
I'm automating XSS security tests. I automated reflected and stored XSS; now, for automating DOM XSS, I'm required to use the XSStrike tool (https://github.com/s0md3v/XSStrike/wiki/Usage). I'm using Selenium to automate the business logic (login), get the cookies and store them in a JSON and a txt file. However, when I provide the cookies to the tool:

    python xsstrike.py -u https://test.com/ --headers "cookie:C:\Users\Desktop\cookies\cookie.json" --crawl --blind --params --file-log-level INFO --log-file log

I don't see whether the tool used the cookies or not. I used Wireshark with a filter to see if the tool used the cookies, but it doesn't capture them. Also, there is nothing in the log about using cookies.

Is there a way to verify whether the tool used the cookies and performed an authenticated XSS scan? Also, I'm not sure which cookies to provide.

My script to store the cookies:

    from selenium import webdriver

    # Method of the test class (excerpt): log in, save the session cookies, return the page HTML.
    def login(self, url):
        driver = webdriver.Firefox(executable_path=r'C:\Users\Desktop\geckodriver.exe')
        cookiepath = "C:/Users/Desktop/cookies/cookie.txt"
        cookiepath2 = "C:/Users/Desktop/cookies/cookie.json"
        driver.get(url)
        # Fill in and submit the login form
        username = driver.find_element_by_id("Username")
        password = driver.find_element_by_id("password")
        username.send_keys("test")
        password.send_keys("testtest")
        driver.find_element_by_id("btnLogin").click()
        self.save_cookie(driver, cookiepath)    # store cookies as txt file
        self.save_cookies(driver, cookiepath2)  # store cookies as json
        # Grab the rendered HTML of the page shown after login
        elem = driver.find_element_by_xpath("//*")
        source_code = elem.get_attribute("outerHTML")
        driver.close()
        return source_code
ikenahimm

0 Answers
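An added example, not part of the original post: it turns a Selenium cookie dump into the single `name=value; ...` string a `Cookie:` header carries, and checks what a server actually receives by sending it to a throwaway local HTTP recorder. It assumes `cookie.json` holds the list returned by `driver.get_cookies()` (the poster's `save_cookies` is not shown) and that the scanner sends the `--headers` text as given; the sample cookies and the helper names `cookie_header` and `cookie_seen_by_server` are constructed for illustration.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample in the shape of Selenium's driver.get_cookies() output;
# names and values are made up for this example.
SAMPLE_COOKIES_JSON = json.dumps([
    {"name": "ASP.NET_SessionId", "value": "abc123", "domain": "test.com", "path": "/"},
    {"name": ".AUTH", "value": "deadbeef", "domain": ".test.com", "path": "/"},
    {"name": "tracking", "value": "x", "domain": "ads.example", "path": "/"},
])

def cookie_header(cookies_json, host):
    """Join the cookies scoped to `host` into one Cookie header value."""
    pairs = []
    for c in json.loads(cookies_json):
        domain = c.get("domain", "").lstrip(".")
        if host == domain or host.endswith("." + domain):
            pairs.append(f"{c['name']}={c['value']}")
    return "; ".join(pairs)

class _Recorder(BaseHTTPRequestHandler):
    seen = []  # Cookie header of every request received

    def do_GET(self):
        _Recorder.seen.append(self.headers.get("Cookie"))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass

def cookie_seen_by_server(header_value):
    """Send one request to a local recorder and return the Cookie header it saw."""
    server = HTTPServer(("127.0.0.1", 0), _Recorder)  # port 0: any free port
    threading.Thread(target=server.handle_request, daemon=True).start()
    req = urllib.request.Request(
        f"http://127.0.0.1:{server.server_port}/", headers={"Cookie": header_value})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    opener.open(req, timeout=5).close()
    server.server_close()
    return _Recorder.seen[-1]

if __name__ == "__main__":
    value = cookie_header(SAMPLE_COOKIES_JSON, "test.com")
    print("Cookie:", value)
    print("server saw:", cookie_seen_by_server(value))
```

Pointing the scanner at a recorder like this over plain HTTP shows exactly which headers it sends; a Wireshark capture of HTTPS traffic cannot show them without the session keys.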