Anti-XSS: Burp Suite versus OWASP Xenotics and Anti-XSS from Microsoft?

Burp Suite versus Xenotics?

OWASP has a free Anti-XSS tool called Xenotics. I like the 4800+ payloads and their use of the term "Target Reconnaissance." It's pretty scary if you imagine a hacker using that against your site. Another tool of interest is Burp Suite.

Any experience with either?

I hope for a tool that is easy for our team to quickly come up to speed and be able to use at least the majority of advanced features.

Suggestions about which of the two is better? Also, feel free to suggest one you have had personal experience with.

ALSO, if we chose to use the .NET Anti-XSS Library from Microsoft, how might that decision influence our choice of test tool?

newbieweb (Sr. Software Engineer) asked:

Jackie Man (IT Manager) commented:
Other tools of interest are Burp Suite.

Do you have a Gartner account?

If no, register an account and you can read the Gartner reviews.

I think you have reversed the process of selecting the tool.

Which tool is best to use?

In fact, it depends on your own habits.

Or it depends on how your team works out the application development process to determine which safety testing tool is most suitable for them.

btan (Exec Consultant) commented:
Burp Suite is quite established and normally used as the tool for penetration testing and web app testing. Wouldn't go wrong with that, especially if you've gotten the commercial version, which goes beyond just passive scanning to interactive testing to get real feedback and make intelligent attempts to bypass the checks by a WAF or application-level checks.
Burp Scanner can automatically move parameters between different locations, such as URL parameters and cookies, to help evade web application firewalls and other defenses.

The Burp Infiltrator technology can be used to perform interactive application security testing (IAST) by instrumenting target applications to give real-time feedback to Burp Scanner when its payloads reach dangerous APIs within the application.
Xenotics is good in the fuzzer aspects and has a substantially huge number (~4800) of distinctive XSS payloads. It helps to augment Burp to attempt to see if there are any other gaps by fuzzing (forcing any error)... but really it is for those who need to customise a certain exploit kit or call back remotely for control. If you're just looking at vulnerability scanning, this tool will serve just alright if you are not spending on Burp.

As for the Microsoft AntiXSS, it is a library based on the Microsoft .NET Framework per se and not a tool, so it's not really an apples-to-apples comparison against Burp and Xenotics. Can consider it for application development as part of secure coding and the other two tools for validation testing.
newbieweb (Sr. Software Engineer, author) commented: