Penetration Testing mailing list archives
[tool] x5s - test encodings and character transformations to find XSS hotspots
From: "Chris Weber" <chris () casabasecurity com>
Date: Thu, 8 Apr 2010 11:39:59 -0700
Hello everyone,

Casaba is happy to make x5s available for download - a specialized Web-app testing Fiddler addon aimed at helping security testers find XSS hotspots. Its main goal is to help you identify those hotspots by:

- Detecting where safe encodings were not applied to emitted user-inputs
- Detecting where Unicode character transformations might bypass security filters
- Detecting where non-shortest UTF-8 encodings might bypass security filters

The approach to finding hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues; however, persisted issues can also be detected.

The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we've had Watcher running in conjunction, we've been able to detect ill-formed UTF-8 byte sequences, which is indicative of 'other' problems.

Grab it: http://xss.codeplex.com/

There's no auto-XSS validation here. X5s will highlight potential hotspots, but it's the pen-tester's job to further validate whether or not a vulnerability exists. The x5s tool may not be so intuitive, so we've created a quickstart tutorial to get you started after you've read the documentation.

We're releasing this as a 1.0 beta in hopes of getting feedback from the community. If you try it please send me your likes and dislikes, and any bugs or other issues you find. We're happy to make more improvements based on feedback. Some items on our wishlist include support for parsing more Content-Types, a plan for further reducing false positives, and more test case types including well-formed and ill-formed multi-byte sequences.

Happy bug hunting,
Chris Weber
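The two detection ideas in the post (classifying how a single-character probe comes back, and spotting non-shortest-form UTF-8 in a response) are simple enough to show in code. The following is an added Python example written for this archive page; it is not code from x5s or from the author. It assumes the probe was submitted wrapped in a constructed alphanumeric marker (`qz7k`) so it can be located in the response body, and all function names are the example's own.

```python
"""Added example: classify how a probe character was emitted by a web app,
and flag overlong (non-shortest-form) or otherwise ill-formed UTF-8 bytes."""
import html
import re
from urllib.parse import quote

MARKER = "qz7k"  # constructed marker wrapped around the probe: MARKER + ch + MARKER


def probe_forms(ch: str) -> dict:
    """Textual forms a single probe character may take when the app emits it."""
    cp = ord(ch)
    forms = {
        "raw": ch,
        "url-encoded": quote(ch, safe=""),   # percent-encoded UTF-8, e.g. %3C or %E2%80%A8
        "ncr-decimal": f"&#{cp};",           # numeric character reference
        "ncr-hex": f"&#x{cp:x};",
    }
    escaped = html.escape(ch, quote=True)    # only differs for < > & " '
    if escaped != ch:
        forms["html-entity"] = escaped
    return forms


def classify_emission(ch: str, body: str, marker: str = MARKER) -> str:
    """Report how the probe `ch` (submitted as marker+ch+marker) appears in `body`:
    one of the encodings from probe_forms(), 'dropped', 'replaced' or 'not-found'."""
    forms = probe_forms(ch)
    for name, form in forms.items():
        if marker + form + marker in body:
            return name
    # Hex forms may come back in either case (%3c vs %3C, &#x3c; vs &#X3C;).
    low_body, low_marker = body.lower(), marker.lower()
    for name in ("url-encoded", "ncr-hex"):
        if low_marker + forms[name].lower() + low_marker in low_body:
            return name
    if marker + marker in body:
        return "dropped"           # the character was silently removed
    # Something short but unrecognised sits between the markers: a substitution.
    if re.search(re.escape(marker) + r".{1,12}?" + re.escape(marker), body, re.S):
        return "replaced"
    return "not-found"


def is_well_formed_utf8(data: bytes) -> bool:
    """Python's strict decoder rejects overlong sequences and bad continuation bytes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def find_non_shortest_utf8(data: bytes) -> list:
    """Return (offset, bytes) for every overlong UTF-8 sequence in `data`.
    A sequence is overlong when it uses more bytes than its code point needs."""
    hits, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            length, minimum = 2, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, minimum = 3, 0x800
        elif 0xF0 <= b <= 0xF7:
            length, minimum = 4, 0x10000
        else:
            i += 1                 # stray continuation byte or invalid lead byte
            continue
        seq = data[i:i + length]
        if len(seq) < length or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
            i += 1                 # truncated or bad continuation: ill-formed, not overlong
            continue
        # Reassemble the code point from the payload bits of each byte.
        cp = b & (0x7F >> length)
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            hits.append((i, bytes(seq)))
        i += length
    return hits


if __name__ == "__main__":
    # Constructed response fragments, one per emission style.
    print(classify_emission("<", "<input value='qz7k&lt;qz7k'>"))     # html-entity
    print(classify_emission("\u2028", "<p>qz7k%E2%80%A8qz7k</p>"))     # url-encoded
    print(classify_emission("<", "<p>qz7kqz7k</p>"))                   # dropped
    print(find_non_shortest_utf8(b"abc\xc0\xbcdef\xe0\x80\xbc\xe2\x80\xa8"))
```

Run against captured response bodies, this gives the per-field picture the post describes: the same probe coming back URL-encoded in one field, as an NCR in another, dropped or replaced in a third. `find_non_shortest_utf8` is the check a validator should apply before any filtering, since an overlong sequence decodes to the same code point as the one-byte form and a filter that only matches the short form will miss it.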