diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
deleted file mode 100644
index 299c749..0000000
--- a/.github/workflows/semgrep.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-on:
- workflow_dispatch: {}
- pull_request: {}
- push:
- branches:
- - main
- - master
- paths:
- - .github/workflows/semgrep.yml
- schedule:
- # random HH:MM to avoid a load spike on GitHub Actions at 00:00
- - cron: 4 15 * * *
-name: Semgrep
-jobs:
- semgrep:
- name: semgrep/ci
- runs-on: ubuntu-20.04
- env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- container:
- image: returntocorp/semgrep
- steps:
- - uses: actions/checkout@v3
- - run: semgrep ci
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bbf8c35..4a06674 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
++ v1.6
+ - Remove `.errors.todo` file and append the urls which encountered errors into `-date-time.todo` file
+ - Save the Unknown Errors in `errors.log` file for further investigation.
+ - Print `API rate limit exceeded` and `Expiration time reset, please try again` from KNOXSS API
+ - Compatibility to run on `bash`, `zsh`, `sh`
+
 + v1.5
 - Add retry options for ``target connection issues`` and ``can't finish scan gracefully`` (default: 1)"
 - Add verbose output for all responses from knoxss api
diff --git a/README.md b/README.md
index ce46e62..7ab63bb 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ -# KNOXSSer v1.5 +# KNOXSSer v1.6 -**An powerful bash script for massive XSS scanning leveraging Brute Logic's KNOXSS API** +**An powerful bash script for massive XSS scanning leveraging [Brute Logic's](https://brutelogic.com.br/blog/about) [KNOXSS API](https://knoxss.me)** [![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)](https://www.gnu.org/software/bash/) [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://GitHub.com/0xPugal/KNOXSSer/graphs/commit-activity) [![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)](https://lbesson.mit-license.org/) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![Latest release](https://badgen.net/github/release/0xPugal/KNOXSSer?sort=semver&label=version)](https://github.com/0xPugal/KNOXSSer/releases) [![Open Source Love svg1](https://badges.frapsoft.com/os/v1/open-source.svg?v=103)](https://github.com/0xPugal/KNOXSSer) @@ -10,7 +10,7 @@ ## Installation ``` -curl -sSL https://raw.githubusercontent.com/0xPugal/KNOXSSer/master/knoxsser -o knoxsser && chmod +x knoxsser && sudo mv knoxsser /usr/bin/ +curl -sSL https://raw.githubusercontent.com/0xPugal/knoxsser/master/knoxsser.sh -o knoxsser.sh && chmod +x knoxsser.sh && sudo mv knoxsser.sh /usr/bin/knoxsser ``` ## Prerequisites 
@@ -19,7 +19,7 @@ curl -sSL https://raw.githubusercontent.com/0xPugal/KNOXSSer/master/knoxsser -o + RedHat based Distros - ``dnf install curl jq parallel`` + Arch based Distros - ``pacman -S curl jq parallel`` + Mac OS - ``brew install jq parallel`` -> Configure your knoxss api key in [line 36 of knoxsser](https://github.com/0xPugal/KNOXSSer/blob/master/knoxsser#L36) or pass the API key with ``-A`` argument. +> Configure your knoxss api key in [line 36 of knoxsser](https://github.com/0xPugal/knoxsser/blob/master/knoxsser.sh#L36) or pass the API key with ``-A`` argument. > [Notify](https://github.com/projectdiscovery/notify) must be installed on your system, to send notifications on sucessful xss.(optional) @@ -33,7 +33,7 @@ Options: -A, --api API key for Knoxss -s, --silent Print only results without displaying the banner and target count -n, --notify Send notifications on successful XSSes via notify - -p, --process Number of URLs to scan parallely(1-5) (default: 1) + -p, --process Number of URLs to scan parallely(1-5) (default: 3) -r, --retry Number of times to retry on target connection issues and can't finish scans" -v, --version Display the version and exit -V, --verbose Enable verbose output 
@@ -42,9 +42,10 @@ Options: ## Features - Enables scanning of both single URLs and files containing multiple URLs - - Unscanned URLs are saved in a `+date-time.todo` file, providing a record of URLs not successfully scanned along with a timestamp. - - URLs that encountered errors during scanning, possibly due to issues with the KNOXSS API, are saved in a `.errors.todo` file. - - Successful XSS results are saved by default in `xss.txt`, with their full JSON responses. + - Unscanned / Remaining URLs and URLs that encountered errors are saved in a `+date-time.todo` file, providing a record of URLs not successfully scanned along with a timestamp. + - Ability to stop the scan and save the remaining URLs in a `+date-time.todo` file. + - Successful XSS results are saved by default in `xss.txt`, with their full JSON responses, and `error.log` file for further investigation for Unknown Errors. + - Ability to retry the scan, if any error like `Connection issues` or `can't able to scan by knoxss` - Prints the API calls number along with the scanning process. - Send notifications on successful XSSes through notify - Parallel scans options for faster scan completion @@ -73,6 +74,7 @@ Options: ## ToDo + Allow knoxsser to read input from stdin ++ Stop the scan on `Invalid or Expired API Key` and `API rate limit exceeded` and save the urls in `-date-time.todo` file ## Credits + An amazing [KNOXSS](https://knoxss.me/) API by Brute Logic. diff --git a/knoxsser b/knoxsser.sh similarity index 82% rename from knoxsser rename to knoxsser.sh index 1d6e3dd..f312b89 100644 --- a/knoxsser +++ b/knoxsser.sh 
@@ -15,7 +15,7 @@ print_banner() { echo -e "${CYAN}██╔═██╗ ██║╚██╗██║██║ ██║ ██╔██╗ ╚════██║╚════██║██╔══╝ ██╔══██╗ ${NC}" echo -e "${CYAN}██║ ██╗██║ ╚████║╚██████╔╝██╔╝ ██╗███████║███████║███████╗██║ ██║ ${NC}" echo -e "${CYAN}╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝╚══════╝╚═╝ ╚═╝$VERSION ${NC}" - echo -e "${BOLD} Made with ${RED}<3${NC} by @0xPugal ${NC}" + echo -e " Made with ${RED}<3${NC} ${BOLD}by @0xPugal ${NC}" echo "" } @@ -33,14 +33,15 @@ fi # Default values input_type="file" input_file="" -api_key="YOUR_KNOXSS_API_KEY" +api_key="KNOXSS_API_KEY" output_file="xss.txt" -VERSION="v1.5" +VERSION="v1.6" silent_mode=false use_notify=false -parallel_processes=1 +parallel_processes=3 verbose_mode=false retry_count=2 +unknown_error_log="error.log" usage() { print_banner @@ -50,7 +51,7 @@ usage() { echo " -A, --api API key for Knoxss" echo " -s, --silent Print only results without displaying the banner and target count" echo " -n, --notify Send notifications on successful XSSes via notify" - echo " -p, --process Number of URLs to scan parallely(1-5) (default: 1)" + echo " -p, --process Number of URLs to scan parallely(1-5) (default: 3)" echo " -r, --retry Number of times to retry on target connection issues & can't finish scans (default: 1)" echo " -v, --version Display the version and exit" echo " -V, --verbose Enable verbose output" @@ -156,7 +157,6 @@ lineno=1 api_calls=0 todo_file="${urls_file}-$(date +'%Y%m%d%H%M%S').todo" processed_file="${urls_file}-$(date +'%Y%m%d%H%M%S').processed" -error_file="${urls_file}.errors.todo" # Displaying banner and target count if ! $silent_mode; then 
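Review bot: The new default `api_key="KNOXSS_API_KEY"` in the defaults block still expects the secret to be edited into the script itself. The README's install line moves that script to `/usr/bin/knoxsser`, where a saved key is readable by every local user and easy to publish by accident. Consider taking the default from the environment, for example `api_key="${KNOXSS_API_KEY:-}"` (variable name constructed for this note), and exiting with a clear message when it is empty and `-A` was not given. Any placeholder comparison elsewhere in the script is outside this hunk and would need to match whatever default is chosen.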
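Review bot: The `-r, --retry` help line, shown as context just below the changed `-p` line, still ends with `(default: 1)` while the defaults block sets `retry_count=2`. The usage text therefore misreports how many extra API calls a failing URL costs. Either change the help text to `(default: 2)` or set `retry_count=1`, and apply the same correction to the README option table. The body of `usage()` continues outside this hunk.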
@@ -164,18 +164,6 @@ if ! $silent_mode; then target_count fi -# Check for a valid API key -test_response=$(curl "https://api.knoxss.pro" -d target="https://example.com" -H "X-API-KEY: $api_key" -s) - -if [[ "$test_response" == "Invalid or expired API key." ]]; then - echo -e "${RED}Invalid or expired API key. Exiting.${NC}" - if $verbose_mode; then - echo -e "${BOLD}Verbose response from KNOXSS API:${NC}" - echo "$test_response" - fi - exit 1 -fi - # Main loop to scan URLs process_url() { local line="$1" @@ -194,7 +182,7 @@ process_url() { exit 1 elif [[ "$response" == *"> "$output_file" if [[ "$use_notify" == true ]]; then @@ -239,7 +227,7 @@ process_url() { break elif [[ "$error" == "KNOXSS can't test it (forbidden)" ]]; then - echo -e "${RED}[ 403:( ] - $line - [Forbidden]${NC} [$api_call]" + echo -e "${RED}[ 403:( ] - $line - [$error]${NC} [$api_call]" if $verbose_mode; then echo -e "${BOLD}Verbose response from KNOXSS API:${NC}" echo "$response" | jq . 
@@ -260,17 +248,36 @@ process_url() { fi elif [[ "$error" == "service unavailable" ]]; then - echo -e "${RED}[ ERROR ] - $line - [KNOXSS Service Unavailable]${NC} [$api_call]" - echo -e "$line" >> "$error_file" + echo -e "${RED}[ ERROR ] - $line - [Service Unavailable]${NC} [$api_call]" + echo -e "$line" >> "$todo_file" if $verbose_mode; then echo -e "${BOLD}Verbose response from KNOXSS API:${NC}" echo "$response" | jq . fi break + elif [[ "$error" == "API rate limit exceeded." ]]; then + echo -e "${RED}[ ERROR ] - $line - [API rate limit exceeded]${NC} [$api_call]" + echo -e "$line" >> "$todo_file" + if $verbose_mode; then + echo -e "${BOLD}Verbose response from KNOXSS API: ${NC}" + echo "$response" | jq . + fi + break + + elif [[ "$error" == "Expiration time reset, please try again." ]]; then + echo -e "${RED}[ ERROR ] - $line - [Expiration time reset, please try again] ${NC} [$api_call]" + echo -e "$line" >> "$todo_file" + if $verbose_mode; then + echo -e "${BOLD}Verbose response from KNOXSS API: ${NC}" + echo "$reponse" | jq . + fi + break + else - echo -e "${RED}[ ERROR ] - $line - [Unknown error]${NC} [$api_call]" - echo "$line" >> "$error_file" + echo -e "${RED}[ ERROR ] - $line - [Unknown Error]${NC} [$api_call]" + echo "$line" >> "$todo_file" + echo "$response" >> "$unknown_error_log" if $verbose_mode; then echo -e "${BOLD}Verbose response from KNOXSS API:${NC}" echo "$response" | jq . 
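Review bot: In the new `Expiration time reset, please try again.` branch the verbose path runs `echo "$reponse" | jq .`, a misspelling of `response`, so verbose mode prints nothing for exactly the case being diagnosed; it should read `echo "$response" | jq .`. In the `else` branch, `echo "$response" >> "$unknown_error_log"` records the raw API body without the URL that produced it. With several `parallel` jobs appending to the same file, the entries cannot be matched back to a target afterwards. Writing both fields on one line, e.g. `printf '%s\t%s\n' "$line" "$response" >> "$unknown_error_log"`, keeps the log usable for the follow-up investigation the changelog describes. `process_url` starts and ends outside this hunk.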
@@ -285,16 +292,18 @@ process_url() { # Setup for parallel processing export -f process_url -export api_key output_file use_notify todo_file processed_file error_file verbose_mode CYAN GREEN RED YELLOW BOLD NC retry_count +export api_key output_file use_notify todo_file processed_file unknown_error_log verbose_mode CYAN GREEN RED YELLOW BOLD NC retry_count # Start processing URLs in parallel parallel -j "$parallel_processes" process_url :::: "$urls_file" # Final summary -if [[ -s "$error_file" ]]; then - echo -e "\n${BOLD}Some URLs encountered errors and are saved into $error_file${NC}" +if [[ -s "$todo_file" ]]; then + echo -e "\n${BOLD}Some URLs encountered errors and are saved into $todo_file${NC}" fi -rm -f "$processed_file" +if [[ -s "$unknown_error_log" ]]; then + echo -e "\n${BOLD}Some URLs encountered unknown errors and their responses are saved into $unknown_error_log${NC}" +fi rm -f "$processed_file"
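Review bot: The new final check `if [[ -s "$unknown_error_log" ]]` tests a fixed file, `error.log` in the working directory, that is only ever appended to. Once a run has logged an unknown error, every later run from that directory reports "Some URLs encountered unknown errors" even when it had none. Stale responses from earlier targets also accumulate in the same file. Give the log a per-run name in the same way as `todo_file` (its definition is outside this hunk), or truncate it before the `parallel` call with `: > "$unknown_error_log"`. The summary for `$todo_file` has a related wording issue: per the README that file now also holds unscanned and remaining URLs, so "encountered errors" overstates what a non-empty file means.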