This repository contains a set of tests designed to check for potential reflected cross-site scripting (XSS) vulnerabilities in PHP pages, using the Behave testing framework.
The tests are implemented as Behave feature files and steps in Python. They simulate various potential XSS attacks, like injecting script tags via query parameters, and check whether these attacks succeed.
The repository also includes a Dockerfile that sets up a Docker container with PHP and Apache, and copies the pages under test into the web root directory.
- Docker: You can install Docker by following the instructions on the Docker website.
- Python: This project requires Python 3.11 or newer. You can download it from the Python website.
- Make:
  - On Linux, you can install Make with your package manager (e.g., sudo apt install make on Debian-based distributions).
  - On Windows, you can install Make with Chocolatey using choco install make.
- A web browser: The tests are designed to be run in a web browser. They have been tested in Firefox.
- Clone the repository:
    git clone https://github.com/Siponek/Reflected-Cross-Site-Scripting-Suite ./siponek-test-suite
- Navigate to the project directory:
    cd siponek-test-suite
- Install the Python requirements:
    make venv
    make install_reqs
- Start the Docker container:
    make up
- Run the tests:
    make run-behave
You can view the test results in the terminal. For more instructions check out the Makefile.
Each test is defined as a scenario in a .feature file, with the steps implemented in Python. The tests check for various potential XSS vulnerabilities. For example, the tests for echo-attr.php check whether it's possible to inject script tags via a query parameter.
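The check such a scenario has to make, as an added example (not the repository's own step code): a probe that shows up in the response is only a finding if the browser would parse it as markup rather than as escaped text. MARKER, PROBE and the two render_* functions are constructed stand-ins for a page that echoes a query parameter into an attribute value.

```python
import html
from html.parser import HTMLParser

MARKER = "xss-probe-7f3a"                   # constructed unique marker
PROBE = f'"><script>{MARKER}</script>'      # constructed query-parameter value

def render_unescaped(value):
    # Constructed stand-in for a page that echoes the parameter verbatim.
    return f'<input name="q" value="{value}">'

def render_escaped(value):
    # Same page with output encoding (comparable to htmlspecialchars() in PHP).
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

class ReflectionFinder(HTMLParser):
    """Records the parse context in which the marker appears."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.as_script = False   # marker parsed as <script> content
        self.as_text = False     # marker only in text or an attribute value

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        if any(MARKER in (value or "") for _, value in attrs):
            self.as_text = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if MARKER in data:
            self.as_script |= self.in_script
            self.as_text |= not self.in_script

def classify_reflection(body):
    """Return 'vulnerable', 'escaped' or 'not reflected' for a response body."""
    finder = ReflectionFinder()
    finder.feed(body)
    finder.close()
    if finder.as_script:
        return "vulnerable"
    return "escaped" if finder.as_text else "not reflected"

if __name__ == "__main__":
    for page in (render_unescaped, render_escaped):
        print(page.__name__, "->", classify_reflection(page(PROBE)))
```

Both constructed responses contain the marker string, so a plain substring match would flag the escaped page as well; parsing the body is what separates the two cases.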
Contributions are welcome! Please create a pull request with your changes.