There are many ready-made tools for XSS vulnerability scanning, such as PAROS and Vulnerability. On a recent project we used a scanning tool, yet our partners still found several vulnerabilities. The vulnerable spots they found were requests sent to the back end through JavaScript and Ajax, which these tools had not scanned at all. It seems that vulnerability hunting still needs a combination of tools and manual work.
How can we find them by hand? We used the most basic method: manually locate every place in the back-end code that receives a front-end request, list all the request paths, parameters and so on, and check them for vulnerabilities one by one.
Of course, there are far too many request-receiving locations to check by hand one at a time, so we also wrote some small tools of our own to help.
The tool works like this: an Excel file records the controller, action, param and value of each request. The tool reads each row, splices the fields into a request, sends it to the server and collects the response. It then checks, by string comparison or regular expression, whether the response contains the keywords from the request. If it does, a vulnerability may exist and further manual investigation is needed.
With this small tool you can filter out the large number of safe requests and manually check only the few that may be vulnerable, which greatly reduces the workload. The hard part of the whole test is finding all the requests; this needs the developers' help and is very time-consuming and laborious.
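The workflow described above (request inventory, splice, send, check the response for the reflected input), as an added Python example. This is not the code of the url-scan project linked below and makes some assumptions: the inventory is a CSV string in the controller/action/param/value layout rather than an Excel file, and the two endpoints are a constructed local server started inside the script, one that reflects the parameter raw and one that HTML-escapes it. The reflection check demands that the probe marker comes back with its `<`, `"` and `'` intact; a plain keyword match would also flag responses where the value is reflected but correctly escaped, which are not exploitable.

```python
import csv
import html
import io
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed request inventory in the layout the post describes
# (controller, action, param, value). All values are placeholders.
REQUEST_SHEET = """controller,action,param,value
search,query,q,shoes
profile,update,nickname,alice
"""

# Probe marker: unlikely to occur naturally, and it contains characters
# that a correctly escaping handler must encode.
MARKER = 'xssprobe<"\'>'


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed local endpoints (assumption, not a real application):
    /search/query reflects the first parameter raw into HTML (the flaw the
    tool is meant to catch); /profile/update HTML-escapes it."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(parsed.query)
        first = next(iter(params.values()), [""])[0]
        if parsed.path == "/search/query":
            body = f"<p>Results for {first}</p>"            # unsafe reflection
        else:
            body = f"<p>Saved {html.escape(first, quote=True)}</p>"  # escaped
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_server():
    # Bind to an ephemeral port on loopback and serve in a background thread.
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def load_requests(sheet_text):
    # One dict per row, keyed by the header: controller, action, param, value.
    return list(csv.DictReader(io.StringIO(sheet_text)))


def build_url(base, row, marker):
    # Splice controller/action/param into one GET; the recorded value is
    # replaced by the marker so that any reflection is unambiguous.
    query = urllib.parse.urlencode({row["param"]: marker})
    return f"{base}/{row['controller']}/{row['action']}?{query}"


def is_reflected_unescaped(body, marker):
    # Literal substring check: the marker came back with < " ' intact.
    # An escaped reflection (&lt; &quot; &#x27;) does not match, so it is
    # not reported as a candidate.
    return marker in body


def scan(base, sheet_text, marker=MARKER):
    # Returns the (controller, action, param) triples that need manual review.
    findings = []
    for row in load_requests(sheet_text):
        url = build_url(base, row, marker)
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        if is_reflected_unescaped(body, marker):
            findings.append((row["controller"], row["action"], row["param"]))
    return findings


if __name__ == "__main__":
    server = start_demo_server()
    base = f"http://127.0.0.1:{server.server_port}"
    for hit in scan(base, REQUEST_SHEET):
        print("possible reflected XSS, review manually:", hit)
    server.shutdown()
```

Running it reports only the search/query/q request; the profile/update/nickname request reflects the value too, but escaped, so it is filtered out. Against a real application the `scan` function would be pointed at the test server's base URL with the exported inventory, and every hit still has to be confirmed by hand, as the post says: the marker may land inside a script block, an attribute, or a comment, each of which needs a different follow-up.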
Tool code uploaded to GitHub: https://github.com/pascocai/url-scan
Later it occurred to me that JMeter could also be used for this. I have not worked out the specific steps yet; I will add them once I have verified the approach in practice.
XSS Vulnerability Scan Experience Sharing