I am trying to make XSS scanner using selenium. First I tried checking for XSS with the response until I realized that is a poor way to check. I started using Selenium because I thought it would be better at interacting with pages and able to detect the alert box popping up. I built a vulnerable website with a simple form and tested it, but it just fills the form without causing the alert to popup, here is code i used
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.by import By
import time
def check_xss(url, input_boxes):
vulnerabilities = []
payloads = [
"<script>alert('XSS')</script>",
"<img src='x' onerror='alert(\"XSS\")'>",
"<svg/onload=alert('XSS')>",
"<svg><script>alert('XSS')</script>",
"'\"><script>alert('XSS')</script>",
"';alert('XSS');//",
"%3Cscript%3Ealert('XSS')%3C/script%3E"
]
driver = webdriver.Chrome()
try:
for input_box in input_boxes:
if 'name' in input_box.attrs:
print(f"Testing for XSS on input box : {input_box['name']}")
for payload in payloads:
driver.get(url)
input_field = driver.find_element(By.NAME, input_box['name'])
input_field.send_keys(payload)
input_field.submit()
time.sleep(1)
try:
alert = driver.switch_to.alert
vulnerabilities.append({
'type': 'XSS',
'input_param': input_box['name'],
'payload': payload,
'result': f'XSS Success with payload : {payload}'
})
print(f"XSS Success with payload : {payload}")
alert.accept() # Close the alert dialog
except:
pass # No alert dialog appeared, so continue testing
finally:
# Close the browser
driver.quit()
if not vulnerabilities:
print(f"No XSS vulnerability found for input box: {input_box['name']}")
return vulnerabilities
With this it just fills the form and doesnt trigger the alert box, even though i know its XSS vulnernable and when maunually doing the attack the alert box appears.
How can I get this to actually check for XSS
I can't figure out how to make this work, ive tried increasing the timeout but it didnt do anything