Difference between revisions of "OWASP Xenotix XSS Exploit Framework"

SCANNER MODULES

• GET Request Fuzzer
• POST Request Fuzzer
• Advanced Request Fuzzer
• OAuth 1.0a Request Scanner
• DOM Scanner
  • DOM XSS Analyzer
  • Local DOM XSS Analyzer
• Hidden Parameter Detector

INFORMATION GATHERING MODULES

• WAF Fingerprinting
• Victim Fingerprinting
  • IP to Location
  • IP to GeoLocation
• Network
  • Network IP (WebRTC)
  • Ping Scan
  • Port Scan
  • Internal Network Scan
• Browser
  • Fingerprinting
  • Features Detector
  • HSTS+ CSP Visited Sites Grabber

EXPLOITATION MODULES

• Send Message
• Cookie Thief
• Keylogger
• HTML5 DDoSer
• Load File
• Grab Page Screenshot
• JavaScript Shell
• Reverse HTTP WebShell
• Metasploit Browser Exploit
• Social Engineering
  • Phisher
  • Tabnabbing
  • Live WebCam Screenshot
  • Download Spoofer
  • Geolocation HTML5 API
  • Java Applet Drive-By (Windows)
  • Java Applet Drive-By Reverse Shell (Windows)
  • HTA Network Configuration (Windows, IE)
  • HTA Drive-By (Windows, IE)
  • HTA Drive-By Reverse Shell (Windows, IE)
• Firefox Addons
  • Reverse TCP Shell Addon (Windows, Persistent)
  • Reverse TCP Shell Addon (Linux, Persistent)
  • Session Stealer Addon (Persistent)
  • Keylogger Addon (Persistent)
  • DDoSer Addon (Persistent)
  • Linux Credential File Stealer Addon (Persistent)
  • Drop and Execute Addon (Persistent)

AUXILIARY MODULES

• WebKit Developer Tools
• Encoder/Decoder
• JavaScript Encoders
  • JSFuck 6 Char Encoder
  • jjencode Encoder
  • aaencode Encoder
• JavaScript Beautifier
• Hash Calculator
• Hash Detector
• View Injected JavaScript
• View XSS Payloads

XENOTIX SCRIPTING ENGINE

• Xenotix API
• IronPython Scripting Support
• Trident and Gecko Web Engine Support

NULLCON GOA 2013

CLUBHACK 2012

IMPORTANT

Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

Latest Release

SHA256: 68096d574aacf51cea46708d473d5c6b13d3b5039c8f3587d2325c9bdefdcbc1

Requirements

• Microsoft .NET Framework 4.5 http://www.microsoft.com/en-in/download/details.aspx?id=30653
• IronPython 2.7.3 http://ironpython.codeplex.com/downloads/get/423690 [If you are using Scripting Engine]

Older Versions

• Version 6.1 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.1.zip | MD5: 17c703f90dbb4f09b112284232bbb69f
• Version 6.1 Mirror: https://drive.google.com/file/d/0B_Ci-1YbMqshNm5WRlRRTllqcG8/view | MD5: 17c703f90dbb4f09b112284232bbb69f
• Version 6 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V6.zip | MD5: 54a2335e35c47b1e5a87b163088c63ff
• Version 5 http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar | MD5: bdfce2d4af4012ecc20b86bed876a54a
• Version 4.5 http://opensecurity.in/downloads/Xenotix_XSS_Exploit_Framework_v4.5.rar
• Version 4 https://www.dropbox.com/s/ookdse6pyszh736/Xenotix%20XSS%20Exploit%20Framework%20V4.rar
• Version 3 https://www.owasp.org/index.php/File:OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
• Version 2 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploit_Framework_2013_v2.zip
• Version 1 https://www.owasp.org/index.php/File:Xenotix_XSS_Exploitation_Framework.zip

Source

• GitHub https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework/

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

WHAT'S NEW!

V6.1 Changes

• Bug Fixes
• Updated QuickPHP Server
• Local DOM XSS Analyzer

V6 Changes

• Intelli Fuzzer
• Context Based Fuzzer
• Blind Fuzzer
• HTA Network Configuration
• HTA Drive-By
• HTA Drive-By Reverse Shell
• JSFuck 6 Char Encoder
• jjencode Encoder
• aaencode Encoder
• IP to Location
• IP to GeoLocation
• IP Hinting
• Download Spoofer
• HTML5 Geolocation API
• Reverse TCP Shell Addon (Linux)
• OAuth 1.0a Request Scanner
• 4800+ Payloads
• SSL Error Fixed

V5 Changes

• Xenotix Scripting Engine
• Xenotix API
• V4.5 Bug Fixes
• GET Network IP (Information Gathering)
• QR Code Generator for Xenotix xook
• HTML5 WebCam Screenshot(Exploitation Module)
• HTML5 Get Page Screenshot (Exploitation Module)
• Find Feature in View Source.
• Improved Payload Count to 1630
• Name Changes

V4.5 Changes

• JavaScript Beautifier
• Pause and Resume support for Scan
• Jump to Payload
• Cookie Support for POST Request
• Cookie Support and Custom Headers for Header Scanner
• Added TRACE method Support
• Improved Interface
• Better Proxy Support
• WAF Fingerprinting
• Load Files <exploitation module>
• Hash Calculator
• Hash Detector

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

Support Us

• Twitter Page: Xenotix on Twitter
• Facebook Page: Xenotix on Facebook
• Official Page: [Xenotix @ OpenSecurity]

Feedback & Queries

• Do you have any issues with it?
• Do you find any design flows or errors?
• Do you need help in using it?
• Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

Development

Are you a developer? Do you have some cool ideas to contribute? Get in touch via ajin [DOT] abraham [AT] owasp.org If you actively contribute to Xenotix then you will be invited to join the project.