XSpear v1.3

Kang Asu

XSpear v1.3 - Powerfull XSS Scanning And Parameter Analysis Tool

XSpear is XSS Scanner on ruby gems

Key features

Pattern matching based XSS scanning
Detect alert confirm prompt event on headless browser (with Selenium)
Testing request/response for XSS protection bypass and reflected(or all) params
- Reflected Params
- All params(for blind xss, anytings)
- Filtered test event handler HTML tag Special Char Useful code

Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...)
Dynamic/Static Analysis
- Find SQL Error pattern
- Analysis Security headers(CSP HSTS X-frame-options, XSS-protection etc.. )
- Analysis Other headers..(Server version, Content-Type, etc...)
- XSS Testing to URI Path
Scanning from Raw file(Burp suite, ZAP Request)
XSpear running on ruby code(with Gem library)
Show table base cli-report and filtered rule, testing raw query(url)
Testing at selected parameters
Support output format cli json
- cli: summary, filtered rule(params), Raw Query
Support Verbose level (0~3)
- 0: quite mode(only result)
- 1: show scanning status(default)
- 2: show scanning logs
- 3: show detail log(req/res)

Support custom callback code to any test various attack vectors
Support Config file

Installation
Install it yourself as:

$ gem install XSpear

Or install it yourself as (local file):

$ gem install XSpear-{version}.gem

Add this line to your application's Gemfile:

gem 'XSpear'

And then execute:

$ bundle

Dependency gems
colorize selenium-webdriver terminal-table progress_bar
If you configured it to install automatically in the Gem library, but it behaves abnormally, install it with the following command.

$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table
$ gem install progress_bar

Usage on cli

Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a 
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2

[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
    -a, --test-all-params            [optional] test to all params(include not reflected)
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
    -p, --param=PARAM                [optional] Test paramters
    -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                      + with XSS Hunter, ezXSS, HBXSS, etc...
                                      + e.g : -b https://hahwul.xss.ht
       -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FORMAT              [optional] Output format (cli , json)
    -c, --config=FILENAME            [optional] Using config.json
    -v, --verbose=0~3                [optional] Show log depth
                                      + v=0 : quite mode(only result)
                                      + v=1 : show scanning status(default)
                                      + v=2 : show scanning logs
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version
        --update                     Show how to update

Result types

(I)NFO: Get information ( e.g sql error , filterd rule, reflected params, etc..)
(V)UNL: Vulnerable XSS, Checked alert/prompt/confirm with Selenium
(L)OW: Low level issue
(M)EDIUM: medium level issue
(H)IGH: high level issue

Verbose Mode
[0] quite mode(show only result)

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
you see report

[1] show progress bar (default)

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]

[#######################################] [249/249] [100.00%] [01:05] [00:00] [  3.83/s]
...
you see report

[2] show scanning logs

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[-] [22:42:41] [200/OK] 'cat' not reflected 
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
[-] [22:42:54] [200/OK] 'cat' not reflected 
[-] [22:42:54] [200/OK] 'cat' not reflected 
[H] [22:42:54] [200/OK] reflected [param: cat][reflected XSS Code]
[V] [22:42:59] [200/OK] found al   ert/prompt/confirm (45) in selenium!! '">
...
you see report

[3] show scanning detail logs

$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 3
[*] analysis request..
[-] [22:56:21] [200/OK] http://testphp.vulnweb.com/listproducts.php?cat=123 in url
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:53:23 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[-] [22:56:21] [200/OK] 'STATIC' not reflected
[-] [22:56:21] [200/OK] cat=123rEfe6 in url
...
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 que   ry]
[*] starting XSS Scanning. [10 threads]
...
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:54:36 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[H] [22:57:33] [200/OK] reflected [param: cat][reflected onfocus XSS Code]
...
you see report

Case by Case
Scanning XSS

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"

Only JSON output

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 0

Set scanning thread

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30

Testing at selected parameters

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test

Testing at all parameters
(This option is tested with or without reflection.)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -a

Testing blind xss(all params)
(Should be used as much as possible because Blind XSS is everywhere)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht" -a

# Set your blind xss host. <-b options>

for Pipeline

$ xspear -u {target} -b "your-blind-xss-host" -a -v 0 -o json

# -u : target 
# -b : testing blind xss
# -a : test all params(test to not reflected param)
# -v : verbose, not showing logs at value 1.
# -o : output optios, json!

result json data

{
    "starttime": "2019-12-25 00:02:58 +0900",
    "endtime": "2019-12-25 00:03:31 +0900",
    "issue_count": 25,
    "issue_list": [{
        "id": 0,
        "type": "INFO",
        "issue": "DYNAMIC ANALYSIS",
        "method": "GET",
        "param": "cat",
        "payload": "XsPeaR\"",
        "description": "Found SQL Error Pattern"
    }, {
        "id": 1,
        "type": "INFO",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "",
        "description": "Found Server: nginx/1.4.1"
    }, {
        "id": 2,
        "type": "INFO",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "",
        "description": "Not set HSTS"
    }, {
        "id": 3,
        "type": "INFO",
        "issue": "STATIC    ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "",
        "description": "Content-Type: text/html"
    }, {
        "id": 4,
        "type": "LOW",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "",
        "description": "Not Set X-Frame-Options"
    }, {
        "id": 5,
        "type": "MIDUM",
        "issue": "STATIC ANALYSIS",
        "method": "GET",
        "param": "-",
        "payload": "",
        "description": "Not Set CSP"
    }, {
        "id": 6,
        "type": "INFO",
        "issue": "REFLECTED",
        "method": "GET",
        "param": "cat",
        "payload": "rEfe6",
        "description": "reflected parameter"
    }, {
        "id": 7,
        "type": "INFO",
        "issue": "FILER   D RULE",
        "method": "GET",
        "param": "cat",
        "payload": "onhwul=64",
        "description": "not filtered event handler on{any} pattern"
    }
....
, {
        "id": 17,
        "type": "HIGH",
        "issue": "XSS",
        "method": "GET",
        "param": "cat",
        "payload": "

Nexus

XSpear v1.3