[tool] x5s - test encodings and character transformations to find XSS hotspots

From: Chris Weber (chris@casabasecurity.com)
Date: Thu Apr 08 2010 - 14:03:10 CDT

  • Next message: announcements@unicode.org: "[Unicode Announcement] Tracking proposed updates to Unicode technical publications"

    Hello everyone,
    I announced this on some of the security lists and thought folks here might find it useful as well. Casaba is happy to make x5s available for download - a specialized Web-app testing Fiddler addon aimed at helping security testers find XSS hotspots. It's main goal is to help you identify those hotspots by:

    - Detecting where safe encodings were not applied to emitted user-inputs
    - Detecting where Unicode character transformations might bypass security filters
    - Detecting where non-shortest UTF-8 encodings might bypass security filters

    The approach to finding hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected. The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences which is indicative of ‘other’ problems.

    Grab it at: http://xss.codeplex.com/

    There’s no auto-XSS validation here. X5s will highlight potential hotspots, but it’s the pen-testers job to further validate whether or not a vulnerability exists. The x5s tool may not be so intuitive, so we’ve created a quickstart tutorial to get you started after you’ve read the documentation.

    We’re releasing this as a 1.0 beta in hopes of getting feedback from the community. If you try it please send me your likes and dislikes, and any bugs or other issues you find. We’re happy to make more improvements based on feedback. Some items on our wishlist include support for parsing more Content-Types, a plan for further reducing false positives, and more test case types including well-formed and ill-formed multi-byte sequences.

    Happy bug hunting,
    Chris Weber

    This archive was generated by hypermail 2.1.5 : Thu Apr 08 2010 - 14:06:24 CDT