XSpear 1.1.5 → 1.1.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.idea/workspace.xml +62 -64
- data/README.md +6 -2
- data/exe/XSpear +2 -2
- data/lib/XSpear.rb +3 -1
- data/lib/XSpear/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5011ecb6f122ed96cc433874fb2199067b1c699e6e435e4d691d8b0ef887e3d8
|
|
4
|
+
data.tar.gz: 4789d6740fc2eed284ed82d5af26cf399dc8f787a88ae4be34c3330a9205e322
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '09b3602b977bc921d6e5e5da1c6d75ead824d0eae63775462b964ef7c54e6060765914c6f82c5fe10f4b5276c717889882e8dd13e2941663ee771f78ea3494cc'
|
|
7
|
+
data.tar.gz: eb25a303b66f034bad37f77dc1c89726867bea41045f7c5a119bc99fba4602e97ce91b63eacada0df68cded06c6f0a67c79ec50681583a97f97aded2069ab524
|
data/.idea/workspace.xml
CHANGED
|
@@ -1,10 +1,8 @@
|
|
|
1
1
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
2
|
<project version="4">
|
|
3
3
|
<component name="ChangeListManager">
|
|
4
|
-
<list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
|
|
5
|
-
<change beforePath="$PROJECT_DIR
|
|
6
|
-
<change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
|
|
7
|
-
<change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
|
|
4
|
+
<list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="(1.1.6) Add Event handler pattern (whatthe=""onload)">
|
|
5
|
+
<change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
|
|
8
6
|
<change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
|
|
9
7
|
</list>
|
|
10
8
|
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
|
|
@@ -19,10 +17,19 @@
|
|
|
19
17
|
<component name="FileEditorManager">
|
|
20
18
|
<leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
|
|
21
19
|
<file pinned="false" current-in-tab="true">
|
|
20
|
+
<entry file="file://$PROJECT_DIR$/exe/XSpear">
|
|
21
|
+
<provider selected="true" editor-type-id="text-editor">
|
|
22
|
+
<state relative-caret-position="466">
|
|
23
|
+
<caret line="79" column="12" lean-forward="true" selection-start-line="79" selection-start-column="12" selection-end-line="79" selection-end-column="12" />
|
|
24
|
+
</state>
|
|
25
|
+
</provider>
|
|
26
|
+
</entry>
|
|
27
|
+
</file>
|
|
28
|
+
<file pinned="false" current-in-tab="false">
|
|
22
29
|
<entry file="file://$PROJECT_DIR$/README.md">
|
|
23
30
|
<provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
|
|
24
31
|
<state split_layout="SPLIT">
|
|
25
|
-
<first_editor relative-caret-position="
|
|
32
|
+
<first_editor relative-caret-position="179">
|
|
26
33
|
<caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
|
|
27
34
|
</first_editor>
|
|
28
35
|
<second_editor />
|
|
@@ -33,8 +40,8 @@
|
|
|
33
40
|
<file pinned="false" current-in-tab="false">
|
|
34
41
|
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
35
42
|
<provider selected="true" editor-type-id="text-editor">
|
|
36
|
-
<state relative-caret-position="
|
|
37
|
-
<caret line="
|
|
43
|
+
<state relative-caret-position="360">
|
|
44
|
+
<caret line="526" selection-start-line="526" selection-end-line="526" />
|
|
38
45
|
</state>
|
|
39
46
|
</provider>
|
|
40
47
|
</entry>
|
|
@@ -57,15 +64,6 @@
|
|
|
57
64
|
</provider>
|
|
58
65
|
</entry>
|
|
59
66
|
</file>
|
|
60
|
-
<file pinned="false" current-in-tab="false">
|
|
61
|
-
<entry file="file://$PROJECT_DIR$/lib/XSpear/banner.rb">
|
|
62
|
-
<provider selected="true" editor-type-id="text-editor">
|
|
63
|
-
<state relative-caret-position="150">
|
|
64
|
-
<caret line="10" column="35" selection-start-line="10" selection-start-column="35" selection-end-line="10" selection-end-column="35" />
|
|
65
|
-
</state>
|
|
66
|
-
</provider>
|
|
67
|
-
</entry>
|
|
68
|
-
</file>
|
|
69
67
|
<file pinned="false" current-in-tab="false">
|
|
70
68
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
|
|
71
69
|
<provider selected="true" editor-type-id="text-editor">
|
|
@@ -113,12 +111,12 @@
|
|
|
113
111
|
<list>
|
|
114
112
|
<option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
|
|
115
113
|
<option value="$PROJECT_DIR$/XSpear.gemspec" />
|
|
116
|
-
<option value="$PROJECT_DIR$/exe/XSpear" />
|
|
117
114
|
<option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
|
|
118
115
|
<option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
|
|
116
|
+
<option value="$PROJECT_DIR$/README.md" />
|
|
119
117
|
<option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
|
|
120
118
|
<option value="$PROJECT_DIR$/lib/XSpear.rb" />
|
|
121
|
-
<option value="$PROJECT_DIR$/
|
|
119
|
+
<option value="$PROJECT_DIR$/exe/XSpear" />
|
|
122
120
|
</list>
|
|
123
121
|
</option>
|
|
124
122
|
</component>
|
|
@@ -235,28 +233,7 @@
|
|
|
235
233
|
<workItem from="1563809961097" duration="4237000" />
|
|
236
234
|
<workItem from="1563893538891" duration="11917000" />
|
|
237
235
|
<workItem from="1564151699165" duration="2494000" />
|
|
238
|
-
<workItem from="1564413097342" duration="
|
|
239
|
-
</task>
|
|
240
|
-
<task id="LOCAL-00009" summary="Edit readme">
|
|
241
|
-
<created>1563202605282</created>
|
|
242
|
-
<option name="number" value="00009" />
|
|
243
|
-
<option name="presentableId" value="LOCAL-00009" />
|
|
244
|
-
<option name="project" value="LOCAL" />
|
|
245
|
-
<updated>1563202605282</updated>
|
|
246
|
-
</task>
|
|
247
|
-
<task id="LOCAL-00010" summary="Edit readme">
|
|
248
|
-
<created>1563202838235</created>
|
|
249
|
-
<option name="number" value="00010" />
|
|
250
|
-
<option name="presentableId" value="LOCAL-00010" />
|
|
251
|
-
<option name="project" value="LOCAL" />
|
|
252
|
-
<updated>1563202838235</updated>
|
|
253
|
-
</task>
|
|
254
|
-
<task id="LOCAL-00011" summary="Edit readme">
|
|
255
|
-
<created>1563203220735</created>
|
|
256
|
-
<option name="number" value="00011" />
|
|
257
|
-
<option name="presentableId" value="LOCAL-00011" />
|
|
258
|
-
<option name="project" value="LOCAL" />
|
|
259
|
-
<updated>1563203220735</updated>
|
|
236
|
+
<workItem from="1564413097342" duration="9628000" />
|
|
260
237
|
</task>
|
|
261
238
|
<task id="LOCAL-00012" summary="Add json report and new build binary, edit readme">
|
|
262
239
|
<created>1563293661569</created>
|
|
@@ -580,11 +557,32 @@
|
|
|
580
557
|
<option name="project" value="LOCAL" />
|
|
581
558
|
<updated>1565283263992</updated>
|
|
582
559
|
</task>
|
|
583
|
-
<
|
|
560
|
+
<task id="LOCAL-00058" summary="(1.1.5)(Fixed #21) not reflected params , no testing. but alway blind xss, other bug fix">
|
|
561
|
+
<created>1565795156071</created>
|
|
562
|
+
<option name="number" value="00058" />
|
|
563
|
+
<option name="presentableId" value="LOCAL-00058" />
|
|
564
|
+
<option name="project" value="LOCAL" />
|
|
565
|
+
<updated>1565795156071</updated>
|
|
566
|
+
</task>
|
|
567
|
+
<task id="LOCAL-00059" summary="(1.1.5) Released 1.1.5">
|
|
568
|
+
<created>1565795193246</created>
|
|
569
|
+
<option name="number" value="00059" />
|
|
570
|
+
<option name="presentableId" value="LOCAL-00059" />
|
|
571
|
+
<option name="project" value="LOCAL" />
|
|
572
|
+
<updated>1565795193247</updated>
|
|
573
|
+
</task>
|
|
574
|
+
<task id="LOCAL-00060" summary="(1.1.6) Add Event handler pattern (whatthe=""onload)">
|
|
575
|
+
<created>1565965741653</created>
|
|
576
|
+
<option name="number" value="00060" />
|
|
577
|
+
<option name="presentableId" value="LOCAL-00060" />
|
|
578
|
+
<option name="project" value="LOCAL" />
|
|
579
|
+
<updated>1565965741653</updated>
|
|
580
|
+
</task>
|
|
581
|
+
<option name="localTasksCounter" value="61" />
|
|
584
582
|
<servers />
|
|
585
583
|
</component>
|
|
586
584
|
<component name="TimeTrackingManager">
|
|
587
|
-
<option name="totallyTimeSpent" value="
|
|
585
|
+
<option name="totallyTimeSpent" value="48598000" />
|
|
588
586
|
</component>
|
|
589
587
|
<component name="TodoView">
|
|
590
588
|
<todo-panel id="selected-file">
|
|
@@ -599,7 +597,7 @@
|
|
|
599
597
|
<frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
|
|
600
598
|
<editor active="true" />
|
|
601
599
|
<layout>
|
|
602
|
-
<window_info content_ui="combo" id="Project" order="0" visible="true" weight="0.14643237" />
|
|
600
|
+
<window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.14643237" />
|
|
603
601
|
<window_info id="Structure" order="1" side_tool="true" weight="0.25" />
|
|
604
602
|
<window_info id="Favorites" order="2" side_tool="true" />
|
|
605
603
|
<window_info anchor="bottom" id="Message" order="0" />
|
|
@@ -612,7 +610,7 @@
|
|
|
612
610
|
<window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
|
|
613
611
|
<window_info anchor="bottom" id="Database Changes" order="8" />
|
|
614
612
|
<window_info anchor="bottom" id="Version Control" order="9" />
|
|
615
|
-
<window_info
|
|
613
|
+
<window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
|
|
616
614
|
<window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
|
|
617
615
|
<window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
|
|
618
616
|
<window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
|
|
@@ -625,9 +623,6 @@
|
|
|
625
623
|
<option name="version" value="1" />
|
|
626
624
|
</component>
|
|
627
625
|
<component name="VcsManagerConfiguration">
|
|
628
|
-
<MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
|
|
629
|
-
<MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
|
|
630
|
-
<MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
|
|
631
626
|
<MESSAGE value="(1.0.6) Edit report & scanning format" />
|
|
632
627
|
<MESSAGE value="(1.0.6)[fixed #5] Add blind-xss other pattern" />
|
|
633
628
|
<MESSAGE value="(1.0.6) Releases 1.0.6 version" />
|
|
@@ -650,7 +645,10 @@
|
|
|
650
645
|
<MESSAGE value="(1.1.4) [Fixed #20 #22] Modified JSON Format&Remove Color in XSpearReporter" />
|
|
651
646
|
<MESSAGE value="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3" />
|
|
652
647
|
<MESSAGE value="(1.1.4) Released 1.1.4" />
|
|
653
|
-
<
|
|
648
|
+
<MESSAGE value="(1.1.5)(Fixed #21) not reflected params , no testing. but alway blind xss, other bug fix" />
|
|
649
|
+
<MESSAGE value="(1.1.5) Released 1.1.5" />
|
|
650
|
+
<MESSAGE value="(1.1.6) Add Event handler pattern (whatthe=""onload)" />
|
|
651
|
+
<option name="LAST_COMMIT_MESSAGE" value="(1.1.6) Add Event handler pattern (whatthe=""onload)" />
|
|
654
652
|
</component>
|
|
655
653
|
<component name="editorHistoryManager">
|
|
656
654
|
<entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
|
|
@@ -666,13 +664,6 @@
|
|
|
666
664
|
<entry file="file://$PROJECT_DIR$/bin/setup">
|
|
667
665
|
<provider selected="true" editor-type-id="text-editor" />
|
|
668
666
|
</entry>
|
|
669
|
-
<entry file="file://$PROJECT_DIR$/exe/XSpear">
|
|
670
|
-
<provider selected="true" editor-type-id="text-editor">
|
|
671
|
-
<state relative-caret-position="570">
|
|
672
|
-
<caret line="38" column="77" selection-start-line="38" selection-start-column="77" selection-end-line="38" selection-end-column="77" />
|
|
673
|
-
</state>
|
|
674
|
-
</provider>
|
|
675
|
-
</entry>
|
|
676
667
|
<entry file="file://$PROJECT_DIR$/spec/XSpear_spec.rb">
|
|
677
668
|
<provider selected="true" editor-type-id="text-editor" />
|
|
678
669
|
</entry>
|
|
@@ -717,6 +708,16 @@
|
|
|
717
708
|
</state>
|
|
718
709
|
</provider>
|
|
719
710
|
</entry>
|
|
711
|
+
<entry file="file://$PROJECT_DIR$/README.md">
|
|
712
|
+
<provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
|
|
713
|
+
<state split_layout="SPLIT">
|
|
714
|
+
<first_editor relative-caret-position="179">
|
|
715
|
+
<caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
|
|
716
|
+
</first_editor>
|
|
717
|
+
<second_editor />
|
|
718
|
+
</state>
|
|
719
|
+
</provider>
|
|
720
|
+
</entry>
|
|
720
721
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
|
|
721
722
|
<provider selected="true" editor-type-id="text-editor">
|
|
722
723
|
<state relative-caret-position="15">
