Fiddler Xss




x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. Its main goal is to help you identify the hotspots where XSS might occur by:

  • Detecting where safe encodings were not applied to emitted user-inputs
  • Detecting where Unicode character transformations might bypass security filters
  • Detecting where non-shortest UTF-8 encodings might bypass security filters

Fiddler provides all of the rich functionality of a good Web/HTTP proxy. With Fiddler you can capture all HTTP traffic, intercept and modify, replay requests, and much much more. Fiddler provides the HTTP proxy framework for Watcher to work in, allowing for seamless integration with today’s complex Web 2.0 or Rich Internet Applications.

  • Fiddler is a web debugging tool for logging HTTP/S traffic. Inspect traffic, mock requests/responses, share sessions, collaborate within teams to debug issues.
  • x5s: While Watcher does detect some XSS, it generates lots of false positives; therefore I also use another addon along with Fiddler for detecting cross-site scripting attacks. x5s is also created by the developers of Watcher; however, it's specially for detecting XSS. Here is an official description.
  • A freeware tool to capture HTTP and HTTPS traffic. Can also be used to modify HTTP traffic as a troubleshooting measure (not covered in the video). Download it.
It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues; however, persistent issues can also be detected. The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences, which are indicative of ‘other’ problems.
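The classification step described above, as an added illustration in Python (this is not code from the original post or from x5s itself). It assumes the single-character probe was sent wrapped in a constructed marker string, `q7z`, that is otherwise absent from the response, so each reflection can be located even when the character was replaced or dropped; the response body below is constructed, and echoes one `<` probe in the variety of ways the paragraph lists.

```python
import html
import re
from urllib.parse import quote

# Constructed marker: assumed to be sent on either side of the probe character and
# otherwise absent from the response, so that each reflection can be located even
# when the character itself was replaced or dropped. (Hypothetical convention.)
MARK = "q7z"


def classify(probe: str, between: str) -> str:
    """Classify one reflected instance of `probe` from the text found between markers."""
    if between == probe:
        return "raw"              # emitted unencoded: the hotspot worth a closer look
    if between == "":
        return "dropped"
    if between == html.escape(probe, quote=True):
        return "named-entity"     # e.g. '<' -> '&lt;'
    ncr = rf"&#(?:{ord(probe)}|x0*{ord(probe):x});"
    if re.fullmatch(ncr, between, re.IGNORECASE):
        return "ncr"              # numeric character reference, decimal or hex
    if between.upper() == quote(probe, safe="").upper():
        return "url-encoded"      # e.g. '<' -> '%3C'
    return "replaced"             # something else came back in its place


def analyse(probe: str, body: bytes):
    """Decode a response body strictly, noting ill-formed UTF-8, then classify every
    marked reflection of `probe`. Returns (ill_formed_utf8, [classification, ...])."""
    try:
        text, ill_formed = body.decode("utf-8"), False
    except UnicodeDecodeError:
        text, ill_formed = body.decode("utf-8", errors="replace"), True
    pattern = re.compile(re.escape(MARK) + r"(.*?)" + re.escape(MARK), re.DOTALL)
    return ill_formed, [classify(probe, m.group(1)) for m in pattern.finditer(text)]


# Constructed response body: one page echoing the same '<' probe in several ways.
SAMPLE_BODY = (
    b'<input value="q7z&lt;q7z">\n'              # named entity
    b'<p>q7z<q7z</p>\n'                            # raw reflection
    b'<a href="/search?q=q7z%3Cq7z">link</a>\n'    # URL-encoded
    b'<span>q7z&#60;q7z</span>\n'                  # decimal NCR
    b'<span>q7zq7z</span>\n'                       # probe dropped
    b'<span>q7z?q7z</span>\n'                      # probe replaced
    b'<span>q7z\xc0\xbcq7z</span>\n'               # ill-formed bytes (overlong UTF-8)
)

if __name__ == "__main__":
    ill, kinds = analyse("<", SAMPLE_BODY)
    print("ill-formed UTF-8 in response:", ill)
    for i, kind in enumerate(kinds, 1):
        print(f"reflection {i}: {kind}")
```

Only the `raw` result is a candidate hotspot; the encoded forms show the output encoding that was applied, and `dropped`/`replaced` show a filter or transformation in the path, which is the information the next round of Unicode probes builds on.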

The types of test cases that x5s includes:

  • Traditional test cases - characters typically used to test for XSS injection such as <, >, ", and ' which are used to control HTML, CSS, or JavaScript;
  • Transformable test cases - characters that might uppercase, lowercase, normalize, best-fit map, or otherwise transform to completely different characters, e.g. the Turkish ’İ’ which will lower-case to ’i’ in culture-aware software.
  • Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the ’traditional’ test cases noted above, e.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.
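The second and third test-case types, worked through in Python as an added example (not x5s code): `overlong_utf8` builds the non-shortest form of a character for any sequence length (generalizing the 0xC0 0xBC case above), `strict_decode` shows that a conformant decoder rejects it while the toy `lenient_decode` shows the defect such a probe is looking for, and `ascii_images` lists which ASCII characters a transformable test case can collapse into under case mapping and normalization. Function names and the sample characters are my own choices; the Turkish dotted İ and the overlong `<` come from the list above.

```python
import unicodedata


def overlong_utf8(ch: str, nbytes: int = 2) -> bytes:
    """Non-shortest-form (overlong) UTF-8 encoding of a code point in `nbytes` bytes.
    RFC 3629 forbids these sequences; a conformant decoder must reject them."""
    cp = ord(ch)
    if not 2 <= nbytes <= 4:
        raise ValueError("nbytes must be 2, 3 or 4")
    payload_bits = (7 - nbytes) + 6 * (nbytes - 1)   # bits the sequence can carry
    if cp >= 1 << payload_bits:
        raise ValueError("code point does not fit in that many bytes")
    lead_marker = (0xFF << (8 - nbytes)) & 0xFF      # 0xC0, 0xE0 or 0xF0
    out = bytearray([lead_marker | (cp >> (6 * (nbytes - 1)))])
    for shift in range(6 * (nbytes - 2), -1, -6):     # continuation bytes, high to low
        out.append(0x80 | ((cp >> shift) & 0x3F))
    return bytes(out)


def strict_decode(data: bytes):
    """A conformant decoder: returns the text, or None if the bytes are ill-formed."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def lenient_decode(data: bytes) -> str:
    """Toy decoder that accepts overlong forms, i.e. the defect the overlong probes
    look for: a filter that inspects bytes ahead of such a decoder never sees '<'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif b & 0xE0 == 0xC0:
            n, cp = 2, b & 0x1F
        elif b & 0xF0 == 0xE0:
            n, cp = 3, b & 0x0F
        elif b & 0xF8 == 0xF0:
            n, cp = 4, b & 0x07
        else:
            raise ValueError(f"bad lead byte 0x{b:02x}")
        if i + n > len(data):
            raise ValueError("truncated sequence")
        for c in data[i + 1:i + n]:
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{c:02x}")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def ascii_images(ch: str) -> set:
    """ASCII strings `ch` can become under case mapping or Unicode normalization,
    with combining marks stripped afterwards to approximate best-fit mapping."""
    def fold(s: str) -> str:
        return "".join(c for c in unicodedata.normalize("NFKD", s)
                       if not unicodedata.combining(c))
    candidates = {ch.lower(), ch.upper(), ch.casefold(),
                  unicodedata.normalize("NFKC", ch)}
    folded = {fold(s) for s in candidates}
    return {s for s in folded if s and s.isascii()}


if __name__ == "__main__":
    for probe in "<>\"'":
        for n in (2, 3):
            seq = overlong_utf8(probe, n)
            print(probe, seq.hex(), "strict:", strict_decode(seq),
                  "lenient:", lenient_decode(seq))
    # Constructed transformable probes: dotted I, fullwidth '<', Kelvin sign, long s
    for ch in ("\u0130", "\uff1c", "\u212a", "\u017f"):
        print(unicodedata.name(ch), "->", sorted(ascii_images(ch)))
```

The practical reading for a defender: decode input strictly and exactly once, before any filtering, and apply the output encoding to the already-decoded, already-normalized string; a probe that returns `None` from `strict_decode` yet still reaches the page as `<` means the application's decoder behaves like `lenient_decode`.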

Requirements

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and 'fiddle' with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

