Add XSS validation function #237

@tmbrbr

Description

When validating XSS by hand, typically the alert() function is used as a payload. This is hard to automate, as alerts can be called by the website during normal operation, but also because an alert requires interaction.

In order to validate potential XSS during tests we usually inject a JavaScript function into the page. The XSS is then triggered with a payload which calls this function with a specific unique input (e.g. a hex string). We then listen for the function call and check whether the input matches the value in the payload.

In cases where it is not possible to inject a custom script or listen for the answer, it would be great to have a function taking a single argument and writing a unique message to stdout.

Labels: enhancement (New feature or request)
