It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident[IE], WebKit[Mozilla], and Gecko[Chrome]) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. XSS is one of the top 3rd Vulnerability in the OWASP 2013 Web application Vulnerabilities list. Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows the attackers to inject client-side script into web pages viewed by other users
It has got various modules
SCANNER MODULES includes
which actually manully allow you to check all payload one by one
this feature allow you to auto mate the payload execution to your target
this scan and check for xss based on dom (Document Object Model)
this is use for checking for xss based on multiple parameter
this allows you to check for xss on post request whcih helps a lot in modern technology based website
check in the header part for xss attack
xss fuzzer allow you an option to scan on user independednt parameter by just putting [X] int he parameter
this feature allow you to detect parameter for xss attack automatically.
Xenotix has also go the INFORMATION GATHERING MODULES which helps you on Enumeration target and get enough information on victim url
some of its feature are
It also has EXPLOITATION MODULES Which has a Great option to exploit any xss vulnerable target
Xenotix has 1500+ payload for checking xss attack on any url. Ajin Abraham is the creator of OWASP Xenotix XSS Exploit Framework.
Ajin has already posted white paper at
also posted video tutorial you can just have practical demo.
enough about tool lets try Practically explore a target for detecting xss attack.
lets take http://www.webopedia.com/ (Alexa Rank Global 4631 ,India Flag 920)as example
now it has a search box now we will explore more on it and find our xss attack on it.
so first of all download Xenotix Here
After downloading open Xenotix XSS Exploit Framework.exe
first of all set the configur server and give your ip 192.168.xxx.xxx and port to be xxyz then click on start
next just search for darksite.co.in on www.webopedia.com and get the ulr you will see something like this
http://www.webopedia.com/sgsearch/results?cx=partner-pub-8768004398756183%3A6766915980&cof=FORID%3A10&ie=UTF-8&q=darksite.co.inso we see some thing like q=..... so that is our vulnreable parameter lets exploit it using xenotix
So here it is we got our xss at now put the url at the address box and then go to scanner on menu bar and select manual mode
http://www.webopedia.com/sgsearch/results?cx=partner-pub-8768004398756183:6766915980&cof=FORID:10&ie=UTF-8&q=*<*script*>*+*alert("XSS")*<*/*SCRIPT*>*so finally we got the xssed :)
(remove '*' from url)
so later on i will try to put some more tutorial using xenotix utilizing its different features
trust me its one of the best tool for xss attack and using this i got many such xss on top rated sites.
do explore more and if you have any query do comments/Suggestion for Improvements below