(1.1.0) Releases 1.1.0 / Fixed bug, modify report format, etc..

Author: hahwul

.idea/workspace.xml

@@ -400,7 +400,7 @@ def run
     r.push makeQueryPattern('x', '"\'><details/open/ontoggle="alert`45`">', '<details/open/ontoggle="alert`45`">', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
     r.push makeQueryPattern('x', '"\'><audio src onloadstart=alert(45)>', '<audio src onloadstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
     r.push makeQueryPattern('x', '"\'><marquee onstart=alert(45)>', '<marquee onstart=alert(45)>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
-    r.push makeQueryPattern('x', '"\'><meter value=2 min=0 max=10 onmouseover=alert(45)>2 out of 10</meter>', '<meter value=2 min=0 max=10 onmouseover=alert(45)>2 out of 10</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
+    r.push makeQueryPattern('x', '"\'><meter onmouseover=alert(45)>0</meter>', '<meter onmouseover=alert(45)>0</meter>', 'h', "reflected "+"HTML5 XSS Code".red, CallbackStringMatch)
 
     onfocus_tags.each do |t|
       r.push makeQueryPattern('x', "\"'><#{t} autofocus onfocus=alert(45)>", "<#{t} autofocus onfocus=alert(45)>", 'h', "reflected "+"onfocus XSS Code".red, CallbackStringMatch)

XSpear-1.0.9.gem

@@ -29,18 +29,20 @@ def initialize(url,starttime, method)
     # desc
     # category
     # callback
+    @rtype = {"i"=>"INFO".blue,"v"=>"VULN".red,"l"=>"LOW".green,"m"=>"MIDUM".yellow,"h"=>"HIGH".light_red}
+    @rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
   end
 
   def add_issue_first(type, issue, param, payload, pattern, description)
-    rtype = {"i"=>"INFO".blue,"v"=>"VULN".red,"l"=>"LOW".green,"m"=>"MIDUM".yellow,"h"=>"HIGH".red}
-    rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
+    rtype = @rtype
+    rissue = @rissue
     @issue.insert(0,["-", rtype[type], rissue[issue], @method, param, pattern, description])
     @query.push payload
   end
 
   def add_issue(type, issue, param, payload, pattern, description)
-    rtype = {"i"=>"INFO".blue,"v"=>"VULN".red,"l"=>"LOW".green,"m"=>"MIDUM".yellow,"h"=>"HIGH".red}
-    rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
+    rtype = @rtype
+    rissue = @rissue
     @issue << [@issue.size, rtype[type], rissue[issue], @method, param, pattern, description]
     @query.push payload
   end
@@ -84,35 +86,46 @@ def to_cli
     puts table
     puts "< Available Objects >".yellow
     @filtered_objects.each do |key, value|
-      eh = []
-      tag = []
-      sc = []
-      uc = []
-      puts "[#{key}]".blue+" param"
-      value.each do |n|
-        if n.include? "=64"
-          # eh
-          eh.push n.chomp("=64")
-        elsif n.include? "xsp<"
-          # tag
-          n = n.sub("xsp<","")
-          tag.push n.chomp(">")
-        elsif n.include? ".xspear"
-          # uc
-          uc.push n.sub(".xspear","")
-        else
-          # sc
-          sc.push n.sub("XsPeaR","")
+      begin
+        eh = []
+        tag = []
+        sc = []
+        uc = []
+        puts "[#{key}]".blue+" param"
+        value.each do |n|
+          if n.include? "=64"
+            # eh
+            eh.push n.chomp("=64")
+          elsif n.include? "xsp<"
+            # tag
+            n = n.sub("xsp<","")
+            tag.push n.chomp(">")
+          elsif n.include? ".xspear"
+            # uc
+            uc.push n.sub(".xspear","")
+          else
+            # sc
+            sc.push n.sub("XsPeaR","")
+          end
         end
+        puts " + Available Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}".gsub(',',' ')
+        puts " + Available Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
+        puts " + Available HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
+        puts " + Available Useful Code: ".green+"#{uc.map(&:inspect).join(',')}"
+      rescue
+        puts "Not found"
       end
-      puts " + Available Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}".gsub(',',' ')
-      puts " + Available Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
-      puts " + Available HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
-      puts " + Available Useful Code: ".green+"#{uc.map(&:inspect).join(',')}"
     end
-    puts "< Raw Query >".yellow
+    if @filtered_objects.length == 0
+      puts "Not found"
+    end
+    puts "\n< Raw Query >".yellow
+    begin
     @query.each_with_index do |q, i|
       puts "[#{i}] #{@url.sub(URI.parse(@url).query,"")}"+q
     end
+    rescue
+      puts "Not found"
+    end
   end
 end

XSpear-1.1.0.gem

@@ -3,12 +3,12 @@ def banner;
  ( /(  )\\ )
  )\\())(()/(          (     )  (
 ((_)\\  /(_))`  )    ))\\ ( /(  )(
-__((_)(_))  /(/(   /((_))(_))(()\\
-\\ \\/ // __|((_)_\\ (_)) ((_)_  ((_)
+__((_)(_))  /(/(   /((_))(_))(()\\".red+"
+\\ \\/ // __|"+"((_)_\\ (_)) ((_)_  ((_)".red+"
  >  < \\__ \\| '_ \\)/ -_)/ _` || '_|
-/_/\\_\\|___/| .__/ \\___|\\__,_||_|    />
-           |_|                   \\ /<
-{\\\\\\\\\\\\\\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\\\\\\\\\\\\(0):::<======================-
-                                 / \\<
-                                    \\>       [ v#{XSpear::VERSION} ]"
+/_/\\_\\|___/| .__/ \\___|\\__,_||_|    "+"/>".red+"
+           |_|                   "+"\\ /<".red+"
+"+"{\\\\\\\\\\\\\\\\\\\\\\\\\\".red+"BYHAHWUL"+"\\\\\\\\\\\\\\\\\\\\\\(0):::<======================-".red+"
+                                 "+"/ \\<".red+"
+                                    "+"\\>".red+"       [ v#{XSpear::VERSION} ]"
 end

lib/XSpear.rb

@@ -1,3 +1,3 @@
 module XSpear
-  VERSION = "1.0.9"
+  VERSION = "1.1.0"
 end