v1.6 update

0xPugal · Jun 29, 2024 · d89d39a · d89d39a
1 parent e65f28a
commit d89d39a
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 61 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
++ v1.6
+    - Remove `<inpu>.errors.todo` file and append the urls which encountered errors into `<input>-date-time.todo` file
+    - Save the Unknown Errors in `errors.log` file for further investigation.
+    - Print `API rate limit exceeded` and `Expiration time reset, please try again` from KNOXSS API
+    - Compatibility to run on `bash`, `zsh`, `sh`
+
 + v1.5
     - Add retry options for ``target connection issues`` and ``can't finish scan gracefully`` (default: 1)"
     - Add verbose output for all responses from knoxss api

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
-# KNOXSSer v1.5
+# KNOXSSer v1.6
 
-**An powerful bash script for massive XSS scanning leveraging Brute Logic's KNOXSS API**
+**An powerful bash script for massive XSS scanning leveraging [Brute Logic's](https://brutelogic.com.br/blog/about) [KNOXSS API](https://knoxss.me)**
 
 [![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)](https://www.gnu.org/software/bash/) [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://GitHub.com/0xPugal/KNOXSSer/graphs/commit-activity) [![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)](https://lbesson.mit-license.org/) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![Latest release](https://badgen.net/github/release/0xPugal/KNOXSSer?sort=semver&label=version)](https://github.com/0xPugal/KNOXSSer/releases) [![Open Source Love svg1](https://badges.frapsoft.com/os/v1/open-source.svg?v=103)](https://github.com/0xPugal/KNOXSSer)
 
@@ -10,7 +10,7 @@
 
 ## Installation
 ```
-curl -sSL https://raw.githubusercontent.com/0xPugal/KNOXSSer/master/knoxsser -o knoxsser && chmod +x knoxsser && sudo mv knoxsser /usr/bin/
+curl -sSL https://raw.githubusercontent.com/0xPugal/knoxsser/master/knoxsser.sh -o knoxsser.sh && chmod +x knoxsser.sh && sudo mv knoxsser.sh /usr/bin/knoxsser
 ```
 
 ## Prerequisites
@@ -19,7 +19,7 @@ curl -sSL https://raw.githubusercontent.com/0xPugal/KNOXSSer/master/knoxsser -o
   + RedHat based Distros - ``dnf install curl jq parallel``
   + Arch based Distros - ``pacman -S curl jq parallel``
   + Mac OS - ``brew install jq parallel``
-> Configure your knoxss api key in [line 36 of knoxsser](https://github.com/0xPugal/KNOXSSer/blob/master/knoxsser#L36) or pass the API key with ``-A`` argument.
+> Configure your knoxss api key in [line 36 of knoxsser](https://github.com/0xPugal/knoxsser/blob/master/knoxsser.sh#L36) or pass the API key with ``-A`` argument.
 
 
 > [Notify](https://github.com/projectdiscovery/notify) must be installed on your system, to send notifications on sucessful xss.(optional)
@@ -33,7 +33,7 @@ Options:
   -A, --api       API key for Knoxss
   -s, --silent    Print only results without displaying the banner and target count
   -n, --notify    Send notifications on successful XSSes via notify
-  -p, --process   Number of URLs to scan parallely(1-5) (default: 1)
+  -p, --process   Number of URLs to scan parallely(1-5) (default: 3)
   -r, --retry     Number of times to retry on target connection issues and can't finish scans"
   -v, --version   Display the version and exit
   -V, --verbose   Enable verbose output
@@ -42,9 +42,10 @@ Options:
 
 ## Features
    - Enables scanning of both single URLs and files containing multiple URLs
-   - Unscanned URLs are saved in a `<input>+date-time.todo` file, providing a record of URLs not successfully scanned along with a timestamp.
-   - URLs that encountered errors during scanning, possibly due to issues with the KNOXSS API, are saved in a `<input>.errors.todo` file. 
-   - Successful XSS results are saved by default in `xss.txt`, with their full JSON responses.
+   - Unscanned / Remaining URLs and URLs that encountered errors  are saved in a `<input>+date-time.todo` file, providing a record of URLs not successfully scanned along with a timestamp.
+   - Ability to stop the scan and save the remaining URLs in a `<input>+date-time.todo` file.
+   - Successful XSS results are saved by default in `xss.txt`, with their full JSON responses, and `error.log` file for further investigation for Unknown Errors.
+   - Ability to retry the scan, if any error like `Connection issues` or `can't able to scan by knoxss`
    - Prints the API calls number along with the scanning process.
    - Send notifications on successful XSSes through notify
    - Parallel scans options for faster scan completion
@@ -73,6 +74,7 @@ Options:
 
 ## ToDo
 + Allow knoxsser to read input from stdin
++ Stop the scan on `Invalid or Expired API Key` and `API rate limit exceeded` and save the urls in `<input>-date-time.todo` file
 
 ## Credits
 + An amazing [KNOXSS](https://knoxss.me/) API by Brute Logic.

diff --git a/knoxsser → knoxsser.sh b/knoxsser → knoxsser.sh
@@ -15,7 +15,7 @@ print_banner() {
     echo -e "${CYAN}██╔═██╗ ██║╚██╗██║██║   ██║ ██╔██╗ ╚════██║╚════██║██╔══╝  ██╔══██╗ ${NC}"
     echo -e "${CYAN}██║  ██╗██║ ╚████║╚██████╔╝██╔╝ ██╗███████║███████║███████╗██║  ██║ ${NC}"
     echo -e "${CYAN}╚═╝  ╚═╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝╚══════╝╚══════╝╚═╝  ╚═╝$VERSION ${NC}"
-    echo -e "${BOLD}                                        Made with ${RED}<3${NC} by @0xPugal    ${NC}"
+    echo -e "                                        Made with ${RED}<3${NC} ${BOLD}by @0xPugal    ${NC}"
     echo ""
 }
 
@@ -33,14 +33,15 @@ fi
 # Default values
 input_type="file"
 input_file=""
-api_key="YOUR_KNOXSS_API_KEY"
+api_key="KNOXSS_API_KEY"
 output_file="xss.txt"
-VERSION="v1.5"
+VERSION="v1.6"
 silent_mode=false
 use_notify=false
-parallel_processes=1
+parallel_processes=3
 verbose_mode=false
 retry_count=2
+unknown_error_log="error.log"
 
 usage() {
     print_banner
@@ -50,7 +51,7 @@ usage() {
     echo "  -A, --api       API key for Knoxss"
     echo "  -s, --silent    Print only results without displaying the banner and target count"
     echo "  -n, --notify    Send notifications on successful XSSes via notify"
-    echo "  -p, --process   Number of URLs to scan parallely(1-5) (default: 1)"
+    echo "  -p, --process   Number of URLs to scan parallely(1-5) (default: 3)"
     echo "  -r, --retry     Number of times to retry on target connection issues & can't finish scans (default: 1)"
     echo "  -v, --version   Display the version and exit"
     echo "  -V, --verbose   Enable verbose output"
@@ -156,26 +157,13 @@ lineno=1
 api_calls=0
 todo_file="${urls_file}-$(date +'%Y%m%d%H%M%S').todo"
 processed_file="${urls_file}-$(date +'%Y%m%d%H%M%S').processed"
-error_file="${urls_file}.errors.todo"
 
 # Displaying banner and target count
 if ! $silent_mode; then
     print_banner
     target_count
 fi
 
-# Check for a valid API key
-test_response=$(curl "https://api.knoxss.pro" -d target="https://example.com" -H "X-API-KEY: $api_key" -s)
-
-if [[ "$test_response" == "Invalid or expired API key." ]]; then
-    echo -e "${RED}Invalid or expired API key. Exiting.${NC}"
-    if $verbose_mode; then
-        echo -e "${BOLD}Verbose response from KNOXSS API:${NC}"
-        echo "$test_response"
-    fi
-    exit 1
-fi
-
 # Main loop to scan URLs
 process_url() {
     local line="$1"
@@ -194,7 +182,7 @@ process_url() {
             exit 1
 
         elif [[ "$response" == *"<p"* ]]; then
-            echo -e "${RED}[ NOPE/ ] - $line - XSS is not possible in this content-type${NC} [0]"
+            echo -e "${YELLOW}[ NOPE/ ] - $line - [XSS is not possible in this content-type]${NC} [0]"
             if $verbose_mode; then
                 echo -e "${BOLD}Verbose response from KNOXSS API:${NC}"
                 echo "$response"
@@ -212,7 +200,7 @@ process_url() {
 
