我正试图使用PhantomJS循环浏览几个URL,打开页面并检查其中任何页面是否有警报。我还在打印发生警报的页面的URL。
代码如下:
var page = require('webpage');
var u = ["http://127.0.0.1/DVWA-1.0.8/vulnerabilities/xss_r/?name=<SCRIPT>alert('XSS');</SCRIPT>", "http://127.0.0.1/DVWA-1.0.8/vulnerabilities/xss_r/?name=abcd"]
var url = "";
for(var i = 0; i < u.length; i++) {
url = u[i];
var webpage = page.create();
phantom.addCookie({
'name':'PHPSESSID',
'value':'00885b45d9ddda3e757371b177c5959b',
'domain':'127.0.0.1'
});
webpage.onAlert = function(alertMessage){
console.log("Alert URL: " + webpage.url);
console.log("Alert occured with message: " + alertMessage);
}
webpage.open(url, function (status) {
console.log("Opening URL: " + webpage.url);
phantom.exit();
});
}
我希望输出的部分是:
Alert URL: http://127.0.0.1/DVWA-1.0.8/vulnerabilities/xss_r/?name=<SCRIPT>alert('XSS');</SCRIPT>
Alert occured with message: XSS
但相反,它每次都不同,并显示不正确的输出,如:
Alert URL: http://127.0.0.1/DVWA-1.0.8/vulnerabilities/xss_r/?name=abcd
Alert occured with message: XSS
出现这种情况似乎是因为回调的并发性。
有没有一种方法可以处理这个问题,以确保输出符合预期?或者这个图书馆不应该这样使用吗?我应该试试别的吗?
您在循环中创建了一个新页面,就PhantomJS运行时而言,它本质上是一个新选项卡。它将同时执行。为了增加脚本的结构和可复制性,您需要编写一些链接。
像这样的东西应该起作用:
var page = require('webpage');
var u = ["http://127.0.0.1/DVWA-1.0.8/vulnerabilities/xss_r/?name=<SCRIPT>alert('XSS');</SCRIPT>", "http://127.0.0.1/DVWA-1.0.8/vulnerabilities/xss_r/?name=abcd"]
function each(list, func, done){
var len = list.length,
previous = done;
for(var i = len - 1; i >= 0; i--) {
(function(item, done){ // IIFE
previous = function(){
func(item, done);
};
})(list[i], previous);
}
previous(); // start the chain
}
each(u, function(url, done){
var webpage = page.create();
phantom.addCookie({
'name':'PHPSESSID',
'value':'00885b45d9ddda3e757371b177c5959b',
'domain':'127.0.0.1'
});
webpage.onAlert = function(alertMessage){
console.log("Alert URL: " + webpage.url);
console.log("Alert occured with message: " + alertMessage);
}
webpage.open(url, function (status) {
console.log("Opening URL: " + webpage.url);
done();
});
}, function(){
phantom.exit();
});