[Owasp-leaders] Any DOM XSS Scanner ?

Stefano Di Paola stefano at owasp.org
Thu Mar 21 13:05:16 UTC 2013


Thank you Al'a,

Let me first do a little explanation on how DOMinatorPro is composed.
1. Open Source Part: the tainting engine which is a modified version of
Firefox 8
  https://github.com/wisec/DOMinator
2. the (commercial) analyser and monitor extension which uses the taint
engine and adds advanced analysis techniques and a vulnerability KB.

What the trial gives you is the compiled version for your OS of the engine
and a limited version of the extension to show the
potential of the runtime approach.

Inline for the rest =) :

On Thu, Mar 21, 2013 at 12:36 PM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:

> Thanks Stefano.
>
> Good to catch up with you here :)
>
> Actually i was talking mainly on DOMinator Pro version.
>
> I have used it for almost two weeks, I run it on my Mac laptop, and here
> are my comments :
>
> - it finds DOM XSS issues, good.
>

Ok :)
So "not much effective of detecting DOM issues" was a high-level resume?
jk :)


> - It has problems with stability - memory management- it crashes about
> every 10-15 minutes
>

Agree. There are memory issues which have been "partially" solved in the
full version extension.
I'm in the process of porting it to Firefox 20+ to solve them for good.

> - usability issues (false positives) especially with XHR.
>

Ahhh, False Positives and False Negatives... :D

Indeed, I'm sure you are aware that software analyzers are not going to be
perfect anytime soon, right?

Ask Jeremiah Grossman, Ory Segal, Simon Bennetts, Jim Manico, Ferruh
Mavituna, Arshan Dabirsiaghi and the other people
that are more experienced than me about the low-hanging fruit and
automated scanners.

Likely those with XHR are strongly dependent on the logic part of the
application.

It would be interesting to talk about Stored/Indirect DOM Based XSS which
could lead to FN and FP as well.
I'm thinking about giving a talk about those advanced issues and how to
identify them.

That said, assuming you hit a FP, surely I can improve some algorithm to
further minimize them,
but I also think we can have a veeery looong talk about them and how the
other approaches
and techniques deal with them. That is analogous for false negatives of
course :)



> meanwhile, any plans to make the tool run automatically to scan the site,
> instead of manual clicking ?
>

Yes, there has been Selenium support since earlier versions, so one can actually
use it to create his own scanner, and there's a scanner in development for
the DOMinatorPro Enterprise edition.

Cheers and thanks for your comments,
Stefano


> Thanks
> Ala'a
>
>
> On Thu, Mar 21, 2013 at 1:08 PM, Stefano Di Paola <stefano at owasp.org> wrote:
>
>> Ala'a,
>>
>> since I'm the author of DOMinator and DOMinatorPro, I'll try to be as
>> unbiased as possible :)
>>
>> 1.
>>
>> http://www.google.it/search?q=dom+xss+scanner&aq=f&oq=dom+xss+scanner&sourceid=chrome&ie=UTF-8
>> Lists:
>> domxssscanner  //  RegExp Based
>> ra2-dom-xss-scanner // Blind Fuzzer
>> DOMinatorPro /// Runtime Analyzer
>> IBM JSA  // Static Analyzer
>> ..
>>
>> You can compare them with your testbed and see what's better.
>>
>> 2.:
>> Although this is maybe not the place to talk about it, I'd like to have some
>> more elaborate opinion of yours on DOMinator.
>>
>> About your opinion on the effectiveness on detecting DOM issues I'd like
>> to talk about it - publicly or privately as you wish.
>>
>> Which DOMinator are you referring to? The Pro version hosted on
>> https://dominator.mindedsecurity.com/
>> or the old community version hosted on
>> http://code.google.com/p/dominator/ ?
>>
>> I'd like to be clear that if you have some usage problems to report, I am
>> more than happy to help. Same for bugs.
>>
>>
>> Cheers,
>> Stefano
>>
>>
>> On Thu, Mar 21, 2013 at 9:55 AM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>>
>>> Hi Leaders,
>>>
>>> I'm aware of Dominator, but it has a lot of crashes due to memory
>>> consumption and not much effective of detecting DOM issues.
>>>
>>> any other suggestions ?
>>>
>>> Thanks
>>> Ala'a
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
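The runtime taint-tracking approach Stefano describes above (values read from a DOM source carry their origin, and a finding is raised when such a value reaches a sink like innerHTML), as an added toy illustration that is not DOMinator's code. The `Tainted` class, `concat`, `htmlEncode` and `innerHTMLSink` are hypothetical stand-ins for the browser internals a real engine instruments, and the encoded flow shows one reason a runtime analyzer can stay quiet where a RegExp-based scanner would report a false positive.

```javascript
// Toy runtime taint tracker (added example, not DOMinator's own code).
// A real engine instruments the JavaScript string type inside the browser;
// here the Tainted wrapper and the helper functions are hypothetical stand-ins.
class Tainted {
  constructor(value, sources) {
    this.value = value;      // the actual string
    this.sources = sources;  // attacker-controlled origins it derived from
  }
}

// Mark a value read from a DOM source (e.g. location.hash) as tainted.
function source(name, value) {
  return new Tainted(String(value), [name]);
}

function str(x) { return x instanceof Tainted ? x.value : String(x); }
function sourcesOf(x) { return x instanceof Tainted ? x.sources : []; }

// Propagation rule: the result of concatenation inherits every operand's taint.
function concat(...parts) {
  const srcs = parts.flatMap(sourcesOf);
  const value = parts.map(str).join('');
  return srcs.length ? new Tainted(value, srcs) : value;
}

// An HTML encoder removes taint: its output can no longer inject markup,
// so later sink checks stay quiet (this is what cuts false positives).
function htmlEncode(x) {
  return str(x).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

// Sink check, standing in for `element.innerHTML = x`.
// Returns a finding with the source-to-sink trace, or null if untainted.
function innerHTMLSink(x) {
  const srcs = sourcesOf(x);
  if (!srcs.length) return null;
  return { sink: 'innerHTML', sources: [...new Set(srcs)], value: str(x) };
}

// Two constructed flows over the same constructed fragment value.
function unsafeFlow(hash) {
  const name = source('location.hash', hash.slice(1));
  return innerHTMLSink(concat('<h1>Hello ', name, '</h1>'));
}
function safeFlow(hash) {
  const name = source('location.hash', hash.slice(1));
  return innerHTMLSink(concat('<h1>Hello ', htmlEncode(name), '</h1>'));
}

console.log(unsafeFlow('#<b>bob</b>')); // finding: location.hash -> innerHTML
console.log(safeFlow('#<b>bob</b>'));   // null
```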