Closed affilares closed 4 years ago
@affilares Okay, I think it's a necessary function. But there's something that needs to be considered in the implementation.
XSpear is a tool that uses callback function in a custom way, so you need to specify which callback function you to create or to use a separate callback function.
I'm thinking about the pattern below. Plug-in-based (for example, NSE)
< plugin-directory >
XSpear/plugins/plugin_name.spear
# XSpear/plugins/yourspecialcode.spear
< plugin-data >
# if P1 is find reflected callback
{
"payload":"<svg/onload=alert(1)>",
"callback":"P1"
"descript":"blahblah~"
}
< use-case >
--plugin "plugin_name"
re-name options
--plugin
to --custom-payload
support callback list
- P1: reflected detect
- P2: selenium detect
format
[
{
"payload":"<svg/onload=alert(1)>",
"callback":"P1",
"descript":"blahblah~"
},
{
"payload":"<svg/onload=alert(1)>",
"callback":"P2",
"descript":"blahblah~"
},
{
"payload":"<>",
"callback":"P1",
"descript":"blahblah~"
}
]
use case
--custom-payload=my-xss.json
Add Custom Payload option to craft own payload list