class XspearRepoter

Public Class Methods

new(url,starttime, method) click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 17
def initialize(url,starttime, method)
  @url = url
  @starttime = starttime
  @endtime = nil
  @issue = []
  @query = []
  @filtered_objects = {}
  @method = method
  # type : i,v,l,m,h
  # param : paramter
  # type :
  # query :
  # pattern
  # desc
  # category
  # callback
  @rtype = {"i"=>"INFO".blue,"v"=>"VULN".red,"l"=>"LOW".green,"m"=>"MEDIUM".yellow,"h"=>"HIGH".light_red}
  @rissue = {"f"=>"FILERD RULE","r"=>"REFLECTED","x"=>"XSS","s"=>"STATIC ANALYSIS","d"=>"DYNAMIC ANALYSIS"}
end

Public Instance Methods

add_issue(type, issue, param, payload, pattern, description) click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 44
def add_issue(type, issue, param, payload, pattern, description)
  rtype = @rtype
  rissue = @rissue
  @issue << [@issue.size, rtype[type], rissue[issue], @method, param, pattern, description]
  @query.push payload
end
add_issue_first(type, issue, param, payload, pattern, description) click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 37
def add_issue_first(type, issue, param, payload, pattern, description)
  rtype = @rtype
  rissue = @rissue
  @issue.insert(0,["-", rtype[type], rissue[issue], @method, param, pattern, description])
  @query.push payload
end
filtered_objects() click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 51
def filtered_objects
  @filtered_objects
end
issues() click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 55
def issues
  @issue
end
set_endtime() click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 62
def set_endtime
  @endtime = Time.now
end
set_filtered(f) click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 59
def set_filtered f
  @filtered_objects = f
end
to_cli() click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 434
def to_cli
  rurl = ""
  if @url.length > 66
    rurl = @url[0..66]+"... (snip)"
  else
    rurl = @url
  end
  table = Terminal::Table.new
  table.title = "[ XSpear report ]".red+"\n#{rurl}\n#{@starttime} ~ #{@endtime} Found #{@issue.length} issues."
  table.headings = ['NO','TYPE','ISSUE', 'METHOD', 'PARAM', 'PAYLOAD','DESCRIPTION']
  table.rows = @issue
  #table.style = {:width => 80}
  puts table
  puts "< Available Objects >".yellow
  @filtered_objects.each do |key, value|
    begin
      eh = []
      tag = []
      sc = []
      uc = []
      puts "[#{key}]".blue+" param"
      value.each do |n|
        if n.include? "=64"
          # eh
          eh.push n.chomp("=64")
        elsif n.include? "xsp<"
          # tag
          n = n.sub("xsp<","")
          tag.push n.chomp(">")
        elsif n.include? ".xspear"
          # uc
          uc.push n.sub(".xspear","")
        else
          # sc
          sc.push n.sub("XsPeaR","")
        end
      end
      puts " + Available Special Char: ".green+"#{sc.map(&:inspect).join(',').gsub('"',"")}".gsub(',',' ')
      puts " + Available Event Handler: ".green+"#{eh.map(&:inspect).join(',')}"
      puts " + Available HTML Tag: ".green+"#{tag.map(&:inspect).join(',')}"
      puts " + Available Useful Code: ".green+"#{uc.map(&:inspect).join(',')}"
    rescue
      puts "Not found"
    end
  end
  if @filtered_objects.length == 0
    puts "Not found"
  end
  puts "\n< Raw Query >".yellow
  begin
  @query.each_with_index do |q, i|
    puts "[#{i}] #{@url.sub(URI.parse(@url).query,"")}"+q
  end
  rescue
    puts "Not found"
  end
end
to_html() click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 66
def to_html
  rurl = ""
  if @url.length > 66
    rurl = @url[0..66]+"... (snip)"
  else
    rurl = @url
  end
  t_info= "Testing to <a href='#{CGI.escapeHTML @url}'>#{CGI.escapeHTML rurl}</a><br>Found #{@issue.length} issues and running on #{@starttime} ~ #{@endtime} "
  t_issue = ""
  t_available = ""
  t_rawquery = ""
  @issue.each do |i|
    i[1] = i[1].uncolorize
    i[6] = i[6].uncolorize
    # NO TYPE ISSUE METHOD PARAM PAYLOAD DESCRIPTION
    t_issue = t_issue + "<tr class='#{i[1]} ISSUE'><td>#{i[0]}</td><td>#{i[1]}</td><td>#{CGI.escapeHTML i[2]}</td><td>#{i[3]}</td><td>#{CGI.escapeHTML i[4]}</td><td>#{CGI.escapeHTML i[5]}</td><td>#{CGI.escapeHTML i[6]}</td></tr>" #(i[0],i[1],i[2],i[3],i[4],i[5],i[6])
  end
  @filtered_objects.each do |key, value|
    begin
      eh = []
      tag = []
      sc = []
      uc = []
      t_available = t_available + "<code>#{key}</code> param<br>"
      value.each do |n|
        if n.include? "=64"
          # eh
          eh.push n.chomp("=64")
        elsif n.include? "xsp<"
          # tag
          n = n.sub("xsp<","")
          tag.push n.chomp(">")
        elsif n.include? ".xspear"
          # uc
          uc.push n.sub(".xspear","")
        else
          # sc
          sc.push n.sub("XsPeaR","")
        end
      end
      as = ""#sc.map(&:inspect).join(',')
      ae = ""#eh.map(&:inspect).join(',')
      at = ""#tag.map(&:inspect).join(',')
      ac = ""#uc.map(&:inspect).join(',')

