XSpear 1.1.5 → 1.1.6

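--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: cfc44f2d92f1b26e5d333eeb40c8d6ec91f18acb718a91fa034d3ca69682dbf0
- data.tar.gz: ac964e34502fd47bad4e4eafa0e7ae58505a67de2f47d2ddce1e2606607570db
+ metadata.gz: 5011ecb6f122ed96cc433874fb2199067b1c699e6e435e4d691d8b0ef887e3d8
+ data.tar.gz: 4789d6740fc2eed284ed82d5af26cf399dc8f787a88ae4be34c3330a9205e322
  SHA512:
- metadata.gz: 54837391e4c4da2517b10248cbdcb537745830ae213e8c131db450de1e5d97dd6576e15f4e76f43fd2d0f1f53f73d4b37a2c6f7521b4dff6460b9c2bb9646a74
- data.tar.gz: 794f40198ac102353e135e30f1363af28b139c531bf1bc7da4286223230d38d9b9fa1e8d46b0371c42d50f592e763d5e4eceeb4fd44dc1ae68815df8492e8f29
+ metadata.gz: '09b3602b977bc921d6e5e5da1c6d75ead824d0eae63775462b964ef7c54e6060765914c6f82c5fe10f4b5276c717889882e8dd13e2941663ee771f78ea3494cc'
+ data.tar.gz: eb25a303b66f034bad37f77dc1c89726867bea41045f7c5a119bc99fba4602e97ce91b63eacada0df68cded06c6f0a67c79ec50681583a97f97aded2069ab524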
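--- a/data/.idea/workspace.xml
+++ b/data/.idea/workspace.xml
@@ -1,10 +1,8 @@
  <?xml version="1.0" encoding="UTF-8"?>
  <project version="4">
  <component name="ChangeListManager">
- <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
- <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
+ <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)">
+ <change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
  <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
  </list>
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
@@ -19,10 +17,19 @@
  <component name="FileEditorManager">
  <leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
  <file pinned="false" current-in-tab="true">
+ <entry file="file://$PROJECT_DIR$/exe/XSpear">
+ <provider selected="true" editor-type-id="text-editor">
+ <state relative-caret-position="466">
+ <caret line="79" column="12" lean-forward="true" selection-start-line="79" selection-start-column="12" selection-end-line="79" selection-end-column="12" />
+ </state>
+ </provider>
+ </entry>
+ </file>
+ <file pinned="false" current-in-tab="false">
  <entry file="file://$PROJECT_DIR$/README.md">
  <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
  <state split_layout="SPLIT">
- <first_editor relative-caret-position="180">
+ <first_editor relative-caret-position="179">
  <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
  </first_editor>
  <second_editor />
@@ -33,8 +40,8 @@
  <file pinned="false" current-in-tab="false">
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="134">
- <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
+ <state relative-caret-position="360">
+ <caret line="526" selection-start-line="526" selection-end-line="526" />
  </state>
  </provider>
  </entry>
@@ -57,15 +64,6 @@
  </provider>
  </entry>
  </file>
- <file pinned="false" current-in-tab="false">
- <entry file="file://$PROJECT_DIR$/lib/XSpear/banner.rb">
- <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="150">
- <caret line="10" column="35" selection-start-line="10" selection-start-column="35" selection-end-line="10" selection-end-column="35" />
- </state>
- </provider>
- </entry>
- </file>
  <file pinned="false" current-in-tab="false">
  <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
  <provider selected="true" editor-type-id="text-editor">
@@ -113,12 +111,12 @@
  <list>
  <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
  <option value="$PROJECT_DIR$/XSpear.gemspec" />
- <option value="$PROJECT_DIR$/exe/XSpear" />
  <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
+ <option value="$PROJECT_DIR$/README.md" />
  <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
  <option value="$PROJECT_DIR$/lib/XSpear.rb" />
- <option value="$PROJECT_DIR$/README.md" />
+ <option value="$PROJECT_DIR$/exe/XSpear" />
  </list>
  </option>
  </component>
@@ -235,28 +233,7 @@
  <workItem from="1563809961097" duration="4237000" />
  <workItem from="1563893538891" duration="11917000" />
  <workItem from="1564151699165" duration="2494000" />
- <workItem from="1564413097342" duration="8852000" />
- </task>
- <task id="LOCAL-00009" summary="Edit readme">
- <created>1563202605282</created>
- <option name="number" value="00009" />
- <option name="presentableId" value="LOCAL-00009" />
- <option name="project" value="LOCAL" />
- <updated>1563202605282</updated>
- </task>
- <task id="LOCAL-00010" summary="Edit readme">
- <created>1563202838235</created>
- <option name="number" value="00010" />
- <option name="presentableId" value="LOCAL-00010" />
- <option name="project" value="LOCAL" />
- <updated>1563202838235</updated>
- </task>
- <task id="LOCAL-00011" summary="Edit readme">
- <created>1563203220735</created>
- <option name="number" value="00011" />
- <option name="presentableId" value="LOCAL-00011" />
- <option name="project" value="LOCAL" />
- <updated>1563203220735</updated>
+ <workItem from="1564413097342" duration="9628000" />
  </task>
  <task id="LOCAL-00012" summary="Add json report and new build binary, edit readme">
  <created>1563293661569</created>
@@ -580,11 +557,32 @@
  <option name="project" value="LOCAL" />
  <updated>1565283263992</updated>
  </task>
- <option name="localTasksCounter" value="58" />
+ <task id="LOCAL-00058" summary="(1.1.5)(Fixed #21) not reflected params , no testing. but alway blind xss, other bug fix">
+ <created>1565795156071</created>
+ <option name="number" value="00058" />
+ <option name="presentableId" value="LOCAL-00058" />
+ <option name="project" value="LOCAL" />
+ <updated>1565795156071</updated>
+ </task>
+ <task id="LOCAL-00059" summary="(1.1.5) Released 1.1.5">
+ <created>1565795193246</created>
+ <option name="number" value="00059" />
+ <option name="presentableId" value="LOCAL-00059" />
+ <option name="project" value="LOCAL" />
+ <updated>1565795193247</updated>
+ </task>
+ <task id="LOCAL-00060" summary="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)">
+ <created>1565965741653</created>
+ <option name="number" value="00060" />
+ <option name="presentableId" value="LOCAL-00060" />
+ <option name="project" value="LOCAL" />
+ <updated>1565965741653</updated>
+ </task>
+ <option name="localTasksCounter" value="61" />
  <servers />
  </component>
  <component name="TimeTrackingManager">
- <option name="totallyTimeSpent" value="47822000" />
+ <option name="totallyTimeSpent" value="48598000" />
  </component>
  <component name="TodoView">
  <todo-panel id="selected-file">
@@ -599,7 +597,7 @@
  <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
  <editor active="true" />
  <layout>
- <window_info content_ui="combo" id="Project" order="0" visible="true" weight="0.14643237" />
+ <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.14643237" />
  <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
  <window_info id="Favorites" order="2" side_tool="true" />
  <window_info anchor="bottom" id="Message" order="0" />
@@ -612,7 +610,7 @@
  <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
  <window_info anchor="bottom" id="Database Changes" order="8" />
  <window_info anchor="bottom" id="Version Control" order="9" />
- <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
+ <window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
  <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
  <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
  <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -625,9 +623,6 @@
  <option name="version" value="1" />
  </component>
  <component name="VcsManagerConfiguration">
- <MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
- <MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
- <MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
  <MESSAGE value="(1.0.6) Edit report &amp; scanning format" />
  <MESSAGE value="(1.0.6)[fixed #5] Add blind-xss other pattern" />
  <MESSAGE value="(1.0.6) Releases 1.0.6 version" />
@@ -650,7 +645,10 @@
  <MESSAGE value="(1.1.4) [Fixed #20 #22] Modified JSON Format&amp;Remove Color in XSpearReporter" />
  <MESSAGE value="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3" />
  <MESSAGE value="(1.1.4) Released 1.1.4" />
- <option name="LAST_COMMIT_MESSAGE" value="(1.1.4) Released 1.1.4" />
+ <MESSAGE value="(1.1.5)(Fixed #21) not reflected params , no testing. but alway blind xss, other bug fix" />
+ <MESSAGE value="(1.1.5) Released 1.1.5" />
+ <MESSAGE value="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)" />
+ <option name="LAST_COMMIT_MESSAGE" value="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)" />
  </component>
  <component name="editorHistoryManager">
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -666,13 +664,6 @@
  <entry file="file://$PROJECT_DIR$/bin/setup">
  <provider selected="true" editor-type-id="text-editor" />
  </entry>
- <entry file="file://$PROJECT_DIR$/exe/XSpear">
- <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="570">
- <caret line="38" column="77" selection-start-line="38" selection-start-column="77" selection-end-line="38" selection-end-column="77" />
- </state>
- </provider>
- </entry>
  <entry file="file://$PROJECT_DIR$/spec/XSpear_spec.rb">
  <provider selected="true" editor-type-id="text-editor" />
  </entry>
@@ -717,6 +708,16 @@
  </state>
  </provider>
  </entry>
+ <entry file="file://$PROJECT_DIR$/README.md">
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
+ <state split_layout="SPLIT">
+ <first_editor relative-caret-position="179">
+ <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
+ </first_editor>
+ <second_editor />
+ </state>
+ </provider>
+ </entry>
  <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
  <provider selected="true" editor-type-id="text-editor">
  <state relative-caret-position="15">
@@ -726,18 +727,15 @@
  </entry>
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
  <provider selected="true" editor-type-id="text-editor">
- <state relative-caret-position="134">
- <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
+ <state relative-caret-position="360">
+ <caret line="526" selection-start-line="526" selection-end-line="526" />
  </state>
  </provider>
  </entry>
- <entry file="file://$PROJECT_DIR$/README.md">
- <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
- <state split_layout="SPLIT">
- <first_editor relative-caret-position="180">
- <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
- </first_editor>
- <second_editor />
+ <entry file="file://$PROJECT_DIR$/exe/XSpear">
+ <provider selected="true" editor-type-id="text-editor">
+ <state relative-caret-position="466">
+ <caret line="79" column="12" lean-forward="true" selection-start-line="79" selection-start-column="12" selection-end-line="79" selection-end-column="12" />
  </state>
  </provider>
  </entry>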
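--- a/data/README.md
+++ b/data/README.md
@@ -331,5 +331,9 @@ The gem is available as open source under the terms of the [MIT License](https:/
  Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
  
  ## ScreenShot
- <img src="https://user-images.githubusercontent.com/13212227/61727892-1681d400-adaf-11e9-832d-37547006f778.png" width=100%>
- <img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
+ < CLI-Report 1 >
+ <img src="https://user-images.githubusercontent.com/13212227/63032408-b800cf00-bef0-11e9-8a7a-4325eecae486.png" width=100%>
+ < CLI-Report 2 >
+ <img src="https://user-images.githubusercontent.com/13212227/63032409-b8996580-bef0-11e9-93cd-dbabbd5f4ea1.png" width=100%>
+ < JSON Report >
+ <img src="https://user-images.githubusercontent.com/13212227/63032411-b8996580-bef0-11e9-8aee-0b80fe87f50d.png" width=100%>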
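--- a/data/exe/XSpear
+++ b/data/exe/XSpear
@@ -13,7 +13,7 @@ class Parser
  exit
  end
  opt_parser = OptionParser.new do |opts|
- opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
+ opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
  
  
  opts.on('-u', '--url=target_URL', '[required] Target Url') do |n|
@@ -79,7 +79,7 @@ class Parser
  puts XSpear::VERSION
  exit
  end
- opts.on('--update', 'Update with online') do
+ opts.on('--update', 'Show how to update') do
  puts "[RubyGem user] : $ gem update XSpear"
  puts "[Soft | Developer & Git clone user] : $ git pull -v "
  puts "[Hard | Developer & Git clone user] : $ git reset --hard HEAD; git pull -v "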
data/lib/XSpear.rb CHANGED
@@ -367,7 +367,8 @@ class XspearScan
367
367
  'onpointerout',
368
368
  'onpointerup',
369
369
  'onloadstart',
370
- 'onloadend'
370
+ 'onloadend',
371
+ 'whatthe=""onload'
371
372
  ]
372
373
  tags = [
373
374
  "script",
@@ -521,6 +522,7 @@ class XspearScan
521
522
  r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
522
523
  r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
523
524
  r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
525
+ r.push makeQueryPattern('x', '"\'><svg/whatthe=""onload=alert(45)>', '<svg/whatthe=""onload=alert(45)>', 'h', "triggered ".yellow+"<svg/whatthe=""onload=alert(45)>".red, CallbackXSSSelenium)
524
526
 
525
527
 
526
528
  # Check Selenium XSS Polyglot
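Review bot: The description string on the added `makeQueryPattern` line (new line 525, second hunk) does not show the payload that is actually sent. Inside double quotes, `"<svg/whatthe=""onload=alert(45)>"` is parsed by Ruby as two adjacent literals and concatenated, so the `""` is dropped and the message reads `<svg/whatthe=onload=alert(45)>`. The neighbouring lines escape their inner quotes, so this one should be written `"<svg/whatthe=\"\"onload=alert(45)>".red`, keeping what looks like the report text in step with the single-quoted payload and match arguments. The `'whatthe=""onload'` entry in the first hunk is single-quoted and is not affected. The enclosing method starts and ends outside both hunks.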
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.1.5"
2
+ VERSION = "1.1.6"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.5
4
+ version: 1.1.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-08-14 00:00:00.000000000 Z
11
+ date: 2019-08-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize