Force raw URL fragment while accessing through PhantomJS


Nishant Das Patnaik

Oct 17, 2012, 5:35:16 AM
to phan...@googlegroups.com
Hello All,

My name is Nishant. I'm new to PhantomJS. I'm trying to use PhantomJS for some research. I wanted to figure out whether there is a way I can force PhantomJS *not to* URL-encode the URL I'm trying to access, especially the URL fragment part. For example, for my automation I need the following:

"http://www.some.domain.com/path/page.html#some value's here", which PhantomJS encodes to "http://www.some.domain.com/path/page.html#some%20value%27s%20here" and then accesses the page. Is there a way to stop this behavior?

Any guidance will really help.

Thanks
Message has been deleted

James Greene

Oct 19, 2012, 1:21:07 PM
to phan...@googlegroups.com
Well, I'm not sure why my answer got deleted, but here goes again...

That's pretty standard browser behavior from what I recall, isn't it?

Anyway, you can easily get the value you want back by calling decodeURIComponent on the hash where needed:

window.location.hash
"#some%20value%27s%20here"

decodeURIComponent(window.location.hash)
"#some value's here"

decodeURIComponent(window.location.hash.substring(1))
"some value's here"

~~James

Nishant Das Patnaik

Oct 21, 2012, 4:00:49 AM
to phan...@googlegroups.com
Well, to be clear about my exact requirement: I want to implement a DOM-based XSS scanner using PhantomJS, because the only way to test for DOM-XSS is to execute the JS in the payloads. To be more explicit, I want to test for DOM-based Cross-Site Scripting vulnerabilities. For example, consider the following vulnerable scripts:

------START OF VULNERABLE CODE #1------
<script>
// Source: everything after the first "#" in the URL.
// Sink: document.write() inserts it as HTML, so markup in the fragment is parsed and run.
var param = location.hash.split("#")[1];
document.write("Hello " + param + "!");
</script>
-----END OF VULNERABLE CODE #1------
Payload #1: www.domain.com/page.html#<script>alert(1)</script>


------START OF VULNERABLE CODE #2------
<script>
// Sink: a string passed to setTimeout() is evaluated as JavaScript after the delay,
// so a fragment containing code runs once timedMsg() receives it.
function timedMsg(callback)
{
if(callback){
var t=setTimeout(callback,1000);
return 0;
}
}
function fire()
{
// Source: the part of the URL after the first "#".
var call = location.hash.split("#")[1];
timedMsg(call);
}
fire(); // entry point (assumed: the snippet as posted never calls fire())
</script>
------END OF VULNERABLE CODE #2------

------START OF VULNERABLE CODE #3------
<script type="text/javascript">
// Source: the fragment after the first "#".
// Sink: the href attribute of the element with id "anchor" (assumed to exist
// earlier in the document). A fragment such as "javascript:..." becomes a link
// that runs code when the user follows it.
var redir = location.hash.split("#")[1];
var x = document.getElementById('anchor');
x.setAttribute('href',redir);
</script>
------END OF VULNERABLE CODE #3------


So in the above examples I have listed the vulnerable functions as well as their corresponding payloads, which will let you test the XSS condition in the browser. But if you try to access the page with PhantomJS, for example http://domain.com/page.html#<script>alert(1)</script> (Payload #1) becomes www.domain.com/page.html#%3cscript%3ealert(1)%3c/script%3e. This doesn't execute the JavaScript payload, so the test fails. And I can't do a decodeURIComponent, because I'm just testing the pages for the existence of this vulnerability. I hope someone gets what I mean. I know this can easily be done with a browser add-on, but I want to research a server-side automated solution. As a workaround I coded another page, let's call it a "loader" page, like this:

<body>
<script>
// Take the loader's own fragment and undo the percent-encoding the engine applied.
var param=decodeURIComponent(location.hash.split("#")[1]);
// Format: <target url>|<payload>. Each half is decoded once more, which is a
// no-op unless the caller encoded it separately.
var url=decodeURIComponent(param.split("|")[0]);
var vector=decodeURIComponent(param.split("|")[1]);
// Navigate to the target with the raw payload as its fragment.
document.location=url+"#"+vector;
</script>
</body>


And from PhantomJS I would call something like this: page.open("http://domain.com/loader.html#http://otherdomain.com/vulnpage.html|<script>alert(1)</script>", function(...

Though this works in the browser, it isn't working quite well within PhantomJS. And yeah, the alert(1) is just an example; I will be using a proxied function. Any help would be really, really appreciated.

Thanks
Nishant
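The encoding problem and the loader workaround described in the post above, as an added example that is not part of this thread and not PhantomJS's own code. The pure functions model the fragment encoding the thread reports (space, quote, `<` and `>` percent-encoded; `(`, `)` and `/` kept); that a `%` already present in the fragment passes through unchanged is an assumption, since the thread never shows one. The loader round trip encodes both halves once with encodeURIComponent, so a `|` or `#` inside the payload cannot break the split, and the loader-side parser accepts the separator as either `|` or `%7C`. `scanWithPhantom` uses PhantomJS's `webpage` and `system` modules (`page.onInitialized`, `page.evaluate`, `page.onAlert`, `page.open`, `page.url`) to install a reporting function before any page script runs and to record whether the payload called it; the loader and target URLs, the `__xssProbe` name and the 1.5 s wait are assumptions, and whether PhantomJS re-encodes the fragment again on the loader's second navigation is the open question of the thread, which this example does not settle.

```javascript
// Added example, not code from the thread or from PhantomJS itself.
// The pure helpers run under Node or PhantomJS; scanWithPhantom() only runs
// inside PhantomJS (guarded by typeof phantom at the bottom).

// Characters assumed to pass through PhantomJS's fragment encoding untouched.
// The thread shows space, "'", "<" and ">" being percent-encoded and "(", ")"
// and "/" kept. "%" passing through unchanged is an ASSUMPTION.
var PASS_THROUGH = /[A-Za-z0-9\-._~!$&()*+,;=:@\/?%]/;

// Approximation of what PhantomJS does to a raw fragment before loading it.
function encodeFragmentLikePhantom(fragment) {
  var out = '';
  for (var i = 0; i < fragment.length; i++) {
    var c = fragment.charAt(i);
    if (PASS_THROUGH.test(c)) {
      out += c;
    } else if (c.charCodeAt(0) < 128) {
      out += '%' + ('0' + c.charCodeAt(0).toString(16).toUpperCase()).slice(-2);
    } else {
      out += encodeURIComponent(c); // non-ASCII: UTF-8 percent-encoding
    }
  }
  return out;
}

// Everything after the first "#", i.e. what location.hash.split("#")[1] yields.
function fragmentOf(url) {
  var i = url.indexOf('#');
  return i < 0 ? '' : url.slice(i + 1);
}

// The URL PhantomJS would actually load when handed a raw URL with a fragment.
function asPhantomLoads(url) {
  var i = url.indexOf('#');
  return i < 0 ? url : url.slice(0, i + 1) + encodeFragmentLikePhantom(url.slice(i + 1));
}

// Loader URL: both halves are encodeURIComponent()-ed once, so "|" or "#" in
// the payload cannot break the split, and every "%XX" present is one that
// decodeURIComponent() on the loader side will undo.
function buildLoaderUrl(loaderUrl, targetUrl, payload) {
  return loaderUrl + '#' + encodeURIComponent(targetUrl) + '|' + encodeURIComponent(payload);
}

// What a loader page should do with its own location.hash. The separator may
// arrive as "|" or as "%7C" if the engine encoded it; only the first one counts.
function parseLoaderHash(hash) {
  if (hash.charAt(0) === '#') hash = hash.slice(1);
  var m = /\||%7C/i.exec(hash);
  if (!m) throw new Error('loader hash has no target|payload separator');
  var target = decodeURIComponent(hash.slice(0, m.index));
  var payload = decodeURIComponent(hash.slice(m.index + m[0].length));
  return { target: target, payload: payload, url: target + '#' + payload };
}

// Whole round trip under the modelled encoding: build the loader URL, apply the
// fragment encoding PhantomJS would, then parse it the way the loader page would.
function loaderRoundTrip(loaderUrl, targetUrl, payload) {
  return parseLoaderHash(fragmentOf(asPhantomLoads(buildLoaderUrl(loaderUrl, targetUrl, payload))));
}

// PhantomJS driver. Rather than relying on a visible alert(), it installs a
// "proxied" reporting function before any page script runs and treats a call
// to it (or to alert) as proof that the payload executed.
function scanWithPhantom(loaderUrl, targetUrl, payload, done) {
  var page = require('webpage').create();
  var fired = false, reported = false;
  page.onAlert = function (msg) { fired = true; };
  page.onInitialized = function () {            // runs before the document's own scripts
    page.evaluate(function () {
      window.__xssProbe = function (tag) { alert('xss-probe:' + tag); };
    });
  };
  page.open(buildLoaderUrl(loaderUrl, targetUrl, payload), function (status) {
    if (reported) return;                        // the callback can fire again after the loader's redirect
    reported = true;
    // The loader navigates on to target#payload; give that document's scripts time to run.
    setTimeout(function () { done(status, fired, page.url); }, 1500);
  });
}

if (typeof phantom !== 'undefined') {
  var args = require('system').args;   // usage: phantomjs scan.js LOADER_URL TARGET_URL [PAYLOAD]
  scanWithPhantom(args[1], args[2], args[3] || '<script>__xssProbe(1)</script>', function (status, fired, url) {
    console.log(status + ': ' + (fired ? 'payload executed' : 'no execution') + ' at ' + url);
    phantom.exit(fired ? 1 : 0);
  });
}
```

The loader page that pairs with `buildLoaderUrl` needs only `var r = parseLoaderHash(location.hash); document.location = r.url;` in its script. Under Node the block loads without side effects and the helpers can be exercised directly; under PhantomJS the driver exits with status 1 when the probe or alert fired, which is easier to consume from a server-side scanner than a dialog.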

James Greene

Oct 21, 2012, 10:11:30 AM
to phan...@googlegroups.com
That's a very interesting test scenario! Unfortunately, I personally do not know how/where URL handling works in PhantomJS. I'm assuming we are just deferring to QtWebKit, but it is possible that our custom extension of QWebPage is messing something up or not implementing something it needs to. I'll have to defer this one to someone more immediately familiar with the inner workings. Sorry!
~~James

kin...@gmail.com

Jul 20, 2016, 4:30:44 AM
to phantomjs
Is there any way to solve this issue?

PhantomJS works differently from Chrome or other modern browsers.