Findings: %d", len(domResults)),
+			"Status: " + report["status"].(string),
+		}
+		content = []byte(strings.Join(text, "\n"))
+	}
+	if *output != "" {
+		_ = os.WriteFile(*output, append(content, '\n'), 0o644)
+	}
+	fmt.Println(string(content))
 }