x5s Beta released - Automated XSS security testing assistant

In: Configurations checks , Exploitation , x5s

13 April 2010

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. It’s main goal is to help you identify the hotspots where XSS might occur by:

Detecting where safe encodings were not applied to emitted user-inputs
Detecting where Unicode character transformations might bypass security filters
Detecting where non-shortest UTF-8 encodings might bypass security filters

It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected. The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways â€“ URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where weâ€™ve had Watcher running in conjunction, weâ€™ve been able to detect ill-formed UTF-8 byte sequences which is indicative of â€˜otherâ€™ problems.

The types of test cases that x5s includes:

Traditional test cases - characters typically used to test for XSS injection such as <, >, ",and ’ which are used to control HTML, CSS, or javascript;
Transformable test cases - characters that might uppercase, lowercase, Normalize, best-fit map, or other wise transform to completely different characters, E.g. the Turkish ’Ä°’ which will lower-case to ’i’ in culture-aware software.
Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the ’traditional’ test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.

Requirements

The fiddler

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

Post scriptum

Download

Configurations checks	10 May 2010 : WebTest 1.2.1 - Testing Web Application with Python 1 May 2010 : Lansweeper v4.0 released 1 May 2010 : Sysinternal AccessChk v5.0 released 1 May 2010 : Spiceworks v4.7 build 50667 released 28 April 2010 : NSIA (Network System Integrity Analysis) v0.8.99 released
Exploitation	1 May 2010 : DAVTest v1.0 - WebDAV Application 13 April 2010 : x5s Beta released - Automated XSS security testing assistant 12 April 2010 : Windows Autopwn (winAUTOPWN) v2.2 released 10 April 2010 : pvefindaddr v1.30 released 30 March 2010 : pvefindaddr updated to v1.27
x5s

x5s Beta released - Automated XSS security testing assistant

Post scriptum

Related Articles

Follow us

Like us !

Most Read

Advertising

License

Categories

COMPANY

STANDARDS

RECENT POSTS

MENU