
Casaba x5s: A Cross-Site Scripting (XSS) Test Tool

-------------------------------------------------
Copyright (c) 2010, Casaba Security, LLC.
All rights reserved.

A free, active security testing tool for finding XSS vulnerabilities in web applications. x5s aims to be a specialized testing tool which assists penetration testers in finding cross-site scripting hot-spots. By auto-injecting token values and special-character probes, x5s can detect where an emitted character or its transformation may be lacking a safe encoding and vulnerable to XSS.

Prerequisites
-------------
Fiddler Web Debugging Proxy (http://www.fiddlertool.com/)

Installation
------------
Run X5Setup.msi and follow the prompts. This is the preferred method of installation. Alternately, extract the files from X5Setup.zip to %USERPROFILE%\Documents\Fiddler2\Scripts.

x5s can be uninstalled via Add/Remove Programs in the Control Panel; or, if the files were extracted from the ZIP file, simply remove them from the directory to which they were installed.

Upgrading
---------
First uninstall x5s through the Control Panel, or by right-clicking the MSI and choosing Uninstall. Then you can install an updated x5s.

Usage
-----
1. Start Fiddler, and select the x5s tab.
2. Check Enable to start capturing page metadata.
3. Enter a Preamble, or use the default. This must be a unique string x5s can use to identify its payload in the response, for example "pqz" or "test321".
4. Enable Domain Targeting to restrict testing to a particular domain, i.e., the site you'd like to test.
5. Select each of the auto-injection options you want (e.g. select auto-inject into GET, POST, and Other).
6. Leave the advanced filter disabled for now.
7. Enable the injection characters you'd like to test through the 'Test Case Configuration' tab.
8. Browse the site you're testing. x5s will work its magic.
9. Click the 'Results' tab to review any issues discovered by the tool.
10. If you don't feel like trying to make sense of the results, just click the 'show hotspots' button and review any that show up.

Definitions
-----------
Canary
======
Canaries are composed of a unique ID, the Preamble (as specified in the UI), and a single character (also specified in the UI). x5s uses these canaries to identify injected data that has been persisted or reflected by the target web application during testing.

canary = { unique ID + preamble + character probe }


x5s determines the input types of a request passed to it via Fiddler and, for each character configuration enabled in the UI, resends a request containing a canary to the application being evaluated.

To support unknown request protocols (e.g. not application/json or x-www-form-urlencoded), if the preamble is found in a request by itself, x5s will replace it with a canary and resend the request to the web application. This enables a tester to enter the preamble in any field of a web app and let x5s call attention to a potentially unknown serialization format. For this and other reasons, it is important to choose a preamble that is unlikely to appear in the pages you are evaluating.

If the canary is found in a response, x5s will evaluate the character probe segment for replacement, transformation, or encoding, and report it as appropriate in the Results tab of the UI.
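As an added illustration of the canary mechanism described above (example code written for this page, not part of x5s): one canary is built per probe character, sent through a constructed stand-in application, and each reflection of the probe is classified as unencoded, encoded, or transformed. The probe set, the stand-in application and the 10-character look-ahead after the preamble are assumptions.

```python
import html
import re
import uuid
from urllib.parse import unquote

def make_canary(preamble, probe):
    """Canary = unique ID + preamble + one probe character, as x5s builds it."""
    return uuid.uuid4().hex[:8] + preamble + probe

def classify_occurrences(response, canary):
    """Find each reflection of the canary's ID+preamble in a response body and
    report how the trailing probe character came back: 'unencoded' (verbatim,
    an XSS hot-spot candidate), 'encoded' (HTML-entity or percent encoded) or
    'transformed' (replaced/stripped). An empty list means not reflected."""
    prefix, probe = canary[:-1], canary[-1]
    verdicts = []
    for m in re.finditer(re.escape(prefix), response):
        tail = response[m.end():m.end() + 10]  # probe plus a short encoding of it
        if tail.startswith(probe):
            verdicts.append("unencoded")
        elif html.unescape(tail).startswith(probe) or unquote(tail).startswith(probe):
            verdicts.append("encoded")
        else:
            verdicts.append("transformed")
    return verdicts

def constructed_app(canary):
    """Constructed stand-in for the application under test (not a real site):
    reflects the canary in three fields, each handling output differently."""
    return "\n".join([
        "<p>Search: " + html.escape(canary, quote=True) + " </p>",  # safely encoded
        "<p>Raw: " + canary + " </p>",                              # reflected verbatim
        "<p>Filtered: " + canary[:-1] + " </p>",                    # probe stripped
    ])

def scan(preamble, probes, app=constructed_app):
    """One canary per enabled probe character, mirroring how x5s resends a
    request for each character configuration; returns {probe: verdicts}."""
    report = {}
    for probe in probes:
        canary = make_canary(preamble, probe)
        report[probe] = classify_occurrences(app(canary), canary)
    return report

def hot_spots(report):
    """Probe characters that were emitted unencoded anywhere in the response."""
    return sorted(p for p, v in report.items() if "unencoded" in v)
```

Calling `scan("pqz", ['<', '>', '"', "'"])` against the stand-in yields `['encoded', 'unencoded', 'transformed']` for every probe, and `hot_spots` flags all four because the "Raw" field emits them verbatim.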
Hot Spots
=========
Hot Spots are areas that are likely susceptible to XSS.
Target Domains
==============
If enabled, Target Domains define the list of domains that x5s will evaluate and send requests to. If disabled, all domains are subject to evaluation by x5s.
Updates
-------
You can always obtain the latest version of x5s from:
http://www.casabasecurity.com/
http://xss.codeplex.com/
Notes
-----
x5s can generate a significant number of queries to the hosting server, as it actively injects each enabled character into each field of a request (including HTTP headers and GET/POST form data).
