# XSpear

XSpear is an XSS scanner distributed as a Ruby gem.

## Key features

- Pattern-matching based XSS scanning
- Detect `alert`, `confirm` and `prompt` events in a headless browser (with Selenium)
- Testing request/response for XSS protection bypass and reflected (or all) params
  + Reflected params
  + All params (for blind XSS, anything)
  + Filtered test: `event handler`, `HTML tag`, `Special Char`, `Useful code`
- Testing blind XSS (with XSS Hunter, ezXSS, HBXSS, etc.; any URL-based blind test)
- Dynamic/static analysis
  + Find SQL error patterns
  + Analyse security headers (`CSP`, `HSTS`, `X-Frame-Options`, `X-XSS-Protection`, etc.)
  + Analyse other headers (Server version, Content-Type, etc.)
  + XSS testing of the URI path
- Scanning from a raw file (Burp Suite, ZAP request)
- Running XSpear from Ruby code (as a gem library)
- Show a `table-based CLI report`, the `filtered rules` and the `tested raw query` (URL)
- Testing at selected parameters
- Support output formats `cli` and `json`
  + cli: summary, filtered rules (params), raw query
- Support verbose levels (0~3)
  + 0: quiet mode (only result)
  + 1: show scanning status (default)
  + 2: show scanning logs
  + 3: show detailed logs (req/res)
- Support custom callback code to test various attack vectors
- Support config file

## Installation

Install it yourself as:

```
$ gem install XSpear
```

Or install it yourself from a local file:

```
$ gem install XSpear-{version}.gem
```

Add this line to your application's Gemfile:

```ruby
gem 'XSpear'
```

And then execute:

```
$ bundle
```

### Dependency gems

`colorize` `selenium-webdriver` `terminal-table`
If you configured it to install automatically from the gem library but it behaves abnormally, install the dependencies with the following commands:

```
$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table
$ gem install progress_bar
```

## Usage on CLI

```
Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
    -a, --test-all-params            [optional] test to all params(include not reflected)
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
    -p, --param=PARAM                [optional] Test paramters
    -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                      + with XSS Hunter, ezXSS, HBXSS, etc...
                                      + e.g : -b https://hahwul.xss.ht
    -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FORMAT              [optional] Output format (cli , json)
    -c, --config=FILENAME            [optional] Using config.json
    -v, --verbose=0~3                [optional] Show log depth
                                      + v=0 : quite mode(only result)
                                      + v=1 : show scanning status(default)
                                      + v=2 : show scanning logs
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version
        --update                     Show how to update
```

### Result types

- (I)NFO: Get information (e.g. SQL error, filtered rule, reflected params, etc.)
- (V)ULN: Vulnerable XSS, checked alert/prompt/confirm with Selenium
- (L)OW: Low level issue
- (M)EDIUM: Medium level issue
- (H)IGH: High level issue

### Verbose Mode

**[0] quiet mode (show only the result)**

```
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
you see report
```

**[1] show progress bar (default)**

```
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[#######################################] [249/249] [100.00%] [01:05] [00:00] [ 3.83/s]
...
you see report
```

**[2] show scanning logs**

```
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[-] [22:42:41] [200/OK] 'cat' not reflected
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
[-] [22:42:54] [200/OK] 'cat' not reflected
[-] [22:42:54] [200/OK] 'cat' not reflected
[H] [22:42:54] [200/OK] reflected [param: cat][reflected XSS Code]
[V] [22:42:59] [200/OK] found alert/prompt/confirm (45) in selenium!! '">[param: cat][triggered ]
...
you see report
```

**[3] show scanning detail logs**

```
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 3
[*] analysis request..
[-] [22:56:21] [200/OK] http://testphp.vulnweb.com/listproducts.php?cat=123 in url
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:53:23 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[-] [22:56:21] [200/OK] 'STATIC' not reflected
[-] [22:56:21] [200/OK] cat=123rEfe6 in url
...
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
...
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:54:36 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[H] [22:57:33] [200/OK] reflected [param: cat][reflected onfocus XSS Code]
...
you see report
```

### Case by Case

**Scanning XSS**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
```

**Only JSON output**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 0
```

**Set scanning threads**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
```

**Testing at selected parameters**

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
```

**Testing at all parameters**
(This option tests every parameter, whether or not it is reflected.)

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -a
```

**Testing blind XSS (all params)**

(Should be used as much as possible, because blind XSS is everywhere.)

```
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht" -a
# Set your blind xss host. <-b options>
```

**For pipelines**

```
$ xspear -u {target} -b "your-blind-xss-host" -a -v 0 -o json
# -u : target
# -b : testing blind xss
# -a : test all params (also tests parameters that are not reflected)
# -v : verbose level 0, shows only the result (no logs)
# -o : output option, json!
```

Result JSON data:

```
{
  "starttime": "2019-12-25 00:02:58 +0900",
  "endtime": "2019-12-25 00:03:31 +0900",
  "issue_count": 25,
  "issue_list": [
    {
      "id": 0,
      "type": "INFO",
      "issue": "DYNAMIC ANALYSIS",
      "method": "GET",
      "param": "cat",
      "payload": "XsPeaR\"",
      "description": "Found SQL Error Pattern"
    },
    {
      "id": 1,
      "type": "INFO",
      "issue": "STATIC ANALYSIS",
      "method": "GET",
      "param": "-",
      "payload": "",
      "description": "Found Server: nginx/1.4.1"
    },
    {
      "id": 2,
      "type": "INFO",
      "issue": "STATIC ANALYSIS",
      "method": "GET",
      "param": "-",
      "payload": "",
      "description": "Not set HSTS"
    },
    {
      "id": 3,
      "type": "INFO",
      "issue": "STATIC ANALYSIS",
      "method": "GET",
      "param": "-",
      "payload": "",
      "description": "Content-Type: text/html"
    },
    {
      "id": 4,
      "type": "LOW",
      "issue": "STATIC ANALYSIS",
      "method": "GET",
      "param": "-",
      "payload": "",
      "description": "Not Set X-Frame-Options"
    },
    {
      "id": 5,
      "type": "MIDUM",
      "issue": "STATIC ANALYSIS",
      "method": "GET",
      "param": "-",
      "payload": "",
      "description": "Not Set CSP"
    },
    {
      "id": 6,
      "type": "INFO",
      "issue": "REFLECTED",
      "method": "GET",
      "param": "cat",
      "payload": "rEfe6",
      "description": "reflected parameter"
    },
    {
      "id": 7,
      "type": "INFO",
      "issue": "FILERD RULE",
      "method": "GET",
      "param": "cat",
      "payload": "onhwul=64",
      "description": "not filtered event handler on{any} pattern"
    }
    ....
    ,
    {
      "id": 17,
      "type": "HIGH",
      "issue": "XSS",
      "method": "GET",
      "param": "cat",
      "payload": "
```
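Two of the features above, the static security-header analysis and the JSON output for pipelines, as an added Ruby example that is not XSpear's own code: `analyze_headers` turns a response-header hash in the form printed at `-v 3` into findings shaped like the report's `issue_list` entries, and `triage` reads a report produced with `-o json -v 0` and decides whether a CI job should fail. The severity ranking, the header-to-level mapping (copied from the sample report: HSTS is INFO, X-Frame-Options LOW, CSP MEDIUM), the `VULN` label for the Selenium-confirmed result, the extra X-Powered-By finding and both sample inputs are assumptions or constructed for this example.

```ruby
#!/usr/bin/env ruby
# Added example (not XSpear's own code): a static response-header check that emits
# findings in the shape of XSpear's "issue_list" entries, plus a pipeline gate that
# reads an XSpear JSON report (-o json -v 0) and fails the build on severe issues.
require 'json'

# Severity ranking. INFO/LOW/MEDIUM/HIGH are the README's result types; "VULN" for the
# (V) Selenium-confirmed result is an assumption about the label used in the JSON.
SEVERITY = { "INFO" => 0, "LOW" => 1, "MEDIUM" => 2, "HIGH" => 3, "VULN" => 4 }.freeze

# The sample report in the README spells the medium level "MIDUM"; accept both.
def normalize_type(type)
  type == "MIDUM" ? "MEDIUM" : type
end

# Static header analysis on a headers hash in the hash-of-arrays form XSpear prints
# at -v 3. Header-to-level mapping follows the sample report (assumption beyond that:
# the X-Powered-By line, which the report above does not show).
def analyze_headers(headers, method: "GET")
  h = headers.transform_keys(&:downcase)
  issues = []
  add = lambda do |type, description|
    issues << { "id" => issues.size, "type" => type, "issue" => "STATIC ANALYSIS",
                "method" => method, "param" => "-", "payload" => "",
                "description" => description }
  end
  add.call("INFO", "Found Server: #{h['server'].first}") if h["server"]
  add.call("INFO", "Found X-Powered-By: #{h['x-powered-by'].first}") if h["x-powered-by"]
  add.call("INFO", "Content-Type: #{h['content-type'].first}") if h["content-type"]
  add.call("INFO", "Not set HSTS") unless h["strict-transport-security"]
  add.call("LOW", "Not Set X-Frame-Options") unless h["x-frame-options"]
  add.call("MEDIUM", "Not Set CSP") unless h["content-security-policy"]
  issues
end

# Pipeline gate: parse a report and decide whether it should fail the build.
# Returns counts per level, the blocking issues and the verdict.
def triage(report_json, fail_at: "HIGH")
  report = JSON.parse(report_json)
  threshold = SEVERITY.fetch(fail_at)
  counts = Hash.new(0)
  blocking = []
  report.fetch("issue_list").each do |issue|
    type = normalize_type(issue["type"])
    counts[type] += 1
    blocking << issue if SEVERITY.fetch(type, 0) >= threshold
  end
  { "counts" => counts, "blocking" => blocking, "fail" => !blocking.empty? }
end

# Constructed sample inputs, modelled on the -v 3 output and the JSON report above.
SAMPLE_HEADERS = {
  "server" => ["nginx/1.4.1"],
  "date" => ["Sun, 29 Dec 2019 13:53:23 GMT"],
  "content-type" => ["text/html"],
  "x-powered-by" => ["PHP/5.3.10-1~lucid+2uwsgi2"]
}.freeze

SAMPLE_REPORT = <<~JSON
  {
    "starttime": "2019-12-25 00:02:58 +0900",
    "endtime": "2019-12-25 00:03:31 +0900",
    "issue_count": 4,
    "issue_list": [
      {"id": 0, "type": "INFO",  "issue": "STATIC ANALYSIS", "method": "GET", "param": "-",   "payload": "", "description": "Not set HSTS"},
      {"id": 1, "type": "LOW",   "issue": "STATIC ANALYSIS", "method": "GET", "param": "-",   "payload": "", "description": "Not Set X-Frame-Options"},
      {"id": 2, "type": "MIDUM", "issue": "STATIC ANALYSIS", "method": "GET", "param": "-",   "payload": "", "description": "Not Set CSP"},
      {"id": 3, "type": "HIGH",  "issue": "XSS", "method": "GET", "param": "cat", "payload": "<redacted>", "description": "reflected XSS Code"}
    ]
  }
JSON

if __FILE__ == $0
  if ARGV[0]
    # With a report path: gate the pipeline, exit 1 when a blocking issue exists.
    result = triage(File.read(ARGV[0]))
    result["counts"].each { |type, n| puts "#{type.ljust(6)} #{n}" }
    result["blocking"].each { |i| puts "BLOCK #{i['type']} #{i['issue']} param=#{i['param']}: #{i['description']}" }
    exit(result["fail"] ? 1 : 0)
  else
    # Without one: demonstrate both checks on the constructed samples.
    analyze_headers(SAMPLE_HEADERS).each { |i| puts "[#{i['type']}] #{i['description']}" }
    puts "fail build: #{triage(SAMPLE_REPORT)['fail']}"
  end
end
```

Run it as `ruby gate.rb report.json` after the pipeline command above; the exit code is 1 whenever an issue at or above `fail_at` (HIGH by default) is present, so the job stops on a reflected XSS finding but not on missing headers alone. Pass `fail_at: "MEDIUM"` to also block on a missing CSP.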