broser_url_reflected_xss
Test for reflected XSS vulnerabilities in URLs by injecting payloads into specified parameters to identify security weaknesses.
Instructions
Test whether the URL has an XSS vulnerability
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | | |
| paramName | No | Parameter name for XSS testing | |
Implementation Reference
- index.ts:547-614 (handler) The handler function for the 'broser_url_reflected_xss' tool within the handleToolCall switch statement. It tests a list of XSS payloads by injecting them into the URL query parameters, navigates to each test URL, checks if the payload is reflected unescaped in the page content, and reports vulnerable payloads if found.

  ```typescript
  case ToolName.BrowserUrlReflectedXss: {
    const baseUrl = args.url;
    // Falls back to the query parameter 'name' when paramName is not supplied
    const paramName = args.paramName || 'name';
    const xssPayloads = [
      "<script>alert(1)</script>",
      "\"><script>alert(1)</script>",
      "javascript:alert(1)",
      "<img src=x onerror=alert(1)>",
      "<svg onload=alert(1)>",
      "';alert(1);//"
    ];

    let vulnerablePayloads = [];

    for (const payload of xssPayloads) {
      const encodedPayload = encodeURIComponent(payload);
      const testUrl = `${baseUrl}${baseUrl.includes('?') ? '&' : '?'}${paramName}=${encodedPayload}`;

      try {
        await page.goto(testUrl);

        // Check whether the page source contains the unencoded payload
        const content = await page.content();
        const decodedPayload = decodeURIComponent(payload);

        if (content.includes(decodedPayload)) {
          vulnerablePayloads.push({
            payload: payload,
            url: testUrl
          });
        }

        // Check for JavaScript execution (as written, this only tests whether
        // the payload string appears in the live DOM's innerHTML)
        const hasXss = await page.evaluate((testPayload) => {
          return document.documentElement.innerHTML.includes(testPayload);
        }, payload);

        if (hasXss) {
          vulnerablePayloads.push({
            payload: payload,
            url: testUrl
          });
        }
      } catch (error) {
        console.error(`Error testing payload ${payload}: ${error}`);
      }
    }

    if (vulnerablePayloads.length > 0) {
      return {
        content: [{
          type: "text",
          text: `发现反射型XSS漏洞!\n\n可利用的Payload:\n${vulnerablePayloads.map(v =>
            `Payload: ${v.payload}\nURL: ${v.url}\n`
          ).join('\n')}`
        }],
        isError: false
      };
    } else {
      return {
        content: [{
          type: "text",
          text: "未发现明显的反射型XSS漏洞。"
        }],
        isError: false
      };
    }
  }
  ```
- index.ts:74-85 (registration) Registration of the 'broser_url_reflected_xss' tool in the TOOLS array, including its name, description, and input schema definition.

  ```typescript
  {
    name: ToolName.BrowserUrlReflectedXss,
    description: "Test whether the URL has an XSS vulnerability",
    inputSchema: {
      type: "object",
      properties: {
        url: { type: "string" },
        paramName: { type: "string", description: "Parameter name for XSS testing" },
      },
      required: ["url"],
    },
  },
  ```
- index.ts:33-33 (registration) Enum definition for the tool name constant 'broser_url_reflected_xss' used throughout the code.

  ```typescript
  BrowserUrlReflectedXss = "broser_url_reflected_xss",
  ```
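
The handler's substring check, reworked as an offline classifier that separates raw reflection from an entity-encoded echo and reports each URL once even though the handler can push the same payload from both of its checks. This is an added example, not code from index.ts; `classifyReflection`, `collectFindings`, the canary probe and the sample responses are constructed for illustration.

```typescript
// Added example, not code from index.ts; all names are hypothetical.
type Reflection = "raw" | "encoded" | "absent";
interface ProbeResult { url: string; probe: string; body: string; }
interface Finding { url: string; probe: string; reflection: Reflection; }

const NAMED = new Map<string, string>([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"]]);

// Decode the named and numeric character references an output encoder emits.
function decodeEntities(s: string): string {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m: string, ref: string): string => {
    if (ref.charAt(0) !== "#") {
      const ch = NAMED.get(ref.toLowerCase());
      return ch === undefined ? m : ch;
    }
    const hex = ref.charAt(1).toLowerCase() === "x";
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

// "raw": metacharacters came back unmodified; "encoded": echoed but entity-encoded.
function classifyReflection(body: string, probe: string): Reflection {
  if (body.includes(probe)) return "raw";
  if (decodeEntities(body).includes(probe)) return "encoded";
  return "absent";
}

// One finding per (url, probe) pair, however many checks or repeats match it.
function collectFindings(results: ProbeResult[]): Finding[] {
  const seen = new Set<string>();
  const findings: Finding[] = [];
  for (const r of results) {
    const reflection = classifyReflection(r.body, r.probe);
    const key = r.url + "\n" + r.probe;
    if (reflection === "absent" || seen.has(key)) continue;
    seen.add(key);
    findings.push({ url: r.url, probe: r.probe, reflection });
  }
  return findings;
}

// Constructed canary and sample responses (not captured from any real site).
const PROBE = `canary7f3a<'">`;
const SAMPLES: ProbeResult[] = [
  { url: "https://app.example/a?name=x", probe: PROBE, body: `<p>Hello canary7f3a<'"></p>` },
  { url: "https://app.example/b?name=x", probe: PROBE, body: `<p>Hello canary7f3a&lt;&#39;&quot;&gt;</p>` },
  { url: "https://app.example/c?name=x", probe: PROBE, body: `<p>Hello guest</p>` },
];
console.log(collectFindings(SAMPLES));
```

A `raw` result only shows that the metacharacters survived output encoding; whether the reflection is exploitable depends on the HTML context it lands in and still needs manual review.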