基于JS的XSS扫描器——XSS Rays.

最近The Spanner发布了一个名为XSS Rays的 XSS漏洞扫描器。这tool有点意思，是使用JS写的，JS遍历目标的link、form，然后构造测试用例去测试，可以发现DOM的XSS（当然是在测试用例打对了的情况下）。它的调用方式也特别，在要测试的页面输入javascr ipt:等代码引入JS就好了，然后由引入的JS负责抓去url和测试。



这种思路非常值得学习。小规模单兵作战可以，大规模的话估计效率不高。当然，我觉得要解决DOM XSS最终还是要靠JS引擎-The XSS scanner based on JS- XSS Rays. The Spanner released recently called XSS Rays of the XSS vulnerability scanner. This tool bit mean, is written using JS, JS traverse target link, form, and then construct test cases to test, you can find the DOM XSS (of course, is playing in the test case on the circumstances). It calls in particular ways, to test the page, enter in the javascr ipt: and other JS code like the introduction, and then taken away by the responsible url JS introduced and tested. This idea is worth learning. Man operations to small-scale and large-scale, then estimate the efficiency is not high. Of course, I feel the need to solve the DOM XSS ultimately depend on JS engines