WebApp Sec mailing list archives

[tool] x5s - test encodings and character transformations to find XSS hotspots


From: "Chris Weber" <chris () casabasecurity com>
Date: Thu, 8 Apr 2010 11:39:59 -0700

Hello everyone, 
Casaba is happy to make x5s available for download - a specialized Web-app testing Fiddler addon aimed at helping 
security testers find XSS hotspots.  Its main goal is to help you identify those hotspots by:

- Detecting where safe encodings were not applied to emitted user-inputs
- Detecting where Unicode character transformations might bypass security filters
- Detecting where non-shortest UTF-8 encodings might bypass security filters

The approach to finding hotspots involves injecting single-character probes separately into each input field of each 
request, and detecting how they were later emitted.  The focus is on reflected XSS issues; however, persisted issues can 
also be detected.  The idea of injecting special Unicode characters and non-shortest form encodings was to identify 
where transformations occur which could be used to bypass security filters.  This also has the interesting side effect 
of illuminating how all of the fields in a Web-app handle Unicode.  For example, in a single page with many inputs, you 
may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, 
replaced, dropped, etc.  In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect 
ill-formed UTF-8 byte sequences, which is indicative of ‘other’ problems.

Grab it:  http://xss.codeplex.com/

There’s no auto-XSS validation here.  X5s will highlight potential hotspots, but it’s the pen-tester’s job to further 
validate whether or not a vulnerability exists.  The x5s tool may not be so intuitive, so we’ve created a quickstart 
tutorial to get you started after you’ve read the documentation.

We’re releasing this as a 1.0 beta in hopes of getting feedback from the community.  If you try it please send me your 
likes and dislikes, and any bugs or other issues you find.  We’re happy to make more improvements based on feedback.  
Some items on our wishlist include support for parsing more Content-Types, a plan for further reducing false positives, 
and more test case types including well-formed and ill-formed multi-byte sequences.

Happy bug hunting,
Chris Weber
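As an added example (not code from x5s or from this post), the script below classifies a reflected probe into the categories the announcement lists (raw, URL encoded, NCR encoded, ill-encoded, replaced, dropped) and scans response bytes for the non-shortest-form UTF-8 sequences it mentions. The `x5sprobe` delimiter, the category names and the entity-encoded bucket are assumptions of this example, not x5s's own format.

```python
import html
import urllib.parse

# Constructed delimiter for locating the injected field in the response (x5s's own marker format is not on the page).
MARKER = "x5sprobe"

def classify_reflection(probe: str, body: str) -> str:
    """Report how a single-character probe sent as MARKER+probe+MARKER came back:
    raw, url-encoded, ncr-encoded, entity-encoded, ill-encoded, replaced, dropped or not-found."""
    start = body.find(MARKER)
    end = body.find(MARKER, start + len(MARKER)) if start >= 0 else -1
    if end < 0:
        return "not-found"
    seg = body[start + len(MARKER):end]
    cp = ord(probe)
    if seg == probe:
        return "raw"
    if seg == "":
        return "dropped"
    if seg.upper() == urllib.parse.quote(probe, safe="").upper():
        return "url-encoded"
    if seg.lower() in (f"&#{cp};", f"&#x{cp:x};"):
        return "ncr-encoded"
    if seg == html.escape(probe, quote=True):
        return "entity-encoded"
    if "\ufffd" in seg:
        return "ill-encoded"   # replacement char: the bytes were mangled on the way out
    return "replaced"

def find_overlong_utf8(data: bytes) -> list:
    """Return (offset, codepoint, length) for every non-shortest-form (overlong) UTF-8 sequence;
    a strict decoder rejects these, but a lenient filter may decode them after the check ran."""
    found, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0xC0 or b >= 0xF8:        # ASCII, stray continuation byte, or invalid lead byte
            i += 1
            continue
        n = 2 if b < 0xE0 else 3 if b < 0xF0 else 4
        cp = b & (0x7F >> n)             # payload bits of the lead byte
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            i += 1                       # truncated or ill-formed: skip the lead byte
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < (0x80, 0x800, 0x10000)[n - 2]:
            found.append((i, cp, n))     # shortest form would have needed fewer bytes
        i += n
    return found
```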
