XSS exploiting tool

Our original post regarding x5s can be found here. That was version 1.0 beta. Now, we have x5s version 1.0.1 beta!

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. It acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?

This is the change log for the update:

  • Fixed bug where requests for HTTPS were wrongly going to HTTP.
  • Fixed a bug where the Content-Length wasn’t being updated for POST requests, causing failures from the server.
  • Changed the layout of the results tab to make the datagrid view sizeable.

Download x5s version 1.0.1 beta here.


We see how ESET treats its websites and the security of their users.

Cross-site scripting (XSS), HTML injection and open redirect vulnerabilities on eset.com, kb.eset.com and nod32.ch

Some proofs of concept and screenshots we found on the internet …

Now it's time for Nod32 XSS Defacement

Redirect from eset.com to Kaspersky website POC Click Here

Now many scammers and malicious people can take advantage: they can inject JavaScript code to redirect users to phishing scam pages. So take care, Nod32 users …

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. By auto-injecting special character-probes x5s can detect where an emitted character may be ill-encoded or transformed and vulnerable to XSS attacks. The methodology used by x5s is to inject small probes which do not constitute a working XSS payload. In other words, x5s will not inject XSS payloads anywhere, it merely aims to identify character encoding and transformation issues that lead to XSS.

We have talked in detail about Fiddler here.

x5s: An Automated XSS Testing Assistant!

x5s acts as an assistant to the security tester by speeding up XSS testing parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work, which often involves sending input to an application and reviewing how that input was later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?

x5s does not inject XSS payloads – it does not attempt to exploit or confirm an XSS vulnerability. It’s designed to draw your attention to the fields and parameters which seem likely candidates. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see the areas likely vulnerable to XSS. After identifying a hot-spot it’s the tester’s job to perform further validation and XSS testing.

x5s can be used by security auditors and testers before they perform any technical assessment of the code.

The three types of test cases that x5s includes:
1. Traditional test cases – characters typically used to test for XSS injection such as <, >, ", and ' which are used to control HTML, CSS, or JavaScript;
2. Transformable test cases – characters that might uppercase, lowercase, normalize, best-fit map, or otherwise transform to completely different characters, e.g. the Turkish ‘İ’ which will lower-case to ‘i’ in culture-aware software.
3. Overlong UTF-8 test cases – non-shortest UTF-8 encodings of the ‘traditional’ test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.
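
The second and third test-case types can also be checked for on the receiving side. The following is an added example, not part of x5s or of the original post: it flags non-shortest-form UTF-8 encodings of ASCII characters in raw input and lists non-ASCII characters that case mapping or NFKC normalization turns into ASCII. The function names and sample values are constructed for illustration.

```python
import unicodedata

def find_overlong(data: bytes):
    """Return (offset, char) for each overlong UTF-8 encoding of an ASCII char."""
    hits, i = [], 0
    while i < len(data):
        b = data[i]
        # 2-byte overlong: 1100000x 10xxxxxx encodes a code point below 0x80
        if b in (0xC0, 0xC1) and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            hits.append((i, chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))))
            i += 2
            continue
        # 3-byte overlong: 11100000 1000000x 10xxxxxx
        if (b == 0xE0 and i + 2 < len(data) and data[i + 1] in (0x80, 0x81)
                and data[i + 2] & 0xC0 == 0x80):
            cp = ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            hits.append((i, chr(cp)))
            i += 3
            continue
        i += 1
    return hits

def risky_transforms(text: str):
    """List (char, transform, result) where a non-ASCII char maps into ASCII."""
    ops = {
        "lower": str.lower,
        "upper": str.upper,
        "NFKC": lambda s: unicodedata.normalize("NFKC", s),
    }
    found = []
    for ch in text:
        if ch.isascii():
            continue
        for name, op in ops.items():
            out = op(ch)
            if out != ch and any(c.isascii() for c in out):
                found.append((ch, name, out))
    return found

# Constructed samples: overlong '<' and '>' in a byte string, and a string
# holding the Turkish capital dotted I (U+0130) and a fullwidth '<' (U+FF1C).
SAMPLE_BYTES = b"q=\xc0\xbcb\xe0\x80\xbe"
SAMPLE_TEXT = "\u0130d=\uff1cb"

if __name__ == "__main__":
    print(find_overlong(SAMPLE_BYTES))
    # Python's lower() is not culture-aware: U+0130 becomes 'i' + U+0307.
    print(risky_transforms(SAMPLE_TEXT))
```

Python's own strict UTF-8 decoder rejects `SAMPLE_BYTES` outright, so input should be decoded strictly and normalized before it is validated and output-encoded.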

Download x5s version 1.0 beta here
