OWASP Xelenium Project

= Main =

Hello Everyone,

Warm Greetings!!! Welcome to the official page of OWASP Xelenium project!!!

Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java swing.

Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.

Current version of Xelenium can be found here: http://sourceforge.net/projects/xeleniumsecurit/. Current version helps the user in identifying the Cross Site Scripting (XSS) threats present in the web application. In the subsequent versions, Xelenium will be enhanced such that it could identify other leading threats.

Please refer the road map for future plans.

Overview
Xelenium is an automation testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses ‘Selenium - Webdriver’ as its engine and has been developed using Java swing.

Selenium – Webdriver is an open source functional testing tool and is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/.

Pre-requisite
Following are the pre-requisites of Xelenium:

1. Mozilla Firefox (versions: 3.0, 3.5, 3.6, 4.0, 5.0, 6, 7) Note: Xelenium works with all the version of Firefox browsers that are supported by Selenium Webdriver. Please refer the Seleniumhq website for up-to-date information.

2. Java 1.6 or above

How it works?
Xelenium captures the details of web pages that are required to be scanned, and during scanning, it performs scan on each of the text fields present in the web page by making http requests to the respective pages.

Http requests are made using Selenium Htmlunit driver and call are made concurrently using Java threads.

Steps to use
Following are the steps that need to be followed to perform scan using Xelenium:

1. Download the xelenium.jar file and double click on it. Xelenium will be launched as shown below:



2. Enter the url of the application under test in ‘Enter URL’ field and click on the ‘Capture Pages’ button. Note: Please ensure to provide the url starting with either http:// or https:// 3. Xelenium will launch the Firefox browser and display the web page of the provided url. 4. Navigate to the required pages that need to be scanned. 5. Close the browser. 6. URL details of the navigated pages will be displayed in the ‘Captured Pages’ list box.



7. You can remove the unwanted url using the ‘Remove’ button present under ‘Captured Pages’ list box. 8. Navigate to the ‘Attack Vector’ section and select the required XSS attack vectors from the ‘Available Attack Vectors’ list box.



9. Add the required attack vectors using the ‘Attack Vector’ field. Note: Please *ONLY* use the attack vectors that trigger the javascript alert box (i.e., attack vector that uses the javascript method alert). 10. Navigate back to the ‘Capture & Scan’ tab and click on the ‘Perform XSS Scan’ button. 11. Selenium will execute series of tests with selected attack vectors against the urls listed in ‘Captured Pages’ list box. 12. Once the scan is completed, Xelenium will launch the results page with the details of attack results.



13. ‘Log’ tab would provide us with the details about the scan and the details of any exceptions.



Predefined Values
In a web page form that contains multiple fields, Xelenium attacks each of the fields with the attack vectors selected in the ‘Attack Vectors’ tab. During the attack, Xelenium supplies the fields of the webpage that are not under attack with a predefined string ‘abcdef’.

This default behavior would not work with the web pages that require the text fields to be supplied with predefined string format as below:

1. Email field 2. Phone number 3. Dates 4. Numbers only field etc.

Users can use the ‘Predefine Values’ tab of Xelenium to handle such text fields. ‘Predefine Values’ tab lists the details of the text fields that are present under each of the web pages captured in ‘Captured Pages’ list box of ‘Capture & Scan’ tab.



Following formats can be used to generate the dynamic texts during the scan: : Generates the random text value (of length 6). : Generates the random text value of length 6. : Generates the random number value with 8 digits. : Generates the random number between 1000 and 5000. .@gmail.com: Generates the text value similar to abdcei.kjhuiew@gmail.com. 823: Generates the number value similar to 8238934122. , : Generates the text value similar to 89, denver street. //2012: Generates a date value similar to 7/22/2012.  Feb, : Generate a date value similar to 24 Feb, 2008.

Password Protected Pages
Xelenium supports the scanning of password protected pages as well. To scan the password protected pages, capture the pages that are password protected and mention the login credentials in the ‘Login Creds’ section as mentioned below:



Subsequent Releases
In the subsequent releases, Xelenium will be enhanced to handle other leading security testing vulnerabilities.

In the next release, Xelenium will be enhanced to handle ‘DOM based XSS’ vulnerability of the web pages.

= Project About =