Menu
 

Hi everyone today i am going give you a brief explanation on Xenotix Tool It is a tool specially crafted for detecting XSS And Exploiting the Attack.
It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident[IE], WebKit[Mozilla], and Gecko[Chrome]) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. XSS is one of the top 3rd Vulnerability in the OWASP 2013 Web application Vulnerabilities list. Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows the attackers to inject client-side script into web pages viewed by other users
xenotix
Xenotix Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.
It has got various modules
SCANNER MODULES includes
  • Manual Mode Scanner
    which actually manully allow you to check all payload one by one
  • Auto Mode Scanner
    this feature allow you to auto mate the payload execution to your target
  • DOM Scanner
    this scan and check for xss based on dom (Document Object Model)
  • Multiple Parameter Scanner
    this is use for checking for xss based on multiple parameter
  • POST Request Scanner
    this allows you to check for xss on post request whcih helps a lot in modern technology based website
  • Header Scanner
    check in the header part for xss attack
  • Fuzzer
    xss fuzzer allow you an option to scan on user independednt parameter by just putting [X] int he parameter
  • Hidden Parameter Detector
    this feature allow you to detect parameter for xss attack automatically.

    Xenotix has also go the INFORMATION GATHERING MODULES which helps you on Enumeration target and get enough information on victim url

    some of its feature are
  • Victim Fingerprinting
  • Browser Fingerprinting
  • Browser Features Detector
  • Ping Scan
  • Port Scan
  • Internal Network Scan

    It also has EXPLOITATION MODULES Which has a Great option to exploit any xss vulnerable target
  • Send Message
  • Cookie Thief
  • Phisher
  • Tabnabbing
  • Keylogger
  • HTML5 DDoSer
  • Executable Drive By
  • JavaScript Shell
  • Reverse HTTP WebShell
  • Drive-By Reverse Shell
  • Metasploit Browser Exploit
  • Firefox Reverse Shell Addon (Persistent)
  • Firefox Session Stealer Addon (Persistent)
  • Firefox Keylogger Addon (Persistent)
  • Firefox DDoSer Addon (Persistent)
  • Firefox Linux Credential File Stealer Addon (Persistent)
  • Firefox Download and Execute Addon (Persistent)

    Xenotix has 1500+ payload for checking xss attack on any url. Ajin Abraham is the creator of OWASP Xenotix XSS Exploit Framework.
    Ajin has already posted white paper at
  • Exploit-db Xss Attack
  • Packet Storm XSS By ajinEtc

    also posted video tutorial you can just have practical demo.


    enough about tool lets try Practically explore a target for detecting xss attack.

    lets take http://www.webopedia.com/ (Alexa Rank Global 4631 ,India Flag 920)as example
    now it has a search box now we will explore more on it and find our xss attack on it.
    so first of all download Xenotix Here
    After downloading open Xenotix XSS Exploit Framework.exe
    first of all set the configur server and give your ip 192.168.xxx.xxx and port to be xxyz then click on start
    next just search for darksite.co.in on www.webopedia.com and get the ulr you will see something like this
    http://www.webopedia.com/sgsearch/results?cx=partner-pub-8768004398756183%3A6766915980&cof=FORID%3A10&ie=UTF-8&q=darksite.co.in
    so we see some thing like q=..... so that is our vulnreable parameter lets exploit it using xenotix
    So here it is we got our xss at now put the url at the address box and then go to scanner on menu bar and select manual mode
    detecting xss with xenotix
    keep clicking next exploit and it run concurrently three different browser
    http://www.webopedia.com/sgsearch/results?cx=partner-pub-8768004398756183:6766915980&cof=FORID:10&ie=UTF-8&q=*<*script*>*+*alert("XSS")*<*/*SCRIPT*>*
    (remove '*' from url)
    so finally we got the xssed :)
    exploiting xss with xenotix
    So this is how we just tried a basic use of xenotix fro exploit xss
    so later on i will try to put some more tutorial using xenotix utilizing its different features
    trust me its one of the best tool for xss attack and using this i got many such xss on top rated sites.
    do explore more and if you have any query do comments/Suggestion for Improvements below
  • Post a Comment

    Feel Free To Ask Your Query we Love To Answer

     
    Top