OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework Gavriliță Cristian Cebanu Ghenadie

OWASP Top 10 2013

XSS
Some years back:
- Low ranked; it wasn't considered a great vulnerability
- SQLi, LFI, RFI, RSI... were considered the real vulnerabilities
- XSS was considered just <script>alert("XSS")</script>
- The only possibilities were phishing or cookie stealing
Now:
- Tools like BeEF, XSS Tunnel, XSSF and Shell of the Future changed the scene
- People started understanding the real threats of XSS
- Some of them are XSS tunneling, client-side code injection, DoS and DDoS, cookie stealing, malicious drive-by downloads, phishing and defacing

What is OWASP Xenotix XSS Exploit Framework
- Xenotix XSS Exploit Framework is a penetration testing tool
- It can be used to detect and exploit XSS vulnerabilities
- It is divided into an XSS Scanner and an Exploitation Framework
- Has support for Gecko, Trident and WebKit

OWASP Xenotix XSS Exploit Framework
- Version 1: 8 September 2013
- Ajin Abraham runs a successful DEF CON chapter at Kerala
- Conferences: DEFCON Bangalore-India, ClubHack, nullcon Goa, OWASP AppSec AsiaPac 2013, BlackHat Europe 2013 Arsenal, Hackmiami 2013, Confidence 2013, OHM 2013, BlackHat USA 2013 Arsenal

Versions: 4.5
- JavaScript Beautifier
- Pause and Resume support for Scan
- Jump to Payload
- Cookie Support for POST Request
- Cookie Support and Custom Headers for Header Scanner
- Added TRACE method Support
- Improved Interface
- Better Proxy Support
- WAF Fingerprinting
- Load Files (Exploitation Module)
- Hash Calculator
- Hash Detector

Versions: 5
- Xenotix Scripting Engine
- Xenotix API
- V4.5 Bug Fixes
- GET Network IP (Information Gathering)
- QR Code Generator for Xenotix xook
- HTML5 WebCam Screenshot (Exploitation Module)
- HTML5 Get Page Screenshot (Exploitation Module)
- Find Feature in View Source
- Improved Payload Count to 1630
- Name Changes

Versions: 6
- Intelli Fuzzer
- Context Based Fuzzer
- Blind Fuzzer
- IP to Location
- IP to GeoLocation
- IP Hinting
- HTML5 Geolocation API
- HTA Network Configuration
- Download Spoofer
- HTA Drive-By
- HTA Drive-By Reverse Shell
- Reverse TCP Shell Addon (Linux)
- OAuth 1.0a Request Scanner
- JSFuck 6 Char Encoder
- jjencode Encoder
- aaencode Encoder
- 4800+ Payloads
- SSL Error Fixed

Unique features
- Zero False Positive
- Triple Browser Engine Support
- 2nd Largest XSS Payload collection
- Xenotix API
- Python Scripting Engine with Triple Browser Engine Rendering and XSS Payload Support
- Top 5th Security Tool of 2013
- Toolsmith Tool of the Month 2013

Scanner Module
- Manual XSS Scanner
- Automode XSS Scanner
- MultiParameter XSS Scanner
- XSS Fuzzer
- XSS Filter Bypassing
- XSS Payload Encoder
- 4800+ XSS Payloads
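The XSS slide above lists cookie stealing and drive-by downloads as the real impact, and the scanner module lists filter bypassing and payload encoding as its tools. What ties the two together is the one decision every reflected-XSS scanner makes: did my input come back raw, encoded, or altered by a filter? The following is an added example written for this page, not Xenotix's own code and not its API. It uses a constructed vulnerable handler and its hardened counterpart as stand-ins for an HTTP endpoint, a unique probe token (the `xprobe` prefix is an assumption chosen here), and a classifier that reports the four outcomes a scanner acts on.

```python
# Added example (not Xenotix code): the core decision a reflected-XSS scanner
# makes, and the server-side fix that turns a "raw" reflection into a safe one.
import html
import secrets

PROBE_PREFIX = "xprobe"  # assumption: arbitrary marker prefix for this example


def make_probe():
    """Return (token, probe). The token is a unique alphanumeric marker so the
    scanner can recognise its *own* input in the response; the probe wraps it
    in the characters an injected tag would need (a quote and angle brackets)."""
    token = PROBE_PREFIX + secrets.token_hex(4)
    return token, f'"<{token}>'


def render_vulnerable(name):
    """Constructed vulnerable handler: user input concatenated into HTML."""
    return f"<p>Hello {name}</p>"


def render_hardened(name):
    """Same handler with HTML-context output encoding applied."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_filtered(name):
    """Constructed handler with a naive blacklist filter that strips angle
    brackets but leaves everything else (the case where encoders and filter
    bypass payloads come into play)."""
    return render_vulnerable(name.replace("<", "").replace(">", ""))


def classify_reflection(body, token, probe):
    """Classify how the probe came back in a response body.

    raw      - probe reflected verbatim: a candidate, not a confirmed XSS
               (a raw reflection inside an HTML comment, for example, does
               not execute; confirmation needs rendering in a real engine)
    escaped  - reflected with metacharacters HTML-encoded: safe in HTML context
    filtered - token present but metacharacters stripped or altered: a filter
               is in play
    absent   - input not reflected at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    if token in body:
        return "filtered"
    return "absent"


def scan_parameter(handler):
    """Send one fresh probe through a handler (a stand-in for an HTTP request)
    and return the verdict for that parameter."""
    token, probe = make_probe()
    return classify_reflection(handler(probe), token, probe)


if __name__ == "__main__":
    handlers = [("vulnerable", render_vulnerable),
                ("hardened", render_hardened),
                ("filtered", render_filtered)]
    for label, fn in handlers:
        print(f"{label}: {scan_parameter(fn)}")
```

The "raw" verdict is exactly where string-matching scanners produce false positives: the input is in the page, but whether it executes depends on the surrounding markup. That is the point of the triple-engine rendering the slides claim for the scanner: a verdict is confirmed by letting Gecko, Trident or WebKit actually execute the page rather than by matching text. On the defender's side, the hardened handler shows that the `<script>alert("XSS")</script>` of the XSS slide becomes inert text once output is encoded for its HTML context.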

Exploitation Module
- XSS Keylogger
- XSS Executable Drive-by Download
- XSS Reverse Shell
- XSS HTML5 DDoSer (CORS + WebSocket)
- XSS Cookie Thief

Burp Suite
- An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
- An application-aware Spider, for crawling content and functionality.
- An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
- An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
- A Repeater tool, for manipulating and resending individual requests.
- A Sequencer tool, for testing the randomness of session tokens.
- The ability to save your work and resume working later.
- Extensibility, allowing you to easily write your own plugins to perform complex and highly customized tasks within Burp.

The Zed Attack Proxy (ZAP)
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and, as such, is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Conclusions
- Xenotix XSS Exploit Framework can be used by security analysts for XSS hunting
- Most commercial tools available are either XSS scanners or XSS exploitation tools
- Xenotix is the first of its kind to act as both a vulnerability scanner and an exploitation framework, and it is completely free
Tutorials: https://www.youtube.com/watch?v=loZSdedJnqc&list=PLX3EwmWe0cS9fMj1SOTKo8lgm-9XGNzPT