[Owasp-leaders] Any DOM XSS Scanner ?

Ala'a Mubaied alaa.mubaied at owasp.org
Thu Mar 21 11:36:36 UTC 2013


Thanks Stefano.

Good to catch up with you here :)

Actually I was talking mainly about the DOMinator Pro version.

I have used it for almost two weeks, I ran it on my Mac laptop, and here
are my comments:

- It finds DOM XSS issues, good.
- It has problems with stability (memory management); it crashes about
every 10-15 minutes.
- Usability issues (false positives), especially with XHR.

Meanwhile, any plans to make the tool run automatically to scan the site,
instead of manual clicking?

Thanks
Ala'a


On Thu, Mar 21, 2013 at 1:08 PM, Stefano Di Paola <stefano at owasp.org> wrote:

> Ala'a,
>
> since I'm the author of DOMinator and DOMinatorPro, I'll try to be as
> unbiased as possible :)
>
> 1.
>
> http://www.google.it/search?q=dom+xss+scanner&aq=f&oq=dom+xss+scanner&sourceid=chrome&ie=UTF-8
> Lists:
> domxssscanner // RegExp Based
> ra2-dom-xss-scanner // Blind Fuzzer
> DOMinatorPro // Runtime Analyzer
> IBM JSA // Static Analyzer
> ..
>
> You can compare them with your testbed and see what's better.
>
> 2.
> Although this is maybe not the place to talk about it, I'd like to have some
> more elaborate opinion of yours on DOMinator.
>
> About your opinion on the effectiveness of detecting DOM issues, I'd like
> to talk about it, publicly or privately as you wish.
>
> Which DOMinator are you referring to? The Pro version hosted on
> https://dominator.mindedsecurity.com/
> or the old community version hosted on http://code.google.com/p/dominator/?
>
> I'd like to be clear that if you have some usage problems to report, I am
> more than happy to help. Same for bugs.
>
>
> Cheers,
> Stefano
>
>
> On Thu, Mar 21, 2013 at 9:55 AM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>
>> Hi Leaders,
>>
>> I'm aware of DOMinator, but it has a lot of crashes due to memory
>> consumption and is not very effective at detecting DOM issues.
>>
>> Any other suggestions?
>>
>> Thanks
>> Ala'a
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
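Stefano's list sorts the scanners by technique (RegExp based, blind fuzzer, runtime analyzer, static analyzer). As an added example that is not from this thread or from any of those tools, here is a minimal regexp-based source/sink scanner in Python, run over constructed scripts; the source and sink lists and the three sample files are my own assumptions. It shows that a lexical scanner can only report that a source and a sink co-occur, not that data flows between them, which is where its false positives come from and why runtime analysis is a different class of tool.

```python
import re

# Constructed sample scripts (not from the thread), one per situation a
# lexical scanner meets: real DOM XSS, a source without a sink, and a file
# where a source and a sink co-occur but no data flows between them.
SAMPLES = {
    "vuln.js": "var h = location.hash.slice(1);\n"
               "document.getElementById('out').innerHTML = h;\n",
    "benign.js": "var q = location.search;\n"
                 "document.getElementById('out').textContent = q;\n",
    "cooccur.js": "console.log(location.hash);\n"
                  "document.getElementById('out').innerHTML = '<b>static</b>';\n",
}

# Attacker-influenced inputs (sources) and HTML/script-interpreting sinks;
# a small illustrative subset, not a complete list.
SOURCE_RE = re.compile(
    r"\b(?:location\.(?:hash|search|href)|document\.(?:URL|referrer)|window\.name)\b")
SINK_RE = re.compile(r"\b(?:innerHTML|outerHTML|document\.write|eval)\b")


def find_sources_and_sinks(js: str) -> dict:
    """Return (line number, matched text) pairs for every source and sink."""
    found = {"sources": [], "sinks": []}
    for lineno, line in enumerate(js.splitlines(), start=1):
        found["sources"] += [(lineno, m.group(0)) for m in SOURCE_RE.finditer(line)]
        found["sinks"] += [(lineno, m.group(0)) for m in SINK_RE.finditer(line)]
    return found


def regexp_scan(js: str) -> bool:
    """Flag a script when a source and a sink both occur anywhere in it.

    That is all a regexp scanner can decide: it never establishes that the
    source's value reaches the sink, so cooccur.js is flagged exactly like
    vuln.js. A runtime analyzer instead tracks the tainted value through
    execution and reports only when it actually arrives at a sink.
    """
    hits = find_sources_and_sinks(js)
    return bool(hits["sources"]) and bool(hits["sinks"])


if __name__ == "__main__":
    for name, js in SAMPLES.items():
        verdict = "FLAGGED" if regexp_scan(js) else "clean"
        print(f"{name}: {verdict} {find_sources_and_sinks(js)}")
```

Running it flags vuln.js (true positive) and cooccur.js (false positive) while passing benign.js, which uses textContent rather than an HTML sink.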