Well, to be clear about my exact requirement: I want to implement a DOM-based XSS scanner using PhantomJS, because the only way to test for DOM-XSS is to execute the JS in the payloads. Just to be more explanatory, I want to test for DOM-based Cross Site Scripting vulnerabilities. For example, consider the following vulnerable scripts:
------START OF VULNERABLE CODE #2------
function timedMsg(callback)
{
    if(callback){
        // sink: a string passed to setTimeout is evaluated as code
        var t=setTimeout(callback,1000);
        return 0;
    }
}
function fire()
{
    // source: attacker-controlled fragment, passed straight to the sink
    var call = location.hash.split("#")[1];
    timedMsg(call);
}
------END OF VULNERABLE CODE #2------
------START OF VULNERABLE CODE #3------
<script type="text/javascript">
    // source: the fragment; sink: the href attribute of the anchor
    var redir = location.hash.split("#")[1];
    x = document.getElementById('anchor');
    x.setAttribute('href',redir);
</script>
------END OF VULNERABLE CODE #3------
So in the above examples I have listed the vulnerable functions as well as their corresponding payloads, which will let you test the XSS condition in the browser. But if you try to access the page with PhantomJS, for example,
http://domain.com/page.html#<script>alert(1)</script> (Payload #1) will become
www.domain.com/page.html#%3cscript%3ealert(1)%3c/script%3e, and this doesn't execute the JavaScript payload, so the test will fail. And I can't do a decodeURIComponent because I'm just testing the pages for the existence of this vulnerability. Hope someone gets what I'm trying to say. I know this can be easily done with a browser add-on, but I want to research a server-side automated solution. As a workaround I coded another page, let's call it the "loader" page, like this:
<body>
<script>
    // fragment is "<encoded target url>|<encoded vector>"
    var param=decodeURIComponent(location.hash.split("#")[1]);
    var url=decodeURIComponent(param.split("|")[0]);
    var vector=decodeURIComponent(param.split("|")[1]);
    // navigate to the target page with the vector as its fragment
    document.location=url+"#"+vector;
</script>
</body>
Though this works in the browser, it isn't working quite well within PhantomJS. And yeah, the alert(1) is just an example; I will be using a proxied function. Any help would be really really appreciated.
Thanks,
Nishant
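Added example, not part of Nishant's post or his code: the two sinks from the post (a fragment string reaching setTimeout, and a fragment reaching an href attribute) rewritten in hardened form, with the fragment decoded the way PhantomJS percent-encodes it, so the source/sink logic can be run under Node without a browser. The hash argument stands in for window.location.hash; the callback table, the page URL https://example.test/page.html and the allowed-origin list are constructed for the example.

```javascript
// Added example (not from the original post). Hardened versions of the two
// DOM-XSS sinks shown in the post. `hash` stands in for window.location.hash
// so the functions can be exercised under Node; CALLBACKS, the page URL and
// the allowed origins used in tests are constructed for this example.

// Mirror of the post's `location.hash.split("#")[1]` source, with the
// percent-encoding PhantomJS applies to the fragment undone. A malformed
// %-sequence yields "" instead of throwing a URIError into the page.
function fragmentOf(hash) {
  var raw = (hash || "").split("#")[1] || "";
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return "";
  }
}

// Hardened form of vulnerable code #2. The fragment is never handed to
// setTimeout as a string (which would be evaluated as code); it only selects
// an entry from a fixed table of named callbacks. hasOwnProperty keeps
// names such as "constructor" from reaching Object.prototype.
var CALLBACKS = {
  welcome: function () { return "welcome shown"; },
  refresh: function () { return "refreshed"; }
};

function timedMsg(callback) {
  if (typeof callback === "function") {
    setTimeout(callback, 1000);
    return 0;       // scheduled
  }
  return -1;        // nothing scheduled: unknown or missing callback name
}

function fireSafe(hash) {
  var name = fragmentOf(hash);
  var cb = Object.prototype.hasOwnProperty.call(CALLBACKS, name) ? CALLBACKS[name] : null;
  return timedMsg(cb);
}

// Hardened form of vulnerable code #3. The fragment is parsed as a URL
// relative to the current page and accepted for an href only if it is
// http(s) on an allowed origin. "javascript:", "data:", protocol-relative
// and cross-origin targets all come back as null.
function safeHref(hash, pageUrl, allowedOrigins) {
  var candidate = fragmentOf(hash);
  if (!candidate) return null;
  var parsed;
  try {
    parsed = new URL(candidate, pageUrl);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  if (allowedOrigins.indexOf(parsed.origin) === -1) return null;
  return parsed.href;
}

// Applies safeHref to an anchor element (anything with setAttribute /
// removeAttribute). A rejected target leaves the link inert rather than
// attacker-controlled; returns whether an href was set.
function setAnchor(anchor, hash, pageUrl, allowedOrigins) {
  var href = safeHref(hash, pageUrl, allowedOrigins);
  if (href === null) {
    anchor.removeAttribute("href");
    return false;
  }
  anchor.setAttribute("href", href);
  return true;
}
```

The allowlist-of-callbacks pattern replaces the string-to-setTimeout sink entirely, so the encoded payload from the post simply fails the lookup; the URL check relies on the WHATWG parser (global URL in Node and browsers) to decide the scheme and origin rather than on string matching, which is what catches `//evil.test/x` and percent-encoded absolute URLs alike.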