I recently finished beta 1 of my script inj.py, which helps identify vulnerabilities in remote JavaScript functions. The script accepts either a domain or a `.js` file as an argument ($1) and scans for dangerous JavaScript methods that could be exploited.
### **Dangerous JavaScript Sources Detected by inj.py**
The script checks for high-risk methods such as:
```python
dangerous_sources = [
    "document.URL",
    "document.location",
    "window.location",
    "document.cookie",
    "localStorage.getItem",
    "sessionStorage.getItem",
    "innerHTML",
    "outerHTML",
    "document.write",
    # ... and more
]
```
### **How to Use inj.py**
1. **Download the script**:
```bash
wget https://raw.githubusercontent.com/Hackertips-today/infosec/refs/heads/main/inj3.py -O inj.py
```
2. **Make it executable**:
```bash
chmod +x inj.py
```
3. **Run the script against a target**:
```bash
python3 inj.py https://somesite.com
```
or scan a local `.js` file:
```bash
python3 inj.py /path/to/file.js
```
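To show what a scanner of this kind actually does with the source list above, here is a small added example (my own illustration, not the inj.py code from the repository). It splits the names into sources (attacker-influenced input) and sinks (places where that input becomes markup or code), reports each hit with its line number, and rates a line that contains both a source and a sink higher than either alone, since that is the shape of the `eval(location.hash...)` pattern discussed later. The split into sources and sinks, the severity levels, the `location.hash` and `eval(` entries, and the embedded sample JavaScript are all assumptions of this example; it only reads local files and does not fetch a domain.

```python
import re
import sys
from pathlib import Path

# Names from the post's dangerous_sources list, split by role. The split and the
# extra entries ("location.hash", "eval(") are this example's assumption.
DANGEROUS_SOURCES = [
    "document.URL", "document.location", "window.location", "location.hash",
    "document.cookie", "localStorage.getItem", "sessionStorage.getItem",
]
DANGEROUS_SINKS = ["innerHTML", "outerHTML", "document.write", "eval("]

# Constructed sample input, not taken from any real site.
SAMPLE_JS = """\
// constructed sample, not from any real site
var q = document.URL;
document.getElementById('out').innerHTML = q;
eval(location.hash.substring(1));
var safe = document.createTextNode(q);
"""


def _compile(names):
    # The negative look-behind stops identifiers such as "myinnerHTML" from matching.
    return [(n, re.compile(r"(?<![\w$])" + re.escape(n))) for n in names]


SOURCE_PATTERNS = _compile(DANGEROUS_SOURCES)
SINK_PATTERNS = _compile(DANGEROUS_SINKS)


def scan_js(source, filename="<inline>"):
    """Return one finding dict per dangerous name per line of JavaScript."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):  # crude filter: skip line comments
            continue
        sources = [n for n, p in SOURCE_PATTERNS if p.search(line)]
        sinks = [n for n, p in SINK_PATTERNS if p.search(line)]
        # A source and a sink on one line is the classic DOM XSS shape; rate it
        # above a bare sink, which in turn rates above a bare source.
        if sources and sinks:
            severity = "high"
        elif sinks:
            severity = "medium"
        else:
            severity = "low"
        for name in sources:
            findings.append({"file": filename, "line": lineno, "name": name,
                             "kind": "source", "severity": severity})
        for name in sinks:
            findings.append({"file": filename, "line": lineno, "name": name,
                             "kind": "sink", "severity": severity})
    return findings


def severity_counts(findings):
    """Tally findings by severity so a report can be summarised at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def format_report(findings):
    """Render findings as file:line lines, the way a grep-style tool would."""
    rows = [f"{f['file']}:{f['line']}: [{f['severity']}] {f['kind']} {f['name']}"
            for f in findings]
    return "\n".join(rows) if rows else "no dangerous methods found"


if __name__ == "__main__":
    # Usage: python3 scan.py path/to/file.js  (with no argument the sample is scanned)
    if len(sys.argv) > 1:
        path = Path(sys.argv[1])
        results = scan_js(path.read_text(encoding="utf-8", errors="replace"), str(path))
    else:
        results = scan_js(SAMPLE_JS, "sample.js")
    print(format_report(results))
    print(severity_counts(results))
```

Run without arguments it reports the `document.URL` read on line 2 as low, the `innerHTML` assignment on line 3 as medium, and both halves of line 4 as high. Every hit is still only a string match: a name inside a string literal or a block comment will be reported too, so, as the post says, each finding needs manual verification.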
### **You Should Know: Practical Security Testing with inj.py**
- Check for DOM-Based XSS: Inspect `innerHTML` and `document.write` usage.
- Cookie Manipulation: Detect insecure `document.cookie` handling.
- Local Storage Risks: Identify `localStorage`/`sessionStorage` leaks.
- URL-Based Attacks: Monitor `window.location` and `document.URL` usage.
#### **Example Exploitation (For Educational Purposes)**
If a site uses `eval(location.hash.substring(1))`, an attacker could craft:
```
https://vulnerable-site.com/#alert('XSS')
```
#### **Mitigation Steps**
- Sanitize inputs with libraries like DOMPurify.
- Use Content Security Policy (CSP) headers:
  ```
  Content-Security-Policy: script-src 'self'
  ```
- Avoid `eval()` and unsafe DOM methods.
### **What Undercode Say**
This tool is invaluable for bug hunters and penetration testers. Always verify findings manually to avoid false positives. Enhance your scans with:
```bash
curl -s http://target.com | grep -E "document.write|innerHTML"
```
For deeper analysis, combine with Burp Suite or OWASP ZAP.
### **Expected Output:**
A report listing vulnerable JS methods and their locations, aiding in securing web applications.
**Reference:**
Reported By: Activity 7311374743285223425 – Hackers Feeds