When testing an application for XSS vulnerabilities, it can sometimes be hard to come up with a successful
attack and to test multiple alternatives. You can use a tool like XSStrike to automate this; in this quick tips
episode, you will learn how. Above is the vid and below you will find some useful notes.
1. Pre-reqs
   - Have Node.js installed for the sample app
   - Have Docker installed
2. Using XSStrike
   - Create the Dockerfile with XSStrike:

         FROM continuumio/anaconda3
         WORKDIR /workdir
         # Refresh the package index before installing; it may be empty in the base image
         RUN apt-get update && apt-get install -y unzip
         ADD https://github.com/s0md3v/XSStrike/archive/master.zip ./
         RUN unzip master.zip && \
             rm master.zip
         # -y: docker build has no terminal to answer conda's confirmation prompt
         RUN conda config --append channels conda-forge && \
             conda install -y fuzzywuzzy requests
         ENTRYPOINT ["python", "./XSStrike-master/xsstrike.py"]

   - Build the image:

         docker build -t xsstrike .

   - Run XSStrike to check options:

         docker run -it --rm --name xsstrike xsstrike

   - Run XSStrike to test against the vulnerable app from the video:

         docker run -it --rm --name xsstrike xsstrike -u "http://192.168.99.1:3000/?name=testing"
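
The notes do not include the sample app itself, so the following is an added example, not the code from the video: a minimal Node.js handler that reflects the `name` parameter on port 3000 (both taken from the URL above), shown in a vulnerable and a hardened form. All function names and the `--serve`/`--vuln` switches are hypothetical.

```javascript
// Added example: hypothetical stand-in for the sample app, not the code from the video.

// Vulnerable: the query value is concatenated into the HTML unchanged.
function renderVulnerable(name) {
  return `<h1>Hello ${name}</h1>`;
}

// Encode the characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: same page, with the value encoded for HTML context.
function renderSafe(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Pull ?name= out of the request URL (already percent-decoded by URLSearchParams).
function nameFromUrl(rawUrl) {
  return new URL(rawUrl, 'http://localhost').searchParams.get('name') ?? 'anonymous';
}

// Start the app on the given port; hardened=false serves the vulnerable handler.
async function serve(port, hardened) {
  const http = await import('node:http');
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  // Defence in depth for the hardened variant: disallow inline script.
  if (hardened) headers['Content-Security-Policy'] = "default-src 'self'";
  const render = hardened ? renderSafe : renderVulnerable;
  const server = http.createServer((req, res) => {
    res.writeHead(200, headers);
    res.end(render(nameFromUrl(req.url)));
  });
  server.listen(port, () => console.log(`listening on :${port}`));
  return server;
}

// node app.js --serve         -> hardened handler on port 3000
// node app.js --serve --vuln  -> vulnerable handler, for a local lab only
if (process.argv.includes('--serve')) {
  serve(3000, !process.argv.includes('--vuln'));
}
```

Scanning the hardened variant after the vulnerable one gives a before/after check that the output encoding closes the reflection the scanner reported.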