[Owasp-leaders] Any DOM XSS Scanner ?

Ala'a Mubaied alaa.mubaied at owasp.org
Thu Mar 21 13:16:00 UTC 2013


Stefano, I really appreciate your time answering my concerns.

So things are promising, I frankly agree with you regarding the FN & FP.

And I think it's going to be a very powerful/best tool once the memory issue
and automation have been resolved.

Again, thanks, and looking forward to your new awesome version. Good luck.

-Ala'a



On Thu, Mar 21, 2013 at 4:05 PM, Stefano Di Paola <stefano at owasp.org> wrote:

> Thank you Ala'a,
>
> Let me first do a little explanation on how DOMinatorPro is composed.
> 1. Open Source Part: the tainting engine which is a modified version of
> Firefox 8
>   https://github.com/wisec/DOMinator
> 2. the (commercial) analyser and monitor extension which uses the taint
> engine and adds advanced analysis techniques and a vulnerability KB.
>
> What the trial gives you is the compiled version for your OS of the engine
> and a limited version of the extension to show the
> potential of the runtime approach.
>
> Inline for the rest =) :
>
> On Thu, Mar 21, 2013 at 12:36 PM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>
>> Thanks Stefano.
>>
>> Good to catch up with you here :)
>>
>> Actually I was talking mainly about the DOMinator Pro version.
>>
>> I have used it for almost two weeks, I ran it on my Mac laptop, and here
>> are my comments:
>>
>> - it finds DOM XSS issues, good.
>>
>
> Ok :)
> So "not much effective of detecting DOM issues" was a high-level résumé?
> jk :)
>
>
>> - It has problems with stability - memory management- it crashes about
>> every 10-15 minutes
>>
>
> Agree. There are memory issues which have been "partially" solved in the
> full version extension.
> I'm in the process to port it to Firefox 20+ to solve them for good.
>
>> - usability issues (false positives) especially with XHR.
>>
>
> Ahhh, False Positives and False Negatives... :D
>
> Indeed, I'm sure you are aware that software analyzers are not going to be
> perfect anytime soon, right?
>
> Ask Jeremiah Grossman, Ory Segal, Simon Bennetts, Jim Manico, Ferruh
> Mavituna, Arshan Dabirsiaghi and the other people
> that are more experienced than me about the low-hanging fruits and
> automated scanners.
>
> Likely those with XHR are strongly dependent on the logic part of the
> application.
>
> It would be interesting to talk about Stored/Indirect DOM Based XSS which
> could lead to FN and FP as well.
> I'm thinking about giving a talk about those advanced issues and how to
> identify them.
>
> That said, assuming you hit a FP, surely I can improve some algorithm to
> further minimize them,
> but I also think we can have a veeery looong talk about them and how the
> other approaches
> and techniques deal with them. That is analogous for false negatives of
> course :)
>
>
>
>> meanwhile, any plans to make the tool run automatically to scan the site,
>> instead of manual clicking ?
>>
>
> Yes, there has been Selenium support since earlier versions, so one can actually
> use it to create their own scanner, and there's a scanner in development for
> the DOMinatorPro Enterprise edition.
>
> Cheers and thanks for your comments,
> Stefano
>
>
>> Thanks
