broser_url_reflected_xss
Detect reflected XSS vulnerabilities in URLs by testing specific parameters to identify insecure web application inputs for improved security.
Instructions
Test whether the URL has an XSS vulnerability
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| paramName | No | Parameter name for XSS testing | |
| url | Yes | | |
Implementation Reference
- index.ts:547-614 (handler) The main handler function for the 'broser_url_reflected_xss' tool. It tests the provided URL for reflected XSS vulnerabilities by injecting common XSS payloads into a URL parameter (default 'name'), navigating to each test URL using Playwright, checking if the raw payload appears unescaped in the page content, and reporting any vulnerable payloads found.

  ```ts
  case ToolName.BrowserUrlReflectedXss: {
    const baseUrl = args.url;
    const paramName = args.paramName || 'name';
    const xssPayloads = [
      "<script>alert(1)</script>",
      "\"><script>alert(1)</script>",
      "javascript:alert(1)",
      "<img src=x onerror=alert(1)>",
      "<svg onload=alert(1)>",
      "';alert(1);//"
    ];
    let vulnerablePayloads = [];

    for (const payload of xssPayloads) {
      const encodedPayload = encodeURIComponent(payload);
      const testUrl = `${baseUrl}${baseUrl.includes('?') ? '&' : '?'}${paramName}=${encodedPayload}`;

      try {
        await page.goto(testUrl);

        // Check whether the page source contains the unencoded payload
        const content = await page.content();
        const decodedPayload = decodeURIComponent(payload);
        if (content.includes(decodedPayload)) {
          vulnerablePayloads.push({ payload: payload, url: testUrl });
        }

        // Check the live DOM for the payload string. This is a substring
        // match on innerHTML; it does not confirm that any script executed.
        const hasXss = await page.evaluate((testPayload) => {
          return document.documentElement.innerHTML.includes(testPayload);
        }, payload);
        // Skip the push if the first check already recorded this payload,
        // so the same finding is not reported twice.
        if (hasXss && !content.includes(decodedPayload)) {
          vulnerablePayloads.push({ payload: payload, url: testUrl });
        }
      } catch (error) {
        console.error(`Error testing payload ${payload}: ${error}`);
      }
    }

    if (vulnerablePayloads.length > 0) {
      return {
        content: [{
          type: "text",
          text: `发现反射型XSS漏洞!\n\n可利用的Payload:\n${vulnerablePayloads.map(v => `Payload: ${v.payload}\nURL: ${v.url}\n` ).join('\n')}`
        }],
        isError: false
      };
    } else {
      return {
        content: [{ type: "text", text: "未发现明显的反射型XSS漏洞。" }],
        isError: false
      };
    }
  }
  ```
- index.ts:77-84 (schema) Input schema definition specifying the required 'url' parameter and optional 'paramName' for the XSS testing tool.

  ```ts
  inputSchema: {
    type: "object",
    properties: {
      url: { type: "string" },
      paramName: { type: "string", description: "Parameter name for XSS testing" },
    },
    required: ["url"],
  },
  ```
- index.ts:74-85 (registration) Registration of the tool in the TOOLS array, which is returned by ListToolsRequestHandler. Includes name, description, and input schema.

  ```ts
  {
    name: ToolName.BrowserUrlReflectedXss,
    description: "Test whether the URL has an XSS vulnerability",
    inputSchema: {
      type: "object",
      properties: {
        url: { type: "string" },
        paramName: { type: "string", description: "Parameter name for XSS testing" },
      },
      required: ["url"],
    },
  },
  ```
- index.ts:33-33 (registration) Definition of the ToolName enum constant mapping to the tool name string 'broser_url_reflected_xss', used in tool registration and handler switch.

  ```ts
  BrowserUrlReflectedXss = "broser_url_reflected_xss",
  ```
- index.ts:844-846 (registration) Registration of the general CallToolRequestHandler that dispatches to handleToolCall based on tool name, invoking the specific case for this tool.

  ```ts
  server.setRequestHandler(CallToolRequestSchema, async (request) =>
    handleToolCall(request.params.name as ToolName, request.params.arguments ?? {})
  );
  ```
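
The handler reports a payload whenever its string appears in the page content, so a payload with no HTML metacharacters (such as `javascript:alert(1)`) matches even when the application escapes its output correctly. The following is an added example, not code from the project's index.ts, that triages a reflection in a raw response body; `classifyReflection`, `decodeEntities`, `triageSamples` and the sample bodies are hypothetical names and constructed data.

```typescript
// Added example (not from the project's index.ts): classify how a probe
// string came back in a raw HTTP response body.
type Verdict = "not-reflected" | "encoded" | "inconclusive" | "raw-markup";

// Characters an HTML encoder must neutralise for the probe to be inert.
const HTML_META = /[<>"']/;

const has = (haystack: string, needle: string): boolean =>
  haystack.indexOf(needle) !== -1;

// Undo common entity encodings so an escaped reflection can be recognised.
function decodeEntities(s: string): string {
  return s
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&(#39|#x27|apos);/gi, "'")
    .replace(/&amp;/gi, "&");
}

function classifyReflection(body: string, payload: string): Verdict {
  const verbatim = has(body, payload);
  if (!HTML_META.test(payload)) {
    // e.g. "javascript:alert(1)": correct escaping leaves it unchanged, so
    // a verbatim match shows reflection only, not missing output encoding.
    return verbatim ? "inconclusive" : "not-reflected";
  }
  if (verbatim) return "raw-markup"; // metacharacters came back unescaped
  return has(decodeEntities(body), payload) ? "encoded" : "not-reflected";
}

// Constructed sample bodies (hypothetical, not captured from a real site).
const SAMPLES = [
  { name: "unescaped", body: "<p>Hi <script>alert(1)</script></p>", payload: "<script>alert(1)</script>" },
  { name: "escaped", body: "<p>Hi &lt;script&gt;alert(1)&lt;/script&gt;</p>", payload: "<script>alert(1)</script>" },
  { name: "quoteEscaped", body: "<p>Hi &#x27;;alert(1);//</p>", payload: "';alert(1);//" },
  { name: "noMeta", body: "<p>Hi javascript:alert(1)</p>", payload: "javascript:alert(1)" },
  { name: "absent", body: "<p>Hi</p>", payload: "<svg onload=alert(1)>" },
];

function triageSamples(): { [name: string]: Verdict } {
  const out: { [name: string]: Verdict } = {};
  for (const s of SAMPLES) out[s.name] = classifyReflection(s.body, s.payload);
  return out;
}

console.log(triageSamples());
```

In the handler, the raw body is available from the response that `page.goto` resolves to (via `response.text()`), whereas `page.content()` returns the browser's re-serialised DOM.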