M4cs / traxss

traxss | Automated XSS Vulnerability Scanner Currently In Development :snake: HACKTOBERFEST PROJECT 2019
MIT License
179 stars 49 forks

Optimize Selenium HTML XSS Scans #1

Open M4cs opened 5 years ago

M4cs commented 5 years ago

The current method of manually rendering the DOM and testing XSS is bad. I need a better way of doing it. If you would like a good hacktoberfest project and first issue take this on!

TotallyNotChase commented 5 years ago

Hello, could you elaborate a bit?

Which part of your code needs tweaking exactly and how'd you like it to be?

M4cs commented 5 years ago

@TotallyNotChase the block of code below here. It's supposed to be inputting the payloads into input and textarea elements and then finding a submit button and clicking but I don't believe it's the correct way or the best way of doing it. I need a more optimized, correct way of doing this DOM injection.

TotallyNotChase commented 5 years ago

Yep! You are correct, iterating through everything is a bad idea indeed. I'll give it a go, I'll update you on any progress :)

M4cs commented 5 years ago

Thanks mate!

TotallyNotChase commented 5 years ago

Alright, I made it so that the list only consists of the tags you require and that should cut down on delay significantly. Here's how it works:

[image]

As you can see, in the first line, it will only select the elements your code requires. I also made it use an explicit wait instead of an implicit wait because implicit wait might be unpredictable.

However, I still think we can optimize this more, if you're fine with what we have right now, I suggest we merge it and then keep working on it. I want to understand some of the things in the code first though, so if you could help me with that that'd be super cool!

TotallyNotChase commented 5 years ago

Also, I just checked the last commit on the master branch, this indentation seems crooked, what's up with that? [image] Shouldn't all those if and try statements be inside the elements loop?

M4cs commented 5 years ago

Yes they should be

TotallyNotChase commented 5 years ago

@M4cs I noticed you merged my PR, thanks! I think we might still be able to improve on this though. Can you tell me what the purpose of using the new = driver.find_element_by_css_selector('button').click() inside the try block in the input or textarea block is?

M4cs commented 5 years ago

That's a really bad way of trying to test a submit button. Need to improve that as well.

TotallyNotChase commented 5 years ago

That's not gonna work at all though since it's only gonna find the first element in the whole DOM with the button tag, so at the moment, that achieves nothing. I'll look into that.

I'd also like to restructure the inner loop block (i.e. the try and if statements) if you're fine with that. I'll make sure it does nothing less than it already does though :)

M4cs commented 5 years ago

Yes please. I just want some reliable way of emulating manual input and clicks. Hard without target classes/ids. Maybe add a menu option for that?

TotallyNotChase commented 5 years ago

I think adding a menu option would be rather un-intuitive. I'm looking into correctly approximating the correct submit button, have some ideas off the top of my head, I'll see how far we can take it. I'll update you on the progress!

One thing that I REALLY need to know though, what happens when the form gets submitted? For instance, let's say the id.send_keys(Keys.ENTER) works correctly and submits the form, couldn't the resulting webpage be completely new sometimes? Which would invoke StaleElementException every time, hence wasting time and resources?

Sorry if I misunderstand, I just kinda need to know how it works haha

M4cs commented 5 years ago

The driver.switch_to.alert.text confirms a JavaScript alert has triggered. Currently the scanners are just looking for that.

We need to add reflective scanning for something like a bold script injector. (i.e )
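The three problems raised in this thread (a submit button scoped to the field's own form rather than the first button in the DOM, elements going stale after a submit, and reflective scanning alongside the alert check) can be handled together. The following is an added example written for this issue, not code from traxss or its contributors. It assumes Selenium 4 (for `EC.any_of`), a `driver` already opened on a page you are authorised to test, a 10 second explicit wait, and a unique per-submission marker wrapped in a harmless `<b>` tag instead of the project's own payload list; the helper names (`field_locator`, `make_marker`, `reflection_state`, `probe_fields`) are this example's own. The pure helpers at the top run without Selenium installed; only `probe_fields` needs a browser.

```python
"""Form-scoped input probing with Selenium (added example, not traxss code).

Assumptions not taken from the thread: Selenium 4, a WebDriver already on the
page under test, a 10 s explicit wait, and a <b>-wrapped unique marker in
place of the project's payload list. The alert check is the one the thread
already uses; the reflection check is the "reflective scanning" asked for.
"""
import re
import uuid

# Plain strings equal to Selenium's By.ID / By.CSS_SELECTOR values, so the
# helpers below import and run even when Selenium is not installed.
BY_ID, BY_CSS = "id", "css selector"

# Input types worth typing into; submit, hidden, checkbox etc. are skipped.
TYPEABLE = {"text", "search", "email", "url", "tel", "password", "", None}


def field_locator(tag, attrs):
    """Return a (by, value) locator that survives a page reload, or None.

    After a submit the old WebElement is stale, so the caller re-finds the
    field by a stable attribute instead of holding the element reference.
    """
    if tag == "input" and attrs.get("type") not in TYPEABLE:
        return None
    if attrs.get("id"):
        return (BY_ID, attrs["id"])
    if attrs.get("name"):
        return (BY_CSS, f'{tag}[name="{attrs["name"]}"]')
    return None


def make_marker():
    """Unique token inside a harmless tag: 6 + 12 + 4 = 22 characters.
    If it comes back unencoded, the page echoed our input without escaping."""
    return f"<b>trx{uuid.uuid4().hex[:12]}</b>"


def reflection_state(page_source, marker):
    """'unescaped' if the literal marker (tag included) is in the DOM,
    'escaped' if only the encoded or tag-stripped token is, else 'absent'."""
    if marker in page_source:
        return "unescaped"
    token = re.sub(r"</?b>", "", marker)  # bare token, e.g. trx0123abcd4567
    if token in page_source:
        return "escaped"
    return "absent"


def probe_fields(driver, timeout=10):
    """Type a marker into each typeable field, submit through that field's own
    form, and record either an alert or the reflection state per field."""
    from selenium.common.exceptions import (NoAlertPresentException,
                                            NoSuchElementException,
                                            TimeoutException)
    from selenium.webdriver.common.by import By
    from selenium.webdriver.common.keys import Keys
    from selenium.webdriver.support import expected_conditions as EC
    from selenium.webdriver.support.ui import WebDriverWait

    start_url = driver.current_url
    wait = WebDriverWait(driver, timeout)

    # Only the tags the scan needs, and only stable locators: the WebElements
    # themselves go stale as soon as a form navigates.
    locators = []
    for el in driver.find_elements(By.CSS_SELECTOR, "input, textarea"):
        attrs = {k: el.get_attribute(k) for k in ("id", "name", "type")}
        loc = field_locator(el.tag_name, attrs)
        if loc:
            locators.append(loc)

    results = {}
    for by, value in locators:
        driver.get(start_url)  # fresh DOM for every field
        field = wait.until(EC.element_to_be_clickable((by, value)))
        marker = make_marker()
        field.clear()
        field.send_keys(marker)
        try:
            # Submit control scoped to the field's own <form>, not the first
            # <button> anywhere in the document.
            form = field.find_element(By.XPATH, "ancestor::form[1]")
            form.find_element(
                By.CSS_SELECTOR,
                "button[type=submit], input[type=submit], button:not([type])",
            ).click()
        except NoSuchElementException:
            field.send_keys(Keys.ENTER)  # no form or button: submit with Enter
        try:
            # Navigation (field goes stale) or an alert, whichever is first;
            # an in-page XHR submit gives neither, so fall through on timeout.
            wait.until(EC.any_of(EC.staleness_of(field), EC.alert_is_present()))
        except TimeoutException:
            pass
        try:
            alert = driver.switch_to.alert
            results[value] = ("alert", alert.text)
            alert.accept()  # dismiss so the next driver.get() is not blocked
            continue
        except NoAlertPresentException:
            pass
        results[value] = (reflection_state(driver.page_source, marker), marker)
    return results
```

Collecting locators before typing anything is what avoids the StaleElementException raised in the thread: each iteration reloads the start page and re-finds the field, so a form that navigates to a new page costs one reload rather than a crash. The `any_of` wait covers both outcomes the thread describes (new page or JavaScript alert) and times out cleanly for forms that submit in place.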