Got XSS? Check using the OWASP Xenotix XSS Exploit Framework

Henry Dalziel | General Hacking Posts, Hacker Hotshots, Pentesting Tools | October 21, 2013

This coming Thursday, October 24th to be precise, we have Ajin Abraham, the man behind the OWASP Xenotix XSS Exploit Framework, on Hacker Hotshots at the usual time: 12 Eastern, 10 Mountain and 9 Pacific.

What is the OWASP Xenotix XSS Exploit Framework?
The OWASP Xenotix XSS Exploit Framework is a Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Its distinguishing feature is a scanner built on three embedded browser engines (Trident, WebKit and Gecko): rather than only checking whether a payload is reflected in a response, it renders the response in real engines and reports a finding only when the payload actually executes, which is what the project's "Zero False Positive" claim refers to. We are sure Ajin will expand on this.
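To make the false-positive point concrete, here is an added example (not code from Xenotix or from Ajin) contrasting the naive check that many early scanners stopped at, "did my marker come back in the response?", with a check that requires the marker to land in a context a browser would execute (script text, an on* event handler or a javascript: URL). The marker name, the payload and the three response bodies are constructed for this example.

```python
"""Reflection is not execution: why a naive XSS check produces false positives.

Added example, not Xenotix code. The marker, payload and responses below are
constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

PROBE = "xn0t1x"                         # hypothetical per-scan marker
PAYLOAD = f"<script>{PROBE}()</script>"  # the injected test string

# Constructed responses to the same injected input:
#  - the application HTML-encodes the input, so nothing executes
ENCODED_RESPONSE = f"<html><body><p>Results for: {escape(PAYLOAD)}</p></body></html>"
#  - the application reflects it verbatim, so the script runs
RAW_RESPONSE = f"<html><body><p>Results for: {PAYLOAD}</p></body></html>"
#  - the input broke out of an attribute into an event handler
ATTR_RESPONSE = f'<html><body><a href="#" onmouseover="{PROBE}()">Results</a></body></html>'


def naive_reflected(body: str) -> bool:
    """The check a naive scanner stops at: the marker is somewhere in the
    response. True for all three constructed responses, including the safe one."""
    return PROBE in body


class ExecutionContextFinder(HTMLParser):
    """Records where the marker lands: script body, on* attribute, javascript: URL."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.contexts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value is None or PROBE not in value:
                continue
            if name.startswith("on"):
                self.contexts.append(f"event handler {name}")
            elif name in ("href", "src", "action") and value.strip().lower().startswith("javascript:"):
                self.contexts.append(f"javascript: URL in {name}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> content over as raw text, so the marker
        # only shows up here if the <script> tag itself survived unencoded.
        if self._in_script and PROBE in data:
            self.contexts.append("script body")


def executable_contexts(body: str) -> list[str]:
    """Every executable context in which the marker was found (empty = none)."""
    finder = ExecutionContextFinder()
    finder.feed(body)
    finder.close()
    return finder.contexts


def classify(body: str) -> str:
    """'absent', 'reflected-only' (the naive false positive) or 'executes'."""
    if not naive_reflected(body):
        return "absent"
    return "executes" if executable_contexts(body) else "reflected-only"


if __name__ == "__main__":
    for label, body in [("encoded", ENCODED_RESPONSE), ("raw", RAW_RESPONSE), ("attr", ATTR_RESPONSE)]:
        print(f"{label:8s} naive={naive_reflected(body)!s:5s} verdict={classify(body)}")
```

The encoded response is the false positive: the naive check fires because the marker is present, but the context check sees it only as text inside a paragraph. Even the context check is a heuristic, since HTML parsing quirks, DOM-based sinks and encoding edge cases differ from engine to engine; that is the gap an embedded real-browser renderer closes, because a marker function that phones home only does so when the engine actually ran it.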

Xenotix packs a punch: it ships what the project describes as the world's second-largest XSS payload database, more than 1,500 distinct payloads, which makes it effective both for detecting XSS and for bypassing WAFs that only filter the common payloads. It also contains an Information Gathering module intended for target reconnaissance. As an introduction (Ajin will confirm the details for us), think of Xenotix as an exploit framework bundled with offensive XSS exploitation modules, tools that make life that little bit easier for penetration testers and software testers.

What will Ajin discuss?
Whilst we were agreeing a date to get Ajin on Hacker Hotshots, he summarized what he will be discussing. In short, viewers will learn three things about Xenotix:

  • How to configure and use the Triple Render Engine XSS scanning module, which is at the heart of the tool.
  • A demonstration of how the XSS Information Gathering modules operate.
  • And, time permitting, a demonstration of the post-XSS exploitation strategies built into the XSS Exploitation modules.

Sounds good to us!

Similar Hacker Hotshots
We had a similar presentation and talk with Jeff Williams from Contrast Security. Jeff's product, Contrast (a free demo is available), covers ground similar to Xenotix on the detection side: it flags OWASP Top Ten and SANS Top 25 weaknesses, and many others, in your code. The tool also fits Agile and DevOps workflows, checks your third-party libraries, and helps generate those all-important compliance reports (PCI DSS, HIPAA, DISA AppSec STIG and so on).

We have had other similar talks, but IronWasp in particular stands out. IronWasp is an 'Open Source Web Security Testing Platform'. We had its developer Lavakumar Kuppan on the show, where he explained that the tool was designed from the ground up to be customizable, to the point where users can write their own security scanners on top of it. One thing we particularly liked about IronWasp is that, while an advanced user with Python or Ruby scripting skills can make full use of the platform, many of its features are simple enough for absolute beginners.

ThreadFix is another excellent product we'd encourage you to check out, not least because one of its core developers, Dan Cornell, has been associated with OWASP from the early days.

If testing Android apps is your thing, have a look at "Drozer" with Hacker Hotshot Daniel Bradberry.

In Summary
Xenotix looks awesome and we really look forward to welcoming Ajin on the show, not least because XSS and CSRF still plague web applications. If you are interested in attending, hit this link (the show is this Thursday, October 24, at 12 Eastern) and if you are reading this after that date, hit the link anyway because the recorded interview will be at the same URL. Also, don't forget to check out the official OWASP demo tutorials on Xenotix.

In fact, this year (2013) we have had other OWASP web shows: "OWASP Broken Web Applications VM" (which incidentally fits nicely with this Xenotix XSS show, since the deliberately vulnerable apps in that VM make a safe target to practise scanning against) and "The State of OWASP" with OWASP chairman Michael Coates.

Have you used this tool or any of the others mentioned in this post? How do you combat XSS threats? As always, we'd love your feedback.

Leave a comment or reply below...thanks!