cross 0.20.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.gitignore

@@ -0,0 +1,19 @@
+*.swp
+cross.log
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1 @@
+--color

data/.rvmrc

@@ -0,0 +1,2 @@
+rvm use 1.9.3@cross
+

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in cross.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Paolo Perego
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Cross
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'cross'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install cross
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/README.rdoc

@@ -0,0 +1,43 @@
+= cross
+
+cross is a simple and easy to use cross site scripting spotting tool. The idea
+is to use mechanize to submit attack patterns to forms and read the
+payload in the resulting page using nokogiri and xpath queries.
+
+Having the result page full HTML understood my lead to have low false positives
+rate.
+
+{<img src="http://travis-ci.org/thesp0nge/cross.png" />}[http://travis-ci.org/thesp0nge/cross]
+== Version
+
+current cross version is: 0.0.0
+
+== Wishlist
+
+cross latest goal is automate the search for XSS in a web application, providing APIs for being called by other tools.
+
+To accomplish this, I'd like to add in the very near future:
+
+* honoring sitemap.xml - given the web application URL, if the sitemap.xml has
+  been found, cross will limit the scan in this link list (you'll be able to
+  override this, I'll introduce it to limit the impact of crawling a website
+  when URLs are dynamically generated).
+* save file in a SQL form - cross will be ORM agnostic, I'll provide a SQLite3 driver as default.
+* HTML5 & CSS3 reporting - even hackers want good looking web2.0 reports
+* ...
+
+== Contributing to cross
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Paolo Perego. See LICENSE for
+further details.
+

data/Rakefile

@@ -0,0 +1,8 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
+task :default => :spec
+task :test => :spec

data/VERSION

@@ -0,0 +1 @@
+0.10.0

data/bin/cross

@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby
+
+require 'rainbow'
+require 'logger'
+require 'mechanize'
+require 'cross'
+require 'getoptlong'
+
+opts = GetoptLong.new(
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
+  ['--debug', '-D', GetoptLong::NO_ARGUMENT ],
+  ['--exploit-url', '-u', GetoptLong::NO_ARGUMENT]
+)
+trap("INT") { puts '['+'INTERRUPTED'.color(:red)+']'; exit -1 }
+
+options={:exploit_url=>false, :debug=>false}
+
+opts.each do |opt, arg| 
+  case opt
+  when '--help'
+    puts "usage: cross [-uDhv] target"
+    puts "     -u: exploits the URL string instead of looking at the form values"
+    puts "     -D: turns debug on"
+    puts "     -v: shows version"
+    puts "     -h: this help"
+    exit 0
+  when '--version'
+    puts "cross " + Cross::VERSION
+    exit 0
+   when '--debug'
+     options[:debug]=true
+   when '--exploit-url'
+     options[:exploit_url]=true
+  end
+end
+
+puts "cross " + Cross::VERSION + " (C) 2011, 2012 - paolo@armoredcode.com"
+
+engine = Cross::Engine.instance
+engine.start(options)
+
+raise "cross: missing target" if ARGV.length != 1
+puts "Canary found in output page. Suspected XSS" if engine.inject(ARGV.shift)

data/cross.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/cross/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Paolo Perego"]
+  gem.email         = ["thesp0nge@gmail.com"]
+  gem.description   = %q{cross is a cross site scripting testing tool}
+  gem.summary       = %q{cross is a cross site scripting testing tool}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "cross"
+  gem.require_paths = ["lib"]
+  gem.version       = Cross::VERSION
+
+
+  gem.add_development_dependency "rake"
+  gem.add_development_dependency "rspec"
+  gem.add_dependency "rest-open-uri"
+  gem.add_dependency "mechanize"
+  gem.add_dependency "logger"
+  gem.add_dependency "rainbow"
+end

