This tool is designed to help penetration testers to access a large number of anchor paths in the JS and other files of a website in bulk, and to take screenshots of all anchor pages, and finally output reports through html files.
pip install -r requirements.txt
git clone https://github.com/BetterDefender/anchorScan.git
Since this tool uses Selenium to set up a headless browser, you will need to install a browser driver called Chrome Headless before you can use it.
For Windows:
- Install the latest version of Chrome browser on your computer
- Download Chrome Headless driver at http://chromedriver.chromium.org/downloads
- Decompress the downloaded zip file
- Add the extracted folder to the environment variables for easy invocation in the command line
For Mac:
- Open a terminal.
- Use the following command to install Homebrew.(Skip this step if already installed)
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- Install Chrome using the following command. (Skip this step if already installed)
brew cask install google-chrome
- Install the Chrome Headless driver using the following command.
brew install chromedriver
For Linux:
Download Chrome Headless driver at http://chromedriver.chromium.org/downloads.
To install the Chrome Headless driver on your Linux system, the following conditions need to be met.
- You already have Google Chrome installed on your Linux system.
- You have downloaded the latest version of Chrome Headless driver.
Then, you can follow the steps below to install the Chrome Headless driver.
- Extract the downloaded driver file to your preferred directory.
- Go to the extracted directory and add the driver to the system path using the following command.
sudo mv chromedriver /usr/local/bin/chromedriver
- Use the following command to grant execute privileges.
sudo chmod +x /usr/local/bin/chromedriver
python3 anchorScan.py -u http://www.example.com/abc/#/
-u
Target Site,URL to scan
-t
Timeout in seconds,Default is 3 seconds
The uri.txt file needs to be filled in with the anchor points that need to be accessed.
For example:
/test/edit
/test/view
/test/add
When the script is executed, the page will automatically survive the report in html format in the reports directory,screenshots will be saved in the images folder.
HTML report:
- URL access requires a incognito browser window, otherwise the target anchor point may not be accessed properly.
- You can also open the specified anchor page by typing 'windows.location.hash' into the console in the incognito window.