[ad]<\/p>\n
x5s is a Fiddler<\/a> add-on which aims to assist penetration testers in finding cross-site scripting vulnerabilities. It’s main goal is to help you identify the hotspots where XSS might occur by:<\/p>\n It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected.<\/p>\n The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways \u2013 URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we\u2019ve had Watcher<\/a> running in conjunction, we\u2019ve been able to detect ill-formed UTF-8 byte sequences which is indicative of \u2018other\u2019 problems.<\/p>\n x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields\/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?<\/p>\n x5s does not inject XSS payloads – it does not attempt to exploit or confirm an XSS vulnerability. It’s designed to draw your attention to the fields and parameters which seem likely candidates for vulnerability. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results, which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see only the potential problem areas. After identifying a hotspot it’s the tester’s job to perform further validation and XSS testing.<\/p>\n The types of test cases that x5s includes:<\/p>\n You can download x5s here:<\/p>\n\n
\n