             # Handle XSS detection
             if [[ "$xss" == "true" ]]; then
-                echo -e "${GREEN}[ XSS!! ] - $poc ${NC} [$api_call]"
+                echo -e "${GREEN}${BOLD}[ XSS!! ] - $poc ${NC} [$api_call]"
                 echo "$response" >> "$output_file"
 
                 if [[ "$use_notify" == true ]]; then
@@ -239,7 +227,7 @@ process_url() {
                 break
 
             elif [[ "$error" == "KNOXSS can't test it (forbidden)" ]]; then
-                echo -e "${RED}[ 403:( ] - $line - [Forbidden]${NC} [$api_call]"
+                echo -e "${RED}[ 403:( ] - $line - [$error]${NC} [$api_call]"
                 if $verbose_mode; then
                     echo -e "${BOLD}Verbose response from KNOXSS API:${NC}"
                     echo "$response" | jq .
@@ -260,17 +248,36 @@ process_url() {
                 fi
 
             elif [[ "$error" == "service unavailable" ]]; then
-                echo -e "${RED}[ ERROR ] - $line - [KNOXSS Service Unavailable]${NC} [$api_call]"
-                echo -e "$line" >> "$error_file"
+                echo -e "${RED}[ ERROR ] - $line - [Service Unavailable]${NC} [$api_call]"
+                echo -e "$line" >> "$todo_file"
                 if $verbose_mode; then
                     echo -e "${BOLD}Verbose response from KNOXSS API:${NC}"
                     echo "$response" | jq .
                 fi
                 break
 
+            elif [[ "$error" == "API rate limit exceeded." ]]; then
+                echo -e "${RED}[ ERROR ] - $line - [API rate limit exceeded]${NC} [$api_call]"
+                echo -e "$line" >> "$todo_file"
+                if $verbose_mode; then
+                    echo -e "${BOLD}Verbose response from KNOXSS API: ${NC}"
+                    echo "$response" | jq .
+                fi
+                break
+
+            elif [[ "$error" == "Expiration time reset, please try again." ]]; then
+                echo -e "${RED}[ ERROR ] - $line - [Expiration time reset, please try again] ${NC} [$api_call]"
+                echo -e "$line" >> "$todo_file"
+                if $verbose_mode; then
+                    echo -e "${BOLD}Verbose response from KNOXSS API: ${NC}"
+                    echo "$reponse" | jq .
+                fi
+                break
+
             else
-                echo -e "${RED}[ ERROR ] - $line - [Unknown error]${NC} [$api_call]"
-                echo "$line" >> "$error_file"
+                echo -e "${RED}[ ERROR ] - $line - [Unknown Error]${NC} [$api_call]"
+                echo "$line" >> "$todo_file"
+                echo "$response" >> "$unknown_error_log"
                 if $verbose_mode; then
                     echo -e "${BOLD}Verbose response from KNOXSS API:${NC}"
                     echo "$response" | jq .
@@ -285,16 +292,18 @@ process_url() {
 
 # Setup for parallel processing
 export -f process_url
-export api_key output_file use_notify todo_file processed_file error_file verbose_mode CYAN GREEN RED YELLOW BOLD NC retry_count
+export api_key output_file use_notify todo_file processed_file unknown_error_log verbose_mode CYAN GREEN RED YELLOW BOLD NC retry_count
 
 # Start processing URLs in parallel
 parallel -j "$parallel_processes" process_url :::: "$urls_file"
 
 # Final summary
-if [[ -s "$error_file" ]]; then
-    echo -e "\n${BOLD}Some URLs encountered errors and are saved into $error_file${NC}"
+if [[ -s "$todo_file" ]]; then
+    echo -e "\n${BOLD}Some URLs encountered errors and are saved into $todo_file${NC}"
 fi
 
-rm -f "$processed_file"
+if [[ -s "$unknown_error_log" ]]; then
+    echo -e "\n${BOLD}Some URLs encountered unknown errors and their responses are saved into $unknown_error_log${NC}"
+fi
 
 rm -f "$processed_file"