RubyGems - cross - Versions diffs - 0.71.0 → 0.75.0 - Mend

cross 0.71.0 → 0.75.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4d3b0fa8038e923a78169091deade7936f0a2d66
-  data.tar.gz: fb09d7896889725c4dc6e2d88587d51247ea29a1
+  metadata.gz: cdf85e6db97ddb73397f4ff468421d5bde9f6de4
+  data.tar.gz: 6df08d84bfa7a317ecc44561142a6d37e665d16e
 SHA512:
-  metadata.gz: b755291350494991b333fee9d5546a2a2449556ea8e66b59258ae3ff709f523e1133285b65b0cacfa343c3d33a9fc47b89c7d576495c486551b7e057b3d30c9c
-  data.tar.gz: 334a929b2c037787a53c35d8ce4024dc431bb6ababc6fbe4e60b582bd8f02cc77d8a7ad4f88f6c33433b056bffd27a39c376297e3598c3a6e96da50fd6342b64
+  metadata.gz: cefefee84df4fdc1aa9a66e378b32a75ea31cfddc122d9e38075139eab4c95d071e11c4477e31e9add7a6c60d61c88ab0578b0d06b34083d64d447abc39fc0dd
+  data.tar.gz: b4922ccdd23610f60f3eecdd3f751e21fdf2733337d95db9d086aa94ebbf08b338a6450477130ad1a9f64fca6f9162db6550c0428397d1f11a392ea75839a396

data/.gitignore CHANGED

@@ -1,4 +1,5 @@
-*.swp
+*.txt
+*.sw?
 *.log
 *.gem
 *.rbc

data/bin/cross CHANGED

@@ -14,6 +14,7 @@ opts = GetoptLong.new(
   [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
   ['--debug', '-D', GetoptLong::NO_ARGUMENT ],
   ['--oneshot', '-1', GetoptLong::NO_ARGUMENT ],
+  ['--evasion', '-e', GetoptLong::NO_ARGUMENT ],
   ['--sample-post', '-S', GetoptLong::REQUIRED_ARGUMENT ],
   ['--tamper', '-t', GetoptLong::REQUIRED_ARGUMENT ],
   ['--exploit-url', '-u', GetoptLong::NO_ARGUMENT ],
@@ -38,6 +39,7 @@ opts.each do |opt, arg|
     puts "usage: cross [-D1StucUPhv] target"
     puts "     -D: turns debug on"
     puts "     -1: random select a XSS attack pattern"
+    puts "     -e: list evasion list"
     puts "     -S arg: when tampering posts, arg is a valid POST body used as reference. It can be also a text file containg the POST parameters."
     puts "     -t arg: tells cross to tamper the given parameter. It must be used with -S flag turned on"
     puts "     -u: exploits the URL string instead of looking at the form values"
@@ -65,10 +67,15 @@ opts.each do |opt, arg|
     options[:auth][:username]=arg
   when '--password'
     options[:auth][:password]=arg
+  when '--evasion'
+    Cross::Attack::XSS::EVASION.each do |evasion|
+      $logger.log evasion
+    end
   end
 end
 $logger.helo "cross", Cross::VERSION
+$logger.toggle_syslog
 $logger.die "missing target" if ARGV.length != 1
 $logger.die "-S and -t flag must be used together" if (options[:sample_post].empty? && ! options[:parameter_to_tamper].empty?) or (! options[:sample_post].empty? && options[:parameter_to_tamper].empty?)
@@ -80,14 +87,14 @@ engine.start(options)
 found = false
 engine.inject
-unless engine.results.empty?
+$logger.log "#{Cross::Attack::XSS.count} attack payloads sent"
-$logger.ok "Canary found in output page. Suspected XSS"
-engine.results.each do |res|
-  $logger.log res[:evidence]
-end
+unless engine.results.empty?
+  $logger.ok "Canary found in output page. Suspected XSS"
+  engine.results.each do |res|
+    $logger.log res[:evidence]
+  end
 end
 $logger.err "Canary not found" if engine.results.empty?
 $logger.bye

data/cross.gemspec CHANGED

@@ -1,5 +1,8 @@
 # -*- encoding: utf-8 -*-
-require File.expand_path('../lib/cross/version', __FILE__)
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cross/version'
 Gem::Specification.new do |gem|
   gem.authors       = ["Paolo Perego"]
@@ -23,5 +26,5 @@ Gem::Specification.new do |gem|
   gem.add_dependency "logger"
   gem.add_dependency "rainbow"
-  gem.add_dependency "codesake-commons"
+  gem.add_dependency "codesake-commons", ">= 0.89.0"
 end

data/lib/cross.rb CHANGED

@@ -1,3 +1,2 @@
 require 'cross/version'
 require 'cross/engine'
-require 'cross/url'

data/lib/cross/engine.rb CHANGED

@@ -1,7 +1,6 @@
 require 'mechanize'
 require 'logger'
 require 'singleton'
-require 'URI'
 require 'cross/xss'
@@ -28,11 +27,11 @@ module Cross
     # Starts the engine
     def start(options = {:exploit_url=>false, :debug=>false, :oneshot=>false, :sample_post=>"", :parameter_to_tamper=>"", :auth=>{:username=>nil, :password=>nil}, :target=>""})
       @agent = Mechanize.new {|a| a.log = Logger.new(create_log_filename(options[:target]))}
-      @agent.user_agent_alias = 'Mac Safari'
+      @agent.user_agent = "cross v#{Cross::VERSION}"
       @agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
       @options = options
       @target = options[:target]
-      @results = {}
+      @results = []
     end
@@ -67,7 +66,7 @@ module Cross
       if @options[:exploit_url]
         # You ask to exploit the url, so I won't check for form values
-        theurl= Cross::Url.new(@target)
+        theurl= Codesake::Core::Url.new(@target)
         attack_url(theurl, Cross::Attack::XSS.rand) if oneshot?
@@ -123,7 +122,7 @@ module Cross
       ! ( @options[:auth][:username].nil?  &&  @options[:auth][:password].nil? )
     end
-    def attack_url(url = Cross::Url.new, pattern)
+    def attack_url(url = Codesake::Core::Url.new, pattern)
       $logger.log "using attack vector: #{pattern}" if debug?
       url.params.each do |par|
@@ -178,7 +177,7 @@ module Cross
         scripts.each do |sc|
           if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
             $logger.log(page.body) if @debug
-            @results << {:page=>page.url, :method=>:post, :evidence=>sc.children.text}
+            @results << {:page=>page.uri.to_s, :method=>:post, :evidence=>sc.children.text}
             return true
           end
         end
@@ -188,7 +187,7 @@ module Cross
         inputs.each do |input|
           if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})")
             $logger.log(page.body) if @debug
-            @results << {:page=>page.url, :method=>:post, :evidence=> input['onmouseover']}
+            @results << {:page=>page.uri.to_s, :method=>:post, :evidence=> input['onmouseover']}
             return true
           end
         end

data/lib/cross/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Cross
-  VERSION = "0.71.0"
+  VERSION = "0.75.0"
 end

data/lib/cross/xss.rb CHANGED

@@ -6,6 +6,7 @@ module Cross
       CANARY = 666
       EVASIONS = [
+          "\"/><script>alert(#{Cross::Attack::XSS::CANARY});</script>",
           "a onmouseover=alert(#{Cross::Attack::XSS::CANARY})",
           "<script>alert(#{Cross::Attack::XSS::CANARY})</script>",
           "<script>alert(#{Cross::Attack::XSS::CANARY});</script>",
@@ -72,6 +73,9 @@ module Cross
         Cross::Attack::XSS::EVASIONS[SecureRandom.random_number(Cross::Attack::XSS::EVASIONS.size)]
       end
+      def self.count
+        Cross::Attack::XSS::EVASIONS.count
+      end
       def self.each
         Cross::Attack::XSS::EVASIONS.each do |pattern|

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cross
 version: !ruby/object:Gem::Version
-  version: 0.71.0
+  version: 0.75.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-17 00:00:00.000000000 Z
+date: 2013-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.89.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.89.0
 description: cross is a cross site scripting testing tool
 email:
 - thesp0nge@gmail.com
@@ -130,7 +130,6 @@ files:
 - cross.gemspec
 - lib/cross.rb
 - lib/cross/engine.rb
-- lib/cross/url.rb
 - lib/cross/version.rb
 - lib/cross/xss.rb
 - spec/cross_spec.rb

data/lib/cross/url.rb DELETED

@@ -1,74 +0,0 @@
-module Cross
-  class Url
-    attr_reader :url
-    attr_reader :base_url
-    attr_reader :params
-    attr_reader :original_params
-    def initialize(url)
-      @url = url
-      @params = []
-      @original_params = []
-      @base_url = url.split('?')[0]
-      if has_params?
-        p_array = url.split('?')[1].split('&')
-        p_array.each do |p|
-          pp = p.split('=')
-          param = {}
-          param[:name] = pp[0]
-          param[:value] = pp[1] unless pp[1].nil?
-          @params << param
-          @original_params  << param.dup
-        end
-        @original_params.freeze
-      end
-    end
-    def to_s
-      "#{@base_url}?#{params_to_url}"
-    end
-    def fuzz(name, value)
-      set(name, value)
-      "#{@base_url}?#{params_to_url}"
-    end
-    def get(name)
-      value = nil
-      @params.each do |p|
-        value = p[:value] if p[:name] == name
-      end
-      value
-    end
-    def set(name, value)
-      @params.each do |p|
-        p[:value] = value if p[:name] == name
-      end
-    end
-    def reset
-      @params = []
-      @original_params.each do |p|
-        @params << p.dup
-      end
-    end
-    def has_params?
-      ! @url.split('?')[1].nil?
-    end
-    def params_to_url
-      ret = ""
-      @params.each do |p|
-        ret += "#{p[:name]}=#{p[:value]}"
-        if !(p == @params.last)
-          ret +="&"
-        end
-      end
-      ret
-    end
-  end
-end