Automatic detection of XSS with Python

Here, we look at an approach for automatically detecting XSS in web applications using Python, BeautifulSoup, Selenium, and Phantomjs.

Let's install the dependencies by running the following commands:

pip install BeautifulSoup
pip install bs4
pip install selenium
sudo apt-get install libfontconfig
apt-get install npm
npm install ghostdriver
wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
tar xvjf phantomjs-2.1.1-linux-x86_64.tar.bz2
sudo cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/bin/
sudo cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/local/bin/

Let's understand the objective of each:

  • BeautifulSoup is a brilliant Python library that is required for web scraping and parsing web pages.
  • Selenium is an automation framework used for automatically testing web applications. Its functionality is particularly important in the security domain and is used for browser simulation and automatically traversing the workflows of a web application.
  • Phantomjs is a utility used for headless browsing. It performs all the activities of a browser without displaying one, running in the background instead, which makes it lightweight and very useful.

After installing Phantomjs, we need to execute the following command on the console: unset QT_QPA_PLATFORM. This is used to handle the error thrown by the Phantomjs version on Ubuntu 16.04, which is as follows: Message: Service phantomjs unexpectedly exited. Status code was: -6.

It should be noted that the objective of this exercise is to simulate normal user behavior and find the injection points within the web application. By injection points we mean all the input fields into which a user can supply input. To find them, we make use of the BeautifulSoup library: from the web page, we extract all fields whose type is text, password, or textarea. Once we have found the injection points, we use Selenium to enter our payload values into them. With the payload in place, we then locate the form's submit button, again with the help of BeautifulSoup. Finally, we pass the ID of the submit button to Selenium so that it clicks the button and submits the form.

The payload we will be using is <a href=#> Malicious Link XSS </a>. If the page actually creates this link, that is, the payload is rendered as a real anchor element rather than as escaped text, we can deduce that the website is vulnerable to XSS. It must also be noted that, after submitting the payload, we capture a screenshot of the web page to see whether the link was actually created, which will serve as a proof of concept.

It should be noted that we will demonstrate the proof of concept of our script on the DVWA application running locally at http://192.168.250.1/dvwa. As we know, the application requires the user to log in. We will first make our script log into the application automatically and then set the appropriate cookies and session. After logging in, we will navigate to the pages where XSS is present and carry out the operation described above. We will also update the cookie value and set security=low, which is required for XSS to be possible in the DVWA application. The same concept can be extended and applied to any web application, since we use a very generic approach of identifying the injection points and submitting a payload into them. Modify the script and extend it further as appropriate. I will be working toward the development of a fully-featured XSS detection tool on top of this script, which will be located on my GitHub repository. Please feel free to contribute to it.
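As an added example (not the book's script), here are the two pieces of the approach above that can be shown offline: enumerating a form's injection points and submit control, and checking whether the submitted payload came back as a real anchor element or as escaped text. It uses the standard library's html.parser instead of BeautifulSoup so it runs with no dependencies; the sample page and the two responses are constructed, not taken from DVWA.

```python
from html.parser import HTMLParser

# Payload from the text; MARKER is what we look for inside a rendered <a> element.
PAYLOAD = '<a href=#> Malicious Link XSS </a>'
MARKER = "Malicious Link XSS"


class FormScanner(HTMLParser):
    """Collect, per form, the text/password/textarea fields and the submit control."""
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name") or a.get("id")
        if tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": [], "submit": None}
            self.forms.append(self._form)
        elif self._form is not None:
            # <input> defaults to type=text, <button> defaults to type=submit
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if tag == "textarea" or (tag == "input" and kind in ("text", "password")):
                self._form["inputs"].append(name)
            elif tag in ("input", "button") and kind == "submit":
                self._form["submit"] = name

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def find_injection_points(html):
    scanner = FormScanner()
    scanner.feed(html)
    return scanner.forms


class AnchorFinder(HTMLParser):
    """True only if MARKER appears as text inside an <a>, i.e. the payload became markup."""
    def __init__(self):
        super().__init__()
        self._in_a, self.found = False, False

    def handle_starttag(self, tag, attrs):
        self._in_a = self._in_a or tag == "a"

    def handle_endtag(self, tag):
        self._in_a = self._in_a and tag != "a"

    def handle_data(self, data):
        # Escaped output (&lt;a ...&gt;) arrives here as text outside any <a>, so it does not count.
        self.found = self.found or (self._in_a and MARKER in data)


def payload_rendered_as_element(response_html):
    finder = AnchorFinder()
    finder.feed(response_html)
    return finder.found


# Constructed sample guestbook page with the fields the scanner should find (hidden input is skipped).
SAMPLE_PAGE = """<form action="/guestbook" method="post">
<input type="text" name="name"> <textarea name="message"></textarea>
<input type="hidden" name="token" value="x"> <input type="submit" name="sign" value="Sign">
</form>"""
# Constructed responses: one reflects the payload raw, the other HTML-escapes it.
VULNERABLE_RESPONSE = "<div class='entry'>Message: " + PAYLOAD + "</div>"
ESCAPED_RESPONSE = "<div class='entry'>Message: &lt;a href=#&gt; Malicious Link XSS &lt;/a&gt;</div>"
```

The same check is what the screenshot in the text gives a human reviewer: only the raw reflection produces an actual link, while the escaped response shows the payload as harmless text.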

In the next section, we'll take a look at extreme automation.
