
I am trying to create a client-side JavaScript tool that checks the input fields in a web page for DOM XSS vulnerabilities.

What I am doing right now is trying to find the elements inside the page with the input tag.

Then I am changing their value to some malicious string, say `alert("hi")`, then I want to simulate pressing the Enter key inside the input element so that it gets submitted. After that I will check whether my malicious script has been executed or not. I need to do this via JavaScript; is there any way to do this? I tried the following code but it does not seem to work.

```javascript
// Collect every <input> element in the page
var inputField = document.getElementsByTagNameNS("*", "input");

// Build a synthetic "keyup" event for the Enter key
var e = document.createEvent("KeyboardEvent");
if (e.initKeyboardEvent) {  // Chrome, IE
    e.initKeyboardEvent("keyup", true, true, document.defaultView, "Enter", 0,
        "", false, "");
} else { // Firefox
    e.initKeyEvent("keyup", true, true, document.defaultView, false, false,
        false, false, 13, 0);
}

// Dispatch the event on the first input
inputField[0].dispatchEvent(e);
```

It is not getting submitted. Currently I have to find the next input element that has the type "submit"; I am assuming this one is the submit part for the input field and doing a click() on it. But this approach is not foolproof: it might pick the wrong element and click on it. How should I do it?

Kindly help, stuck big time

Brian Tompsett - 汤莱恩
biswpo
  • Possible duplicate of [jquery (or pure js) simulate enter key pressed for testing](https://stackoverflow.com/questions/3276794/jquery-or-pure-js-simulate-enter-key-pressed-for-testing) – gforce301 Jun 20 '17 at 13:50
  • Why does it need to be a keypress? Just do `inputField[0].form.submit()`. No events required. – Bergi Jun 20 '17 at 13:55
  • Thanks a lot Bergi, you saved my day – biswpo Jun 20 '17 at 14:01
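
The approach from Bergi's comment, written out as an added example (not code from the original post or its comments): each input's owning form is resolved through its `form` property instead of guessing at a nearby submit button, and no synthetic key event is needed. The names `SKIP_TYPES`, `submitOwningForm` and `fillAndSubmit` and the marker string are hypothetical; use it only on pages you are testing yourself.

```javascript
// Added example; names are hypothetical, not part of any library.
// Script-created events have isTrusted === false, and browsers do not run the
// default action "Enter submits the form" for them, so no key event is used.
const SKIP_TYPES = new Set(["submit", "button", "reset", "image", "file",
                            "checkbox", "radio", "hidden"]);

// Submit the form that owns `input`.
function submitOwningForm(input) {
  const form = input.form; // owning <form>; also honours the form="id" attribute
  if (!form) return { submitted: false, via: null }; // input is not in any form
  if (typeof form.requestSubmit === "function") {
    form.requestSubmit(); // validates and fires "submit", so page handlers run
    return { submitted: true, via: "requestSubmit" };
  }
  form.submit(); // older engines: submits but does NOT fire "submit" handlers
  return { submitted: true, via: "submit" };
}

// Fill every text-like input with `marker`, then submit each owning form once.
// In a real page a submission may navigate away and end the script, so a tool
// would normally handle one form per page load.
function fillAndSubmit(inputs, marker) {
  const byForm = new Map(); // form -> first input seen in that form
  const orphans = [];       // inputs with no form: only script reads them
  for (const input of Array.from(inputs)) {
    const type = String(input.type || "text").toLowerCase();
    if (SKIP_TYPES.has(type) || input.disabled || input.readOnly) continue;
    input.value = marker;
    if (!input.form) orphans.push(input);
    else if (!byForm.has(input.form)) byForm.set(input.form, input);
  }
  const results = [];
  for (const input of byForm.values()) results.push(submitOwningForm(input));
  return { results, orphans };
}

// Browser usage (marker is an inert, constructed test string):
//   fillAndSubmit(document.querySelectorAll("input"), "dom-test-marker");
```

Inputs reported in `orphans` have no form to submit; their values are read by page script directly, so they need a different trigger than form submission.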
