0

The book:"Web Security Testing Cookbook By Paco Hope, Ben Walther" is the only source I could find which covers the topic. They use cURL. I just want to write some scripts to automate testing for xss. I'm just gonna run it on a site like demo.testfire.net for example. I know there are allot of tools available for the job though but that won't teach me anything. Thanks. If someone could perhaps post a one-liner example of testing with cURL. I don't really get how the example in the book works, besides that it assumes that if you get a popup then you won't get any errors for example an error that says:"Characters not allowed or 404 error."

Anyways my real question is what is a good way of automating tests for xss? Would be cool if someone could suggest a way of doing it in bash. Perhaps commandlinefu would be a better place to ask but I thought I'd start here. (Without using tools made specifically for the purpose.)

Eric G
  • 9,691
  • 4
  • 31
  • 58
dickolopicks
  • 11
  • 2

1 Answers1

1

Why in Bash? I guess technically you could use curl to post data and then see if the data gets echoed back to you without being escaped... but really, why limit yourself to bash?

Take a look at "Gray Hat Python", "Coding for Penetration Testers: Building Better Tools", or "Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers" for Python examples that do this.

See also: https://www.owasp.org/index.php/Testing_for_Cross_site_scripting

David
  • 15,814
  • 3
  • 48
  • 73