x5s - XSS security testing tool

x5s - XSS security testing tool

x5s is a Fiddler addon. This  penetration testing tool aims to assist penetration testers in finding cross-site scripting vulnerabilities in various web applications. This tool requires some understanding of how encoding issues lead to XSS, and it requires manual driving. It's main goal is to help you identify the hotspots where XSS might occur by:

• Detecting where safe encodings were not applied to emitted user-inputs
• Detecting where Unicode character transformations might bypass security filters
• Detecting where non-shortest UTF-8 encodings might bypass security filters

Tutorial on X5S


The types of test cases that x5s includes:
Traditional test cases - characters typically used to test for XSS injection such as <, >, ",and ' which are used to control HTML, CSS, or javascript;
Transformable test cases - characters that might uppercase, lowercase, Normalize, best-fit map, or other wise transform to completely different characters, E.g. the Turkish 'İ' which will lower-case to 'i' in culture-aware software.
Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the 'traditional' test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.


Read More:


Download here:
http://xss.codeplex.com/releases/view/43170