cross 0.71.0 → 0.75.0
- checksums.yaml +4 -4
- data/.gitignore +2 -1
- data/bin/cross +13 -6
- data/cross.gemspec +5 -2
- data/lib/cross.rb +0 -1
- data/lib/cross/engine.rb +6 -7
- data/lib/cross/version.rb +1 -1
- data/lib/cross/xss.rb +4 -0
- metadata +4 -5
- data/lib/cross/url.rb +0 -74
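--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cdf85e6db97ddb73397f4ff468421d5bde9f6de4
+data.tar.gz: 6df08d84bfa7a317ecc44561142a6d37e665d16e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cefefee84df4fdc1aa9a66e378b32a75ea31cfddc122d9e38075139eab4c95d071e11c4477e31e9add7a6c60d61c88ab0578b0d06b34083d64d447abc39fc0dd
+data.tar.gz: b4922ccdd23610f60f3eecdd3f751e21fdf2733337d95db9d086aa94ebbf08b338a6450477130ad1a9f64fca6f9162db6550c0428397d1f11a392ea75839a396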
data/.gitignore
CHANGED
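--- a/data/bin/cross
+++ b/data/bin/cross
@@ -14,6 +14,7 @@ opts = GetoptLong.new(
 [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
 ['--debug', '-D', GetoptLong::NO_ARGUMENT ],
 ['--oneshot', '-1', GetoptLong::NO_ARGUMENT ],
+['--evasion', '-e', GetoptLong::NO_ARGUMENT ],
 ['--sample-post', '-S', GetoptLong::REQUIRED_ARGUMENT ],
 ['--tamper', '-t', GetoptLong::REQUIRED_ARGUMENT ],
 ['--exploit-url', '-u', GetoptLong::NO_ARGUMENT ],
@@ -38,6 +39,7 @@ opts.each do |opt, arg|
 puts "usage: cross [-D1StucUPhv] target"
 puts " -D: turns debug on"
 puts " -1: random select a XSS attack pattern"
+puts " -e: list evasion list"
 puts " -S arg: when tampering posts, arg is a valid POST body used as reference. It can be also a text file containg the POST parameters."
 puts " -t arg: tells cross to tamper the given parameter. It must be used with -S flag turned on"
 puts " -u: exploits the URL string instead of looking at the form values"
@@ -65,10 +67,15 @@ opts.each do |opt, arg|
 options[:auth][:username]=arg
 when '--password'
 options[:auth][:password]=arg
+when '--evasion'
+Cross::Attack::XSS::EVASION.each do |evasion|
+$logger.log evasion
+end
 end
 end
 
 $logger.helo "cross", Cross::VERSION
+$logger.toggle_syslog
 $logger.die "missing target" if ARGV.length != 1
 $logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
 
@@ -80,14 +87,14 @@ engine.start(options)
 found = false
 
 engine.inject
-
+$logger.log "#{Cross::Attack::XSS.count} attack payloads sent"
 
-
-
-
-
+unless engine.results.empty?
+$logger.ok "Canary found in output page. Suspected XSS"
+engine.results.each do |res|
+$logger.log res[:evidence]
+end
 end
 
-
 $logger.err "Canary not found" if engine.results.empty?
 $logger.bye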
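--- a/data/cross.gemspec
+++ b/data/cross.gemspec
@@ -1,5 +1,8 @@
 # -*- encoding: utf-8 -*-
-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cross/version'
+
 
 Gem::Specification.new do |gem|
 gem.authors = ["Paolo Perego"]
@@ -23,5 +26,5 @@ Gem::Specification.new do |gem|
 gem.add_dependency "logger"
 gem.add_dependency "rainbow"
 
-gem.add_dependency "codesake-commons"
+gem.add_dependency "codesake-commons", ">= 0.89.0"
 end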
data/lib/cross.rb
CHANGED
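--- a/data/lib/cross/engine.rb
+++ b/data/lib/cross/engine.rb
@@ -1,7 +1,6 @@
 require 'mechanize'
 require 'logger'
 require 'singleton'
-require 'URI'
 
 require 'cross/xss'
 
@@ -28,11 +27,11 @@ module Cross
 # Starts the engine
 def start(options = {:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :auth=>{:username=>nil, :password=>nil}, :target=>""})
 @agent = Mechanize.new {|a| a.log = Logger.new(create_log_filename(options[:target]))}
-@agent.
+@agent.user_agent = "cross v#{Cross::VERSION}"
 @agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 @options = options
 @target = options[:target]
-@results =
+@results = []
 end
 
 
@@ -67,7 +66,7 @@ module Cross
 if @options[:exploit_url]
 # You ask to exploit the url, so I won't check for form values
 
-theurl=
+theurl= Codesake::Core::Url.new(@target)
 
 attack_url(theurl, Cross::Attack::XSS.rand) if oneshot?
 
@@ -123,7 +122,7 @@ module Cross
 ! ( @options[:auth][:username].nil? && @options[:auth][:password].nil? )
 end
 
-def attack_url(url =
+def attack_url(url = Codesake::Core::Url.new, pattern)
 $logger.log "using attack vector: #{pattern}" if debug?
 url.params.each do |par|
 
@@ -178,7 +177,7 @@ module Cross
 scripts.each do |sc|
 if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
 $logger.log(page.body) if @debug
-@results << {:page=>page.
+@results << {:page=>page.uri.to_s, :method=>:post, :evidence=>sc.children.text}
 return true
 end
 end
@@ -188,7 +187,7 @@ module Cross
 inputs.each do |input|
 if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
 $logger.log(page.body) if @debug
-@results << {:page=>page.
+@results << {:page=>page.uri.to_s, :method=>:post, :evidence=> input['onmouseover']}
 return true
 end
 end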
data/lib/cross/version.rb
CHANGED
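--- a/data/lib/cross/xss.rb
+++ b/data/lib/cross/xss.rb
@@ -6,6 +6,7 @@ module Cross
 
 CANARY = 666
 EVASIONS = [
+"\"/><script>alert(#{Cross::Attack::XSS::CANARY});</script>",
 "a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
 "<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
 "<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
@@ -72,6 +73,9 @@ module Cross
 Cross::Attack::XSS::EVASIONS[SecureRandom.random_number(Cross::Attack::XSS::EVASIONS.size)]
 end
 
+def self.count
+Cross::Attack::XSS::EVASIONS.count
+end
 
 def self.each
 Cross::Attack::XSS::EVASIONS.each do |pattern|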
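--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cross
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.75.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-
+date: 2013-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -100,14 +100,14 @@ dependencies:
 requirements:
 - - '>='
 - !ruby/object:Gem::Version
-version:
+version: 0.89.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
 - !ruby/object:Gem::Version
-version:
+version: 0.89.0
 description: cross is a cross site scripting testing tool
 email:
 - thesp0nge@gmail.com
@@ -130,7 +130,6 @@ files:
 - cross.gemspec
 - lib/cross.rb
 - lib/cross/engine.rb
-- lib/cross/url.rb
 - lib/cross/version.rb
 - lib/cross/xss.rb
 - spec/cross_spec.rb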
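--- a/data/lib/cross/url.rb
+++ /dev/null
@@ -1,74 +0,0 @@
-module Cross
-class Url
-
-attr_reader :url
-attr_reader :base_url
-attr_reader :params
-attr_reader :original_params
-
-def initialize(url)
-@url = url
-@params = []
-@original_params = []
-@base_url = url.split('?')[0]
-if has_params?
-p_array = url.split('?')[1].split('&')
-p_array.each do |p|
-pp = p.split('=')
-param = {}
-param[:name] = pp[0]
-param[:value] = pp[1] unless pp[1].nil?
-
-@params << param
-@original_params << param.dup
-end
-@original_params.freeze
-end
-end
-
-def to_s
-"#{@base_url}?#{params_to_url}"
-end
-
-def fuzz(name, value)
-set(name, value)
-"#{@base_url}?#{params_to_url}"
-end
-
-def get(name)
-value = nil
-@params.each do |p|
-value = p[:value] if p[:name] == name
-end
-value
-end
-
-def set(name, value)
-@params.each do |p|
-p[:value] = value if p[:name] == name
-end
-end
-
-def reset
-@params = []
-@original_params.each do |p|
-@params << p.dup
-end
-end
-
-def has_params?
-! @url.split('?')[1].nil?
-end
-def params_to_url
-ret = ""
-@params.each do |p|
-ret += "#{p[:name]}=#{p[:value]}"
-if !(p == @params.last)
-ret +="&"
-end
-end
-ret
-
-end
-end
-end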