我在节点中有一个Web服务器。在服务器端,我要检查XSS。我也用硒。这是代码的一部分
/* global */
const webdriver = require('selenium-webdriver')
const By = require('selenium-webdriver')
const firefox = require('selenium-webdriver/firefox')
var options = new firefox.Options();
options.addArguments('-headless');
var path = require('geckodriver').path;
let driver = new webdriver.Builder()
//.forBrowser('firefox')
.withCapabilities({'browserName': 'firefox',
'UNHANDLED_PROMPT_BEHAVIOR': 'IGNORE'})
.setFirefoxOptions(options)
.build();
/*xss page render*/
router.get('/xss1', function(req, res) {
var payload;
if(req.query.payload && req.query.payload.length > 0){
payload = filterXSS1(req.query.payload); //no infinite loop
checkXSS(payload)//loops making same GET requests
}
else {
payload = "";
}
res.setHeader('X-XSS-Protection', '0');
res.render('/xss', { 'title': 'XSS',
'payload': payload
});
});
/*Selenium to check alert. infinite loop*/
function checkXSS(payload) {
console.log('checking payload')
var url = '<url>?payload=' + payload
driver.get(url).catch(function(error){
console.log(error)
});
}
问题是,如果有效载荷不是XSS,则应用程序会陷入无限循环,并发出相同的GET请求。如果它是XSS有效负载,它将抛出异常并等待下一个请求。我想这与硒driver.get行为有关。但是我该如何处理呢?