|
|
@@ -726,18 +727,15 @@
|
|
|
726
727
|
</entry>
|
|
727
728
|
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
728
729
|
<provider selected="true" editor-type-id="text-editor">
|
|
729
|
-
<state relative-caret-position="
|
|
730
|
-
<caret line="
|
|
730
|
+
<state relative-caret-position="360">
|
|
731
|
+
<caret line="526" selection-start-line="526" selection-end-line="526" />
|
|
731
732
|
</state>
|
|
732
733
|
</provider>
|
|
733
734
|
</entry>
|
|
734
|
-
<entry file="file://$PROJECT_DIR$/
|
|
735
|
-
<provider selected="true" editor-type-id="
|
|
736
|
-
<state
|
|
737
|
-
<
|
|
738
|
-
<caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
|
|
739
|
-
</first_editor>
|
|
740
|
-
<second_editor />
|
|
735
|
+
<entry file="file://$PROJECT_DIR$/exe/XSpear">
|
|
736
|
+
<provider selected="true" editor-type-id="text-editor">
|
|
737
|
+
<state relative-caret-position="466">
|
|
738
|
+
<caret line="79" column="12" lean-forward="true" selection-start-line="79" selection-start-column="12" selection-end-line="79" selection-end-column="12" />
|
|
741
739
|
</state>
|
|
742
740
|
</provider>
|
|
743
741
|
</entry>
|
data/README.md
CHANGED
|
@@ -331,5 +331,9 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
331
331
|
Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
|
|
332
332
|
|
|
333
333
|
## ScreenShot
|
|
334
|
-
<
|
|
335
|
-
<img src="https://user-images.githubusercontent.com/13212227/
|
|
334
|
+
< CLI-Report 1 >
|
|
335
|
+
<img src="https://user-images.githubusercontent.com/13212227/63032408-b800cf00-bef0-11e9-8a7a-4325eecae486.png" width=100%>
|
|
336
|
+
< CLI-Report 2 >
|
|
337
|
+
<img src="https://user-images.githubusercontent.com/13212227/63032409-b8996580-bef0-11e9-93cd-dbabbd5f4ea1.png" width=100%>
|
|
338
|
+
< JSON Report >
|
|
339
|
+
<img src="https://user-images.githubusercontent.com/13212227/63032411-b8996580-bef0-11e9-8aee-0b80fe87f50d.png" width=100%>
|
data/exe/XSpear
CHANGED
|
@@ -13,7 +13,7 @@ class Parser
|
|
|
13
13
|
exit
|
|
14
14
|
end
|
|
15
15
|
opt_parser = OptionParser.new do |opts|
|
|
16
|
-
opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$
|
|
16
|
+
opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
|
|
17
17
|
|
|
18
18
|
|
|
19
19
|
opts.on('-u', '--url=target_URL', '[required] Target Url') do |n|
|
|
@@ -79,7 +79,7 @@ class Parser
|
|
|
79
79
|
puts XSpear::VERSION
|
|
80
80
|
exit
|
|
81
81
|
end
|
|
82
|
-
opts.on('--update', '
|
|
82
|
+
opts.on('--update', 'Show how to update') do
|
|
83
83
|
puts "[RubyGem user] : $ gem update XSpear"
|
|
84
84
|
puts "[Soft | Developer & Git clone user] : $ git pull -v "
|
|
85
85
|
puts "[Hard | Developer & Git clone user] : $ git reset --hard HEAD; git pull -v "
|
data/lib/XSpear.rb
CHANGED
|
@@ -367,7 +367,8 @@ class XspearScan
|
|
|
367
367
|
'onpointerout',
|
|
368
368
|
'onpointerup',
|
|
369
369
|
'onloadstart',
|
|
370
|
-
'onloadend'
|
|
370
|
+
'onloadend',
|
|
371
|
+
'whatthe=""onload'
|
|
371
372
|
]
|
|
372
373
|
tags = [
|
|
373
374
|
"script",
|
|
@@ -521,6 +522,7 @@ class XspearScan
|
|
|
521
522
|
r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
|
|
522
523
|
r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
|
|
523
524
|
r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
|
|
525
|
+
r.push makeQueryPattern('x', '"\'><svg/whatthe=""onload=alert(45)>', '<svg/whatthe=""onload=alert(45)>', 'h', "triggered ".yellow+"<svg/whatthe=""onload=alert(45)>".red, CallbackXSSSelenium)
|
|
524
526
|
|
|
525
527
|
|
|
526
528
|
# Check Selenium XSS Polyglot
|
data/lib/XSpear/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: XSpear
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1.
|
|
4
|
+
version: 1.1.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- hahwul
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-08-
|
|
11
|
+
date: 2019-08-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: colorize
|