OWASP Xelenium Project

Jump to: navigation, search
This page contains out-of-date content. Please help OWASP to FixME.
Last revision (yyyy-mm-dd): August 2012
Comment: The page should be updated, archived or redirected to something better.


Hello Everyone,

Warm Greetings!!! Welcome to the official page of OWASP Xelenium project!!!

Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java swing.

Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.

Current version of Xelenium can be found here: http://sourceforge.net/projects/xeleniumsecurit/. Current version helps the user in identifying the Cross Site Scripting (XSS) threats present in the web application. In the subsequent versions, Xelenium will be enhanced such that it could identify other leading threats.

Please refer the road map for future plans.


Xelenium is an automation testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses ‘Selenium - Webdriver’ as its engine and has been developed using Java swing.

Selenium – Webdriver is an open source functional testing tool and is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/.


Following are the pre-requisites of Xelenium:

1. Mozilla Firefox (versions: 3.0, 3.5, 3.6, 4.0, 5.0, 6, 7) Note: Xelenium works with all the version of Firefox browsers that are supported by Selenium Webdriver. Please refer the Seleniumhq website for up-to-date information.

2. Java 1.6 or above

How it works?

Xelenium captures the details of web pages that are required to be scanned, and during scanning, it performs scan on each of the text fields present in the web page by making http requests to the respective pages.

Http requests are made using Selenium Htmlunit driver and call are made concurrently using Java threads.

Steps to use

Following are the steps that need to be followed to perform scan using Xelenium:

1. Download the xelenium.jar file and double click on it. Xelenium will be launched as shown below:

Image 1.jpg

2. Enter the url of the application under test in ‘Enter URL’ field and click on the ‘Capture Pages’ button. Note: Please ensure to provide the url starting with either http:// or https:// 3. Xelenium will launch the Firefox browser and display the web page of the provided url. 4. Navigate to the required pages that need to be scanned. 5. Close the browser. 6. URL details of the navigated pages will be displayed in the ‘Captured Pages’ list box.

Image 2.jpg

7. You can remove the unwanted url using the ‘Remove’ button present under ‘Captured Pages’ list box. 8. Navigate to the ‘Attack Vector’ section and select the required XSS attack vectors from the ‘Available Attack Vectors’ list box.

Image 3.jpg

9. Add the required attack vectors using the ‘Attack Vector’ field. Note: Please *ONLY* use the attack vectors that trigger the javascript alert box (i.e., attack vector that uses the javascript method alert()). 10. Navigate back to the ‘Capture & Scan’ tab and click on the ‘Perform XSS Scan’ button. 11. Selenium will execute series of tests with selected attack vectors against the urls listed in ‘Captured Pages’ list box. 12. Once the scan is completed, Xelenium will launch the results page with the details of attack results.

Image 4.jpg

13. ‘Log’ tab would provide us with the details about the scan and the details of any exceptions.

Image 5.jpg

Predefined Values

In a web page form that contains multiple fields, Xelenium attacks each of the fields with the attack vectors selected in the ‘Attack Vectors’ tab. During the attack, Xelenium supplies the fields of the webpage that are not under attack with a predefined string ‘abcdef’.

This default behavior would not work with the web pages that require the text fields to be supplied with predefined string format as below:

1. Email field 2. Phone number 3. Dates 4. Numbers only field etc.

Users can use the ‘Predefine Values’ tab of Xelenium to handle such text fields. ‘Predefine Values’ tab lists the details of the text fields that are present under each of the web pages captured in ‘Captured Pages’ list box of ‘Capture & Scan’ tab.

Image 6.jpg

Following formats can be used to generate the dynamic texts during the scan: <str>: Generates the random text value (of length 6). <str,8>: Generates the random text value of length 6. <num,8>: Generates the random number value with 8 digits. <num,1000,5000>: Generates the random number between 1000 and 5000. <str,6>.<str,7>@gmail.com: Generates the text value similar to abdcei.kjhuiew@gmail.com. 823<num,7>: Generates the number value similar to 8238934122. <num,2>,<str,6> <str,6>: Generates the text value similar to 89, denver street. <num,1,12>/<num,1,30>/2012: Generates a date value similar to 7/22/2012. <num,1,28> Feb, <num,1975,2012>: Generate a date value similar to 24 Feb, 2008.

Password Protected Pages

Xelenium supports the scanning of password protected pages as well. To scan the password protected pages, capture the pages that are password protected and mention the login credentials in the ‘Login Creds’ section as mentioned below:

Image 7.jpg

Subsequent Releases

In the subsequent releases, Xelenium will be enhanced to handle other leading security testing vulnerabilities.

In the next release, Xelenium will be enhanced to handle ‘DOM based XSS’ vulnerability of the web pages.

Project About

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Xelenium
Purpose: Xelenium is a security testing automation tool that helps the user in identifying the security vulnerabilities present in the application. Xelenium uses powerful features of open source functional test automation tool - Selenium in identifying the security threats.
License: GNU GPL v3
who is working on this project?
Project Leader(s):
  • Vasanthkumar Velayudham @
Project Contributor(s):
  • Tarunkumar Bahaduria @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: [Current Status:

Current version of Xelenium allows the user in identifying Cross Site Scripting (XSS) threats present in the web application.


Addressing the current limitations of Xelenium

- Support for textboxes present in multiple iframes of a window. - Support for predefined values of the field.


Including the feature to identify DOM based XSS in web application.

Sep - Oct'12:

Including the feature to identify HTTP Splitting bugs in web application.

Nov - Dec'12:

Including the feature to identify SQL injection bugs in web application. View]

Key Contacts
  • Contact Vasanthkumar Velayudham @ to contribute to this project
  • Contact Vasanthkumar Velayudham @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases