February 13, 2009

XSS Testing Acceptance Tools Software Frameworks comparison

This post covers the free and paid tools and software available for XSS (Cross-Site Scripting) testing. These tools are not specific to any programming language and can be used with .NET, Java, J2EE, PHP, Ruby or Python web applications.

These days I was researching good tools to test for XSS vulnerabilities on a given website. I came across a couple of tools; following are the results of my experience with them.
  • Paid Tools
  1. IBM App Scan : App Scan looks like a good tool, but its free edition can only be used against IBM's own test site, so it was of no use to me. But for companies with money to spend, it looks like a good solution, as Salesforce is using it.
  2. WebInspect : This looks like a good product from HP. But the problem is it's not free, and the dependency on MS SQL Server 2005 makes it even more difficult to install and use. But for companies with money to spend, it looks like a good solution, as Salesforce is using it.
  • FREE Tools (Automatic/semi automatic)
  1. Firefox GreaseMonkey plugin with the user script provided by whiteacid : This solution didn't work at all for me. I tried to hit "User Script Commands > Start XSSing Forms" on my required forms, but nothing happened.
  2. Nikto : It's a good tool for scanning web servers for problems. Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version-specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). This can be useful to test your web servers for various port and known security limitations. It's used by Salesforce for their security checks, so you can be assured of its quality, and it's free :).
  3. XSS Me : This tool is a Firefox plugin. It's the one I enjoyed working with most. It's pretty simple to use: you can run an XSS test on any web form opened in Firefox merely by right-clicking, selecting "Open XSS Me SideBar" and hitting "Test All forms with all attacks". The scanning reports are good and pretty detailed too. It's a great tool to use and it's free.
  4. SQL Inject Me : Again from the same company as XSS Me. It's for testing SQL Injection, with a similar interface to XSS Me. Definitely a tool that I would recommend. Again, it's free.
  • FREE Proxy based manual testing tools
  1. Burp Proxy : Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions. So it's again a manual testing tool, and it's free.
  2. Fiddler : Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
  3. Paros Proxy : Paros is a good tool for manually tampering with GET and POST requests. So one can modify any outgoing request parameter with JavaScript XSS material like script tags, eval etc. for testing. The only issue with this is that you need to change the proxy settings in your browser to point to Paros to make it work.
  4. OWASP WebScarab Project : It's a proxy-based testing tool from OWASP. It's written in Java and allows you to intercept and modify HTTP and HTTPS requests.
  5. WebScarab (Next Generation) Project : WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the Spring Rich Client Platform  to provide the user interface features.
  6. etc.
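The form probing that XSS Me and the proxies above do by hand can also be kept as a regression check in your own test suite. The following is an added example, not code from the post or from any of the tools listed: it submits a harmless marker element through a query parameter and reports whether the page reflects it unescaped, reflected-but-encoded, or not at all. The two renderers are constructed stand-ins for a real application; `q` is an assumed parameter name.

```python
# Added example (not from the original post): a minimal acceptance check for
# reflected XSS. A harmless marker element is sent through one parameter and
# the response is classified. Two constructed renderers stand in for a real app.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

MARKER_TAG = "xss-probe"          # unique element name; nothing executes
MARKER = f"<{MARKER_TAG}></{MARKER_TAG}>"

def vulnerable_render(query: str) -> str:
    """Constructed 'before' page: echoes the search term raw into the HTML."""
    q = parse_qs(query).get("q", [""])[0]
    return f"<html><body><p>Results for: {q}</p></body></html>"

def fixed_render(query: str) -> str:
    """Constructed 'after' page: the same page with output encoding applied."""
    q = parse_qs(query).get("q", [""])[0]
    return f"<html><body><p>Results for: {html.escape(q)}</p></body></html>"

class _TagFinder(HTMLParser):
    """Records whether the marker came back as a real element."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == MARKER_TAG:
            self.found = True

def reflected_unescaped(page: str) -> bool:
    """True when the marker was parsed as an element, i.e. not encoded."""
    finder = _TagFinder()
    finder.feed(page)
    return finder.found

def probe(render, param: str = "q") -> dict:
    """Send the marker through one parameter and classify the reflection."""
    page = render(urlencode({param: MARKER}))
    if reflected_unescaped(page):
        verdict = "UNESCAPED"          # output encoding is missing
    elif MARKER in html.unescape(page):
        verdict = "ESCAPED"            # reflected, but as text
    else:
        verdict = "NOT REFLECTED"
    return {"param": param, "verdict": verdict}

if __name__ == "__main__":
    print(probe(vulnerable_render))   # {'param': 'q', 'verdict': 'UNESCAPED'}
    print(probe(fixed_render))        # {'param': 'q', 'verdict': 'ESCAPED'}
```

Against a live application, `render` would be replaced by a function that performs the HTTP request and returns the body; an "UNESCAPED" verdict is the case to treat as a failed build.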