data/lib/cross.rb

@@ -0,0 +1,3 @@
+require 'cross/version'
+require 'cross/engine'
+

data/lib/cross/engine.rb

@@ -0,0 +1,75 @@
+require 'mechanize'
+require 'logger'
+require 'singleton'
+
+require 'cross/xss'
+
+module Cross
+  # Engine is the cross class using Mechanize to inject canary and check for
+  # output
+  class Engine
+    include Singleton
+
+    attr_reader :agent
+    attr_accessor :options
+
+    # Starts the engine
+    def start(options={:exploit_url=>false, :debug=>false, :auth=>{}})
+      @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
+      @agent.user_agent_alias = 'Mac Safari'
+      @agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      @options = options
+    end 
+
+    def inject(url)
+      if @agent.nil?
+        start
+      end
+
+      if ! @options[:auth].nil?  and ! @options[:auth].empty? 
+        @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password])
+      end
+
+      found = false
+      if @options[:exploit_url]
+        # You ask to exploit the url, so I won't check for form values
+
+        Cross::Attack::XSS.each do |pattern|
+          page = @agent.get(url+pattern)
+
+          if @options[:debug]
+            @agent.log.debug(page.body)
+          end
+          scripts = page.search("//script")
+          scripts.each do |sc|
+            if sc.children.text.include?("alert('cross canary');")
+              found = true
+            end
+            if @options[:debug]
+              @agent.log.debug(sc.children.text)
+            end
+          end
+
+          puts "GET #{url+pattern}: #{found}"
+        end
+
+      else
+        page = @agent.get(url)
+        page.forms.each do |f|
+          f.fields.each do |ff|
+            ff.value = "<script>alert('cross canary');</script>"
+          end
+          pp = @agent.submit(f)
+          scripts = pp.search("//script")
+          scripts.each do |sc|
+            if sc.children.text == "alert('cross canary');"
+              found = true
+            end
+          end
+        end 
+      end
+      found
+    end
+
+  end
+end

data/lib/cross/version.rb

@@ -0,0 +1,3 @@
+module Cross
+  VERSION = "0.20.0"
+end

data/lib/cross/xss.rb

@@ -0,0 +1,22 @@
+module Cross
+  module Attack
+    class XSS
+
+      def self.each
+
+        evasions = [
+          "<script>alert('cross canary');</script>",
+          "/--><script>alert('cross canary');</script>",
+          "/--></ScRiPt><ScRiPt>alert('cross canary');</ScRiPt>",
+          "//;-->alert('cross canary');",
+          "\"//;\nalert('cross canary');"
+        ]
+        evasions.each do |pattern|
+          yield pattern if block_given?
+        end
+      
+      end
+
+    end
+  end
+end

data/spec/cross_spec.rb

@@ -0,0 +1,4 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "Cross" do
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'rspec'
+require 'cross'
+
+# Requires supporting files with custom matchers and macros, etc,
+# in ./support/ and its subdirectories.
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  
+end

metadata

@@ -0,0 +1,168 @@
+--- !ruby/object:Gem::Specification
+name: cross
+version: !ruby/object:Gem::Version
+  version: 0.20.0
+  prerelease: 
+platform: ruby
+authors:
+- Paolo Perego
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rest-open-uri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mechanize
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: cross is a cross site scripting testing tool
+email:
+- thesp0nge@gmail.com
+executables:
+- cross
+extensions: []
+extra_rdoc_files: []
+files:
+- .document
+- .gitignore
+- .rspec
+- .rvmrc
+- Gemfile
+- LICENSE
+- README.md
+- README.rdoc
+- Rakefile
+- VERSION
+- bin/cross
+- cross.gemspec
+- lib/cross.rb
+- lib/cross/engine.rb
+- lib/cross/version.rb
+- lib/cross/xss.rb
+- spec/cross_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 487062861682332119
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 487062861682332119
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: cross is a cross site scripting testing tool
+test_files:
+- spec/cross_spec.rb
+- spec/spec_helper.rb