A tool for finding Cross Site Scripting vulnerabilities in web applications
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin
lib
spec
.document
.gitignore
.rspec
.ruby-gemset
.ruby-version
Gemfile
LICENSE
README.rdoc
Rakefile
cross.gemspec

README.rdoc

cross

cross is a simple and easy to use cross site scripting spotting tool. The idea is to use mechanize to submit attack patterns to forms and read the payload in the resulting page using nokogiri and xpath queries.

Having the result page full HTML understood my lead to have low false positives rate.

Version

current cross version is: 0.0.0

Wishlist

cross latest goal is automate the search for XSS in a web application, providing APIs for being called by other tools.

To accomplish this, I'd like to add in the very near future:

  • honoring sitemap.xml - given the web application URL, if the sitemap.xml has been found, cross will limit the scan in this link list (you'll be able to override this, I'll introduce it to limit the impact of crawling a website when URLs are dynamically generated).

  • save file in a SQL form - cross will be ORM agnostic, I'll provide a SQLite3 driver as default.

  • HTML5 & CSS3 reporting - even hackers want good looking web2.0 reports

Contributing to cross

  • Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet

  • Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it

  • Fork the project

  • Start a feature/bugfix branch

  • Commit and push until you are happy with your contribution

  • Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.

  • Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.

Copyright

Copyright © 2011 Paolo Perego. See LICENSE for further details.