XSEVERITY: A Custom Security Tool for Client-Side Vulnerability Detection

By /

Listen to this Post

Featured Image
XSEVERITY is a custom security tool designed to address gaps in traditional DAST (Dynamic Application Security Testing) solutions like Burp Suite and CAIDO. Unlike these tools, XSEVERITY focuses on improving JavaScript execution, DOM awareness, and memory efficiency—key areas where other tools fall short.

Why XSEVERITY?

  • Memory Efficiency: Unlike Burp Suite’s BApps, which consume significant memory, XSEVERITY is optimized for performance.
  • Full JavaScript Execution: Many tools lack proper JS execution, leading to missed client-side vulnerabilities.
  • Enhanced DOM Awareness: Better detection of DOM-based XSS and other client-side flaws.

You Should Know: Practical Testing with XSEVERITY

1. Setting Up a Local Test Environment

To test XSEVERITY’s capabilities, use a vulnerable web app like OWASP Juice Shop:

git clone https://github.com/juice-shop/juice-shop.git 
cd juice-shop 
npm install 
npm start

2. Intercepting Requests

Use `mitmproxy` to inspect traffic:

mitmproxy --mode transparent --showhost

3. JavaScript Analysis with Chrome DevTools

  • Open Chrome DevTools (F12) and use the Console to test JS execution:
    document.cookie = "test=XSSTest; path=/"; 
alert(document.cookie);

4. Automating DOM-Based XSS Detection

Use `puppeteer` for automated DOM checks:

const puppeteer = require('puppeteer');

(async () => { 
const browser = await puppeteer.launch(); 
const page = await browser.newPage(); 
await page.goto('http://vulnerable-site.com'); 
const domCheck = await page.evaluate(() => { 
return document.documentElement.innerHTML.includes('unsafe-eval'); 
}); 
console.log('DOM XSS Risk:', domCheck); 
await browser.close(); 
})();

5. Comparing with Burp Suite

Run a benchmark test using `ZAP CLI`:

docker run -it owasp/zap2docker-stable zap-cli quick-scan -s xss http://test-site.com

What Undercode Say

XSEVERITY fills a critical gap in client-side security testing, particularly where traditional DAST tools fail. By leveraging full JavaScript execution and DOM awareness, it provides a more accurate assessment of modern web app vulnerabilities. For those in offensive security, integrating custom tools like XSEVERITY alongside Burp or ZAP can enhance detection rates.

Expected Output:

  • A lightweight, efficient alternative to Burp Suite for client-side testing.
  • Improved detection of DOM XSS, insecure JS execution, and memory-heavy extensions.
  • Automation-friendly integration with Puppeteer, mitmproxy, and other pentesting tools.

For further reading:

References:

Reported By: Senad Cavkusic – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: