A French translation of this page is available thanks to Natalie Harmann.

x5s is a plugin for the free Fiddler HTTP proxy that actively injects tiny test cases into every user-controlled input of a Web application in order to elicit and identify encoding issues that could lead to an XSS vulnerability. x5s has been released under an Open Source license on Codeplex. Download the x5s cross-site scripting testing tool from Codeplex.

The x5s tool was built for pen-testers, and while it automates the injection of character probes, it requires some manual review of the results. x5s goes beyond traditional cross-site scripting testing by injecting special Unicode characters and byte sequences that may produce exploitable transformations in a Web application. x5s sends tiny character probes, not full XSS payloads, so that it can detect how the injected characters were encoded or transformed. The net effect is that a security tester gets a quick view into all of the places where user input was later emitted on a Web page.

The information on this page is only meant to provide a quick glimpse at the tool; please refer to the tutorial and full documentation on Codeplex when you're ready to learn more. The tutorial was made to help you start testing for XSS issues with the tool quickly. Full documentation is also available that describes how things work. A screenshot of the configuration settings is shown below. The tool gives you control over auto-injection points, a 'preamble' string it uses to identify its payloads, and a domain filter so you can limit testing to a specific domain.

x5s XSS testing Configuration

The next screenshot shows the test case configurations available. Essentially, you choose which characters you want to inject into the input parameters of the Web app. These are sent one at a time, per parameter, so the number of test cases grows with each character you choose. In these settings, which are loaded from an XML file you can modify or customize, you have access to Transformable, Traditional, and Overlong test cases.

x5s XSS character configuration

The final screenshot shows the results tab, where a datagrid gives you quick visual access to all of the points where the test case was emitted, along with an analysis of whether it was encoded or transformed. When you're testing an app that returns large sets of results, you can quickly scroll down the list to identify spots that look vulnerable to you. Or you can click the 'Show Hotspots' filter to let x5s show you the spots it thinks have encoding or transformation issues.

x5s XSS Results
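To make the encoded/transformed analysis concrete, here is an added example (not x5s's own code, which is a C# Fiddler plugin) that locates each echo of a preamble-plus-probe in a response body and classifies it the way the results tab does. The preamble "x5s", the probe sets and the response bodies are all constructed for the demonstration; NFKC normalisation stands in for whatever best-fit mapping the application under test actually applies.

```python
import html
import unicodedata

# Constructed probe sets modelled on the x5s categories described on this page:
# "traditional" probes are the ASCII metacharacters themselves; "transformable"
# probes are Unicode characters that normalisation or best-fit mapping can turn
# into those metacharacters (FULLWIDTH <, >, " here).
TRADITIONAL = ["<", ">", '"', "'"]
TRANSFORMABLE = ["\uff1c", "\uff1e", "\uff02"]


def encoded_forms(ch: str) -> list[str]:
    """HTML-entity spellings a correctly encoding application might emit for ch."""
    cp = ord(ch)
    return [html.escape(ch, quote=True), f"&#{cp};", f"&#x{cp:x};", f"&#x{cp:X};"]


def classify_emission(preamble: str, probe: str, body: str) -> list[tuple[int, str, str]]:
    """Return (offset, verdict, emitted_text) for every echo of preamble+probe in body.
    raw: echoed unchanged (a hotspot only for a TRADITIONAL probe)
    encoded: echoed as an HTML entity
    transformed-to-metachar: a different char came back that is the NFKC form of
        the probe or an ASCII metacharacter (hotspot)
    transformed-lossy: probe became '?' or U+FFFD; missing: nothing recognisable."""
    results = []
    pos = body.find(preamble)
    while pos != -1:
        after = body[pos + len(preamble):]
        emitted = after[:1]
        if after.startswith(probe):
            verdict, emitted = "raw", probe
        elif any(after.startswith(e) for e in encoded_forms(probe)):
            verdict = "encoded"
            emitted = next(e for e in encoded_forms(probe) if after.startswith(e))
        elif emitted and (emitted == unicodedata.normalize("NFKC", probe) or emitted in TRADITIONAL):
            verdict = "transformed-to-metachar"
        elif emitted in ("?", "\ufffd"):
            verdict = "transformed-lossy"
        else:
            verdict = "missing"
        results.append((pos, verdict, emitted))
        pos = body.find(preamble, pos + len(preamble))
    return results


def is_hotspot(probe: str, verdict: str) -> bool:
    """Mirror the 'Show Hotspots' filter: echoes that could break out of HTML context."""
    return (verdict == "raw" and probe in TRADITIONAL) or verdict == "transformed-to-metachar"


if __name__ == "__main__":
    PRE = "x5s"  # constructed preamble marker; the real tool lets you configure it
    for probe, body in [("<", '<input value="x5s&lt;"><p>Hello, x5s<</p>'),  # constructed responses
                        ("\uff1c", "<p>Hello, x5s<</p>"), ("\uff1c", "<p>x5s\uff1c</p><p>x5s?</p>")]:
        for off, verdict, emitted in classify_emission(PRE, probe, body):
            print(f"U+{ord(probe):04X} @{off}: {verdict:24} {emitted!r} hotspot={is_hotspot(probe, verdict)}")
```

Run against a real capture, the raw echo of "<" and the fullwidth probe that came back as ASCII "<" are the two rows you would want the hotspot filter to surface; the entity-encoded and unchanged-fullwidth echoes are not.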