# XSpear

XSpear is an XSS scanner distributed as a Ruby gem.

## Key features

- Pattern-matching based XSS scanning
- Detects `alert`, `confirm` and `prompt` events in a headless browser (with Selenium)
- Tests request/response for XSS protection bypass and reflected params
  + Reflected params
  + Filter tests for `event handler`, `HTML tag` and `Special Char`
- Tests Blind XSS (with XSS Hunter, ezXSS, HBXSS, etc.; any URL-based blind test)
- Dynamic/static analysis
  + Finds SQL error patterns
  + Analyzes security headers (`CSP`, `HSTS`, `X-frame-options`, `XSS-protection`, etc.)
  + Analyzes other headers (Server version, Content-Type, etc.)
- Scans from a raw request file (Burp Suite, ZAP request)
- Runs XSpear from Ruby code (as a gem library)
- Shows a `table base cli-report`, the `filtered rule` and the `testing raw query` (url)
- Tests only selected parameters
- Supports the output formats `cli` and `json`
  + cli: summary, filtered rule (params), raw query
- Supports verbose levels (quiet / normal / raw data)
- Supports custom callback code to test various attack vectors

## Installation

Install it yourself as:

```
$ gem install XSpear
```

Or install it yourself from a local file:

```
$ gem install XSpear-{version}.gem
```

Add this line to your application's Gemfile:

```ruby
gem 'XSpear'
```

And then execute:

```
$ bundle
```

### Dependency gems

`colorize` `selenium-webdriver` `terminal-table`
If you configured the gems to install automatically but XSpear behaves abnormally, install the dependencies with the following commands:

```
$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table
```

## Usage on cli

```
Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'

[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
    -p, --param=PARAM                [optional] Test paramters
    -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                      + with XSS Hunter, ezXSS, HBXSS, etc...
                                      + e.g : -b https://hahwul.xss.ht
    -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FILENAME            [optional] Save JSON Result
    -v, --verbose=1~3                [optional] Show log depth
                                      + Default value: 2
                                      + v=1 : quite mode
                                      + v=2 : show scanning log
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version
        --update                     Update with online
```

### Result types

- (I)NFO: Information gathered (e.g. SQL error, filtered rule, reflected params, etc.)
- (V)UNL: Vulnerable XSS, alert/prompt/confirm confirmed with Selenium
- (L)OW: Low level issue
- (M)EDIUM: Medium level issue
- (H)IGH: High level issue

### Case by Case

**Scanning XSS**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
```

**json output**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
```

**detail log**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -v 3
```

**set thread**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
```

**testing at selected parameters**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
```

**testing blind xss**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht"
```

etc...

### Sample log

**Scanning XSS**

```
xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=z"

[ XSpear ASCII banner, BYHAHWUL ]
[ v1.0.7 ]
[*] creating a test query.
[*] test query generation is complete. [149 query]
[*] starting test and analysis. [10 threads]
[I] [00:37:34] reflected 'XsPeaR
[-] [00:37:34] 'cat' Not reflected |XsPeaR
[I] [00:37:34] [param: cat][Found SQL Error Pattern]
[-] [00:37:34] 'STATIC' not reflected
[I] [00:37:34] reflected "XsPeaR
[-] [00:37:34] 'cat' Not reflected ;XsPeaR
[I] [00:37:34] reflected `XsPeaR
...snip...
[H] [00:37:44] reflected ">
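As an added triage helper (not XSpear's own code), the following Ruby script parses cli log lines in the format shown in the sample log into a per-severity summary, using the (I)/(V)/(L)/(M)/(H) result types defined above. The embedded log excerpt is constructed, and `parse_log_line` / `summarize_log` are names chosen here, not XSpear gem APIs.

```ruby
# Added example (not part of XSpear): parse XSpear cli log lines into a
# per-severity summary and an overall verdict for triage. The log format and
# the (I)/(V)/(L)/(M)/(H) result types come from this README; the sample
# lines embedded below are constructed.

# Severity order used to pick the worst finding in a run.
SEVERITY_RANK = { 'I' => 0, 'L' => 1, 'M' => 2, 'H' => 3, 'V' => 4 }.freeze
SEVERITY_NAME = { 'I' => 'INFO', 'L' => 'LOW', 'M' => 'MEDIUM',
                  'H' => 'HIGH', 'V' => 'VULN' }.freeze
# Matches "[H] [00:37:44] reflected ..." and captures type, time and message.
# "[-]" (not reflected) and "[*]" (progress) lines are deliberately skipped.
LOG_LINE = /\A\[(?<type>[IVLMH])\]\s+\[(?<time>\d{2}:\d{2}:\d{2})\]\s+(?<msg>.*)\z/
Finding = Struct.new(:type, :time, :message, :param)

# Parse one log line; returns a Finding, or nil for non-finding lines.
def parse_log_line(line)
  m = LOG_LINE.match(line.strip)
  return nil unless m
  # Some INFO lines name the parameter, e.g. "[param: cat][Found SQL Error Pattern]".
  param = m[:msg][/\A\[param:\s*([^\]]+)\]/, 1]
  Finding.new(m[:type], m[:time], m[:msg], param)
end

# Summarise a whole log: counts per result type, the worst type seen,
# and any parameters explicitly named in findings.
def summarize_log(text)
  findings = text.each_line.filter_map { |l| parse_log_line(l) }
  counts = Hash.new(0)
  findings.each { |f| counts[SEVERITY_NAME[f.type]] += 1 }
  worst = findings.map(&:type).max_by { |t| SEVERITY_RANK[t] }
  params = findings.filter_map(&:param).uniq
  { findings: findings.size, counts: counts,
    worst: worst && SEVERITY_NAME[worst], params: params }
end

# Constructed sample excerpt in the same format as the README's sample run.
SAMPLE_LOG = <<~LOG
  [*] starting test and analysis. [10 threads]
  [I] [00:37:34] reflected 'XsPeaR
  [-] [00:37:34] 'cat' Not reflected |XsPeaR
  [I] [00:37:34] [param: cat][Found SQL Error Pattern]
  [M] [00:37:40] reflected <XsPeaR
  [H] [00:37:44] reflected ">
LOG

if __FILE__ == $PROGRAM_NAME
  puts summarize_log(SAMPLE_LOG).inspect
end
```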