XSS测试环境(Flask实现)

文档结构:

XSS.html

 1 from flask import Flask,render_template,request
 2 from flask_wtf import FlaskForm
 3 from wtforms import StringField,SubmitField
 4 app=Flask(__name__)
 5 app.config['SECRET_KEY'] = 'hard to guess string'
 6 class InputForm(FlaskForm):
 7     string=StringField()
 8     sub=SubmitField('submit')
 9     
10 @app.route('/',methods=['GET', 'POST'])    
11 def fontPage():
12     info=InputForm()
13     if request.method=='POST':
14         string=request.form['string']
15         return render_template('show.html',string=string)
16     return render_template('form.html',info=info)
17 
18 if __name__=='__main__':
19     app.run()

form.html

 1 <!DOCTYPE html>
 2 <html lang="en">
 3 <head>
 4     <meta charset="UTF-8">
 5     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6     <meta http-equiv="X-UA-Compatible" content="ie=edge">
 7     <title>Document</title>
 8 </head>
 9 <body>
10     <form method="POST">
11         {{info.string()}}
12         {{info.sub()}}
13     </form>
14 </body>
15 </html>

show.html

 1 <!DOCTYPE html>
 2 <html lang="en">
 3 <head>
 4     <meta charset="UTF-8">
 5     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6     <meta http-equiv="X-UA-Compatible" content="ie=edge">
 7     <title>Document</title>
 8 </head>
 9 <body>
10     what you input is:
11     {{string|safe}}  <!--注意这里"|safe"关闭jinja2自动转义功能-->
12 </body>
13 </html>

测试:

1.运行:

 

2.输入测试脚本:

3.提交触发漏洞:

 

一个简单的Python实现的XSS漏洞环境就完成了!

 

posted @ 2018-02-08 22:03  木子阁君  阅读(508)  评论(0编辑  收藏  举报