OWASP Xelenium Project

From OWASP
Revision as of 14:11, 5 August 2012 by V Vasanthkumar (Talk | contribs)



Main

Hello Everyone,

Warm Greetings!!! Welcome to the official page of 'OWASP Xelenium' project!!!

Xelenium is a security testing tool that can be used to identify security vulnerabilities present in a web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java Swing.

Xelenium has been designed to require very few inputs from the user in the process of discovering bugs.

The current version of Xelenium can be found here: http://sourceforge.net/projects/xeleniumsecurit/. The current version helps the user identify Cross Site Scripting (XSS) threats present in a web application. In subsequent versions, Xelenium will be enhanced so that it can identify other leading threats.

Please refer to the road map for future plans.

Overview

Xelenium is an automated testing tool that can be used to identify security vulnerabilities present in a web application. Xelenium uses 'Selenium WebDriver' as its engine and has been developed using Java Swing.

Selenium WebDriver is an open source functional testing tool that is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/.

Pre-requisite

Following are the pre-requisites of Xelenium:

1. Mozilla Firefox (versions: 3.0, 3.5, 3.6, 4.0, 5.0, 6, 7)
   Note: Xelenium works with all versions of Firefox that are supported by Selenium WebDriver. Please refer to the SeleniumHQ website for up-to-date information.
2. Java 1.6 or above

How does it work?

Xelenium captures the details of the web pages that are to be scanned. During scanning, it tests each text field present in a web page by submitting HTTP requests to the respective page.

HTTP requests are made using the Selenium HtmlUnit driver, and the calls are made concurrently using Java threads.
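The check described above, as an added example that is not Xelenium's own code: Xelenium drives Firefox and HtmlUnit from Java, whereas this Python example replaces the browser and the HTTP round trip with a constructed in-process render function (the "application under test") so that it runs offline. The scanner discovers the text fields on a page, fills each one with each attack vector (each vector carries a unique marker so a hit can be traced to one field), submits the forms concurrently on a thread pool, and reports only fields whose payload comes back unencoded. A constructed vulnerable renderer and a hardened one that applies output encoding show why the second produces no finding. The attack vectors, field names, renderers and the `extract_text_fields` helper are all assumptions made for this example.

```python
"""Reflected-XSS reflection check modelled on the workflow Xelenium describes.

Added example, not Xelenium's code. The "application under test" is a
constructed render function: form values in, HTML page out. Nothing here
talks to a network.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import html
import re

# Constructed sample attack vectors. {marker} is replaced per probe so a
# reflection can be attributed to the exact field and vector that caused it.
ATTACK_VECTORS = [
    "<script>alert('{marker}')</script>",
    "\"><img src=x onerror=alert('{marker}')>",
]

RenderFn = Callable[[Dict[str, str]], str]


@dataclass(frozen=True)
class Finding:
    page: str
    field: str
    vector: str


def extract_text_fields(page_html: str) -> List[str]:
    """Return the names of text inputs on a page.

    Hypothetical helper: a regex stand-in for the DOM inspection that
    Selenium WebDriver performs in the real tool. Inputs with no type
    attribute default to text and are included as well.
    """
    names = []
    for tag in re.findall(r"<input\b[^>]*>", page_html, flags=re.I):
        type_match = re.search(r'type\s*=\s*["\']?(\w+)', tag, flags=re.I)
        input_type = type_match.group(1).lower() if type_match else "text"
        name_match = re.search(r'name\s*=\s*["\']?([\w\-]+)', tag, flags=re.I)
        if input_type == "text" and name_match:
            names.append(name_match.group(1))
    return names


def probe(page: str, render: RenderFn, fields: List[str],
          field: str, vector_index: int) -> Optional[Finding]:
    """Submit one attack vector in one field; report it only if it is
    reflected verbatim. An encoded copy (&lt;script&gt;) is the correct
    defensive outcome and is not a finding."""
    marker = f"xel-{field}-{vector_index}"
    payload = ATTACK_VECTORS[vector_index].format(marker=marker)
    form = {name: "benign" for name in fields}   # other fields stay harmless
    form[field] = payload
    response = render(form)
    if payload in response:
        return Finding(page, field, ATTACK_VECTORS[vector_index])
    return None


def scan_page(page: str, page_html: str, render: RenderFn,
              workers: int = 4) -> List[Finding]:
    """Scan every text field with every vector; probes run concurrently,
    mirroring the Java-thread fan-out the page describes."""
    fields = extract_text_fields(page_html)
    jobs = [(field, i) for field in fields for i in range(len(ATTACK_VECTORS))]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(
            lambda job: probe(page, render, fields, job[0], job[1]), jobs))
    return [f for f in results if f is not None]


# Constructed application under test: a search form with two text fields.
SEARCH_FORM = ('<form><input type="text" name="q">'
               '<input type="text" name="lang"><input type="submit"></form>')


def vulnerable_render(form: Dict[str, str]) -> str:
    """Constructed: echoes the query into the page without encoding."""
    return (f"<h1>Results for {form.get('q', '')}</h1>"
            f"<p>lang={html.escape(form.get('lang', ''))}</p>")


def hardened_render(form: Dict[str, str]) -> str:
    """Constructed: same page with HTML output encoding on every echo."""
    return (f"<h1>Results for {html.escape(form.get('q', ''))}</h1>"
            f"<p>lang={html.escape(form.get('lang', ''))}</p>")


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_render),
                         ("hardened", hardened_render)):
        findings = scan_page("/search", SEARCH_FORM, render)
        print(name, [(f.field, f.vector) for f in findings])
```

The decision rule is deliberately strict: a field is reported only when the exact payload string survives into the response. That keeps the scanner quiet on pages that encode their output, which is the remediation a finding should lead to, and it is why the hardened renderer above yields an empty list.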

Steps to use

Following are the steps to perform a scan using Xelenium:

1. Download the xelenium.jar file and double click on it. Xelenium will be launched as shown below:
   Image 1.jpg
2. Enter the URL of the application under test in the 'Enter URL' field and click on the 'Capture Pages' button.
   Note: Please ensure that the URL starts with either http:// or https://
3. Xelenium will launch the Firefox browser and display the web page of the provided URL.
4. Navigate to the required pages that need to be scanned.
5. Close the browser.
6. URL details of the navigated pages will be displayed in the 'Captured Pages' list box.
   Image 2.jpg
7. You can remove unwanted URLs using the 'Remove' button present under the 'Captured Pages' list box.
8. Navigate to the 'Attack Vector' section and select the required XSS attack vectors from the 'Available Attack Vectors' list box.
   Image 3.jpg


PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Xelenium
Purpose: Xelenium is a security testing automation tool that helps the user in identifying the security vulnerabilities present in the application. Xelenium uses powerful features of open source functional test automation tool - Selenium in identifying the security threats.
License: GNU GPL v3
who is working on this project?
Project Leader(s):
  • Vasanthkumar Velayudham @
Project Contributor(s):
  • Tarunkumar Bahaduria @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap:

Current Status: The current version of Xelenium allows the user to identify Cross Site Scripting (XSS) threats present in the web application.

July'12: Addressing the current limitations of Xelenium
  • Support for textboxes present in multiple iframes of a window.
  • Support for predefined values of the field.

Aug'12: Including the feature to identify DOM based XSS in web applications.

Sep - Oct'12: Including the feature to identify HTTP Splitting bugs in web applications.

Nov - Dec'12: Including the feature to identify SQL injection bugs in web applications.

Key Contacts
  • Contact Vasanthkumar Velayudham @ to contribute to this project
  • Contact Vasanthkumar Velayudham @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases