elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Estamos en la red social de Mastodon


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Hacking
| | |-+  Bugs y Exploits
| | | |-+  Nivel Web (Moderadores: sirdarckcat, WHK)
| | | | |-+  x5s - XSS security testing assistant
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: x5s - XSS security testing assistant  (Leído 3,021 veces)
Shell Root
Moderador Global
***
Desconectado Desconectado

Mensajes: 3.724


<3


Ver Perfil WWW
x5s - XSS security testing assistant
« en: 19 Agosto 2010, 23:42 pm »

x5s
XSS security testing assistant

by Casaba Security, contact us through CodePlex, or email us at casabasecurity .com.

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point and shoot tool, it requires some understanding of how encoding issues lead to XSS, and it requires manual driving. See the Quickstart Tutorial to jump right in but be ready to do a little work. It's main goal is to help you identify the hotspots where XSS might occur by:

  • Detecting where safe encodings were not applied to emitted user-inputs
  • Detecting where Unicode character transformations might bypass security filters
  • Detecting where non-shortest UTF-8 encodings might bypass security filters

It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected. The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences which is indicative of ‘other’ problems.

x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?

x5s does not inject XSS payloads - it does not attempt to exploit or confirm an XSS vulnerability. It's designed to draw your attention to the fields and parameters which seem likely candidates for vulnerability. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results, which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see only the potential problem areas. After identifying a hotspot it's the tester's job to perform further validation and XSS testing.

The types of test cases that x5s includes:
  • Traditional test cases - characters typically used to test for XSS injection such as <, >, ",and ' which are used to control HTML, CSS, or javascript;
  • Transformable test cases - characters that might uppercase, lowercase, Normalize, best-fit map, or other wise transform to completely different characters, E.g. the Turkish 'İ' which will lower-case to 'i' in culture-aware software.
  • Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the 'traditional' test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.

Download: :http://xss.codeplex.com/releases/view/43170
Fuente: dragonjar.org
En línea

Te vendería mi talento por poder dormir tranquilo.
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[C++][?] Unit testing
Programación C/C++
oxydec 0 2,623 Último mensaje 18 Febrero 2011, 00:47 am
por oxydec
Problemas con el memory Testing.
Hardware
Wales_Pk 2 3,601 Último mensaje 22 Octubre 2012, 11:33 am
por Wales_Pk
Testing o QA
Programación General
nevermind2403 0 1,807 Último mensaje 7 Noviembre 2013, 15:26 pm
por nevermind2403
Web Testing
Desarrollo Web
2AA2 3 3,348 Último mensaje 23 Diciembre 2020, 15:46 pm
por #!drvy
Learn Bug Bounty Hunting & Web Security Testing From Scratch
Tutoriales - Documentación
ehn@ 0 1,525 Último mensaje 24 Noviembre 2023, 02:26 am
por ehn@
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines