Anti-XSS: Burp Suite versus OWASP Xenotics and Anti-XSS from Microsoft?

Burp Suite versus Xenotics?

OWASP has a free Anti-XSS tool called Xenotics. I like the 4800+ payloads and their use of the term "Target Reconnaissance." It's pretty scary if you imagine a hacker using that against your site. Another tool of interest is Burp Suite.

Any experience with either?

I hope for a tool that is easy for our team to come up to speed on quickly and that lets us use at least the majority of the advanced features.

Suggestions about which of the two is better? Also, feel free to suggest one you have had personal experience with.

ALSO, if we choose to use the .NET Anti-XSS Library from Microsoft, how might that decision influence our choice of test tool?

Thanks.
Asked by newbieweb (Sr. Software Engineer)

Jackie Man commented:
"Other tools of interest are Burp Suite."

Do you have a Gartner account?

If no, register an account and you can read the Gartner reviews.

https://www.gartner.com/reviews/market/application-security-testing/vendor/portswigger/?pid=1047

I think you have reversed the process of selecting the tool.

Which tool is best to use?

In fact, it depends on your own habits.

Or it depends on how your team works out the application development process to determine which safety testing tool is most suitable for them.

Reference:

https://www.qa-knowhow.com/?p=3651

btan (Exec Consultant) commented:
Burp Suite is quite established and is normally used as the tool for penetration testing and web app testing. You wouldn't go wrong with that, especially if you get the commercial version, which goes beyond passive scanning to interactive testing, giving real feedback and making intelligent attempts to bypass checks by a WAF or application-level checks.
Burp Scanner can automatically move parameters between different locations, such as URL parameters and cookies, to help evade web application firewalls and other defenses.

The Burp Infiltrator technology can be used to perform interactive application security testing (IAST) by instrumenting target applications to give real-time feedback to Burp Scanner when its payloads reach dangerous APIs within the application.
Xenotics is good in the fuzzer aspects and has a substantially huge number of distinctive XSS payloads (~4800). It helps to augment Burp, to see whether there are any other gaps, by fuzzing (forcing any error)... but really it is for those who need to customise a certain exploit kit or call back remotely for control. If you are just looking at vulnerability scanning, this tool will serve just all right if you are not spending on Burp.

As for the Microsoft AntiXSS, it is a library based on the Microsoft .NET Framework per se and not a tool. So it is not really an apple-to-apple comparison against Burp and Xenotics. Consider it for application development as part of secure coding, and the other two tools for validation testing.
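
As an added illustration of btan's point that an encoding library and a payload fuzzer play different roles (example code written for this thread, not the Microsoft AntiXSS library, Xenotics or Burp): `html.escape` stands in for a body-context HTML encoder, and the payloads and sink templates are constructed. The audit shows the same encoder containing a payload in one sink context and failing in another, which is the kind of gap that replaying many payloads against a site is meant to surface.

```python
import html
from html.parser import HTMLParser

# Constructed payloads: textbook examples, not the Xenotics payload set.
PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "x onmouseover=alert(1)",
]

# Constructed sink templates; "{}" marks where untrusted input is inserted.
SINKS = {
    "html_body": "<p>Hello {}</p>",
    "quoted_attr": '<input value="{}">',
    "unquoted_attr": "<input value={}>",
}


class Structure(HTMLParser):
    """Records every start tag with its attribute names, ignoring values."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, tuple(sorted(name for name, _ in attrs))))


def structure(markup):
    parser = Structure()
    parser.feed(markup)
    parser.close()
    return parser.elements


def escaped_context(sink_template, rendered_input):
    """True if the input changed the sink's markup (a new tag or attribute appeared)."""
    baseline = structure(sink_template.replace("{}", "harmless"))
    return structure(sink_template.replace("{}", rendered_input)) != baseline


def body_encoder(s):
    # Stand-in for a body-context encoder (assumption: behaves like html.escape).
    return html.escape(s, quote=True)


def audit(encoder):
    """Map (sink, payload) -> whether the encoded payload escaped that sink's context."""
    return {(sink, p): escaped_context(t, encoder(p))
            for sink, t in SINKS.items() for p in PAYLOADS}


if __name__ == "__main__":
    for (sink, payload), escaped in audit(body_encoder).items():
        print(f"{sink:14} {'ESCAPED' if escaped else 'contained':9} {payload}")
```

Running it shows the body encoder containing every payload in `html_body` and `quoted_attr` but not in `unquoted_attr`, where a payload without any `<>&"'` characters passes through unchanged and adds an event-handler attribute.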
newbieweb (Sr. Software Engineer, author) commented:
Thanks.
Question has a verified solution.