      sc.each do |z|
        as = as + "<code>#{CGI.escapeHTML z}</code> "
      end
      eh.each do |z|
        ae = ae + "<code>#{CGI.escapeHTML z}</code> "
      end
      tag.each do |z|
        at = at + "<code>#{CGI.escapeHTML z}</code> "
      end
      uc.each do |z|
        ac = ac + "<code>#{CGI.escapeHTML z}</code> "
      end

      t_available = t_available + """
      <table>
          <tr>
              <td width='50%'>
                  <table>
                      <tr>
                          <td>Category</td>
                          <td>Data</td>
                      </tr>
                      <tr><td style='width:150px;'>HTML Tag</td><td>#{at}</td></tr>
                      <tr><td style='width:150px;'>Useful Code</td><td>#{ac}</td></tr>
                      <tr><td style='width:150px;'>Special Char</td><td>#{as}</td></tr>

                  </table>
              </td>
              <td><table>
                  <tr>
                      <td>Category</td>
                      <td>Data</td>
                      <tr><td style='width:150px;'>Event Handler</td><td>#{ae}</td></tr>
                  </tr>

              </table>
              </td>
          </tr>
      </table>
      """
    rescue
    end
  end
  if @filtered_objects.length == 0
  end
  begin
    @query.each_with_index do |q, i|
      html_q = "#{@url.sub(URI.parse(@url).query,"")}"+q
      t_rawquery = t_rawquery + "<li><a href='#{CGI.escapeHTML html_q}'>[#{i}] #{CGI.escapeHTML html_q}</a></li>"
    end
  rescue
  end
  report = """
    <style>
        @import url(https://fonts.googleapis.com/css?family=Lato:100,300,400,700);
        @import url(https://maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css);

        html {
            height: 100%;
            font-family: 'Lato', sans-serif;
            -webkit-user-select: none;
            color:rgba(255, 255, 255, 0.4);
        }
        body {
            height: 100%;
            margin: 0;
            background: #252C33;
        }
        * {
            box-sizing: border-box;
            word-break: keep-all;
        }

        ::-webkit-scrollbar {
            min-width: 12px;
            width: 12px;
            max-width: 12px;
            min-height: 12px;
            height: 12px;
            max-height: 12px;
            background-color: #252C33;
        }
        ::-webkit-scrollbar-thumb {
            background: rgba(255,255,255,0.1);
            border: solid 3px #252C33;
            border-radius: 100px;
        }
        ::-webkit-scrollbar-thumb:hover {
            background: rgba(255,255,255,0.2);
        }
        ::-webkit-scrollbar-thumb:active {
            background: rgba(255,255,255,0.2);
        }
        ::-webkit-scrollbar-button {
            display: none;
            height: 0px;
        }

        /* CONTAINER */
        #container {
            display: table;
            width: 100%;
            background: #252C33;
            margin: 0px auto;
            border-radius: 0px;
        }

        /* Side Bar */
        #sideMenu {
            width: 240px;
            height: 100%;
            padding: 30px;
            border-right: 1px solid rgba(0,0,0,.1);
            background: #1b232a;
            display: table-cell;
            vertical-align: top;
            color: #fff;
        }
        #sideMenuFixed{
            position: fixed;
            top: 0px;
            left: 0px;
            width: 240px;
            height: 100%;
            padding: 30px;
            border-right: 1px solid rgba(0,0,0,.1);
            background: #1b232a;
            z-index: 9;
        }
        #sidecontent{
            position: fixed;
            width: 200px;
            z-index: 10;
        }
        #sidecontent h1:first-child{
            color: maroon;
            text-shadow: 5px 5px 0px rgba(0,0,0,.2);
            font-weight: 700;
            font-size: 27px;
            margin-left: -8px;
        }
        .menu {
            list-style: none;
            margin:  24px 0;
            padding: 0;
            width: 100%;
        }
        .menu li {
            display: block;
            height: 30px;
            width: 100%;
            line-height: 30px;
            font-size: 14px;
            font-weight: 300;
            color: rgba(255, 255, 255, .7);
            position: relative;
            cursor: pointer;
        }
        .menu li:hover {
            color: #FFF;
        }
        .menu li:first-child {
            height: 35px;
            line-height: 35px;
            font-size: 16px;
            font-weight: 700;
            color: #DDD;
            background: rgba(0,0,0,.08);
            margin-left: -18px;
            padding: 0px 10px;
            border-radius: 8px;
            cursor: default;
        }
        .addCategory {
            font-size: 13px;
            font-weight: 200;
            color: rgba(255, 255, 255, .2);
        }
        .addCategory:hover {
            color: #fff;
        }

        /* Content */
        #content {
            width: calc(100% - 240px);
            height: 100%;
            padding: 25px;
            display: table-cell;
        }

        a{
          color:rgba(255, 255, 255, .8);
        }

        /* Table */
        table {
            width: 100%;
            border-collapse: collapse;
        }
        th {
            text-align: left;
            color: #fff;
            font-weight: 400;
            font-size: 13px;
            text-transform: uppercase;
            border-bottom: 1px solid rgba(255, 255, 255, 0.1);
            padding: 0 10px;
            padding-bottom: 14px;
        }
        tr:not(:first-child):hover {
            background: rgba(255, 255, 255, 0.03);
        }
        td {
            height: 40px;
            line-height: 40px;
            font-weight: 300;
            color: white;
            padding: 0 10px;
            vertical-align: top;
        }
        /* Headers */
        h1 {
            font-size: 13px;
            font-weight: 200;
            letter-spacing: 1px;
            text-transform: uppercase;
            margin: 0;
        }
        h2 {
            float: left;
            letter-spacing: 1px;
            margin: 0;
            color: white;
        }
        h3 {
            float: left;
            color: #fff;
            font-size: 32px;
            font-weight: 300;
            margin: 0;
            margin-top: 8%;
            margin-left: 20px;
            margin-bottom: 6px;
        }
        .LOW {
          background-color: darkgoldenrod;
        }
        .MEDIUM {
          background-color: sienna;
        }
        .HIGH {
          background-color: firebrick;
        }
        .VULN {
          background-color: maroon;
        }
        .ISSUE{
          border: 1px solid white;
        }
        code {
            background: black;
            border: 1px solid;
            padding: 3px;
            border-radius: 5px;
            color: white;
        }
    </style>
    <div id='container'>
        <div id='sideMenu'>
            <div id='sideMenuFixed'></div>
            <div id='sidecontent'>
                <h1>XSPEAR</h1> v#{XSpear::VERSION}

                <ul class='menu'>
                    <li><a href='#summary'>Report</a></li>
                    <li><a href='#issues'>Issues</a></li>
                    <li><a href='#available'>Available Objects</a></li>
                    <li><a href='#raw_query'>Raw Query</a></li>
                </ul>
                <ul class='menu'>
                    <li><a href='https://github.com/hahwul/XSpear'>About XSpear</a></li>
                    <li><a href='https://github.com/hahwul/XSpear/issues/new'>Submit Bugs</a></li>
                </ul>
            </div>
        </div>
        <div id='content'>
            <h2 id=summary>Summary</h2><br><br>
            #{t_info}
            <br><br><h2 id=issues>Issues</h2><br>
            <table>
                <tr>
                    <td>No</td><td>Type</td><td>Issue</td><td>Method</td><td>Parameter</td><td>Payload</td><td>Description</td>
                </tr>
                #{t_issue}
            </table>
            <br><br><h2 id=available>Available Objects</h2><br><br>
            #{t_available}
            <br><br><h2 id=raw_query>Raw Query</h2><br><br>
            #{t_rawquery}
        </div>
    </div>
  """
  return report
end
to_json() click to toggle source
# File lib/XSpear/XSpearRepoter.rb, line 416
def to_json
  buffer = []
  @issue.each do |i|
    i[1] = i[1].uncolorize
    i[6] = i[6].uncolorize
    # NO TYPE ISSUE METHOD PARAM PAYLOAD DESCRIPTION
    tmp = IssueStruct.new(i[0],i[1],i[2],i[3],i[4],i[5],i[6])
    buffer.push(tmp)
  end

  hash = {}
  hash["starttime"]=@starttime
  hash["endtime"]=@endtime
  hash["issue_count"]=@issue.length
  hash["issue_list"]=buffer
  hash.to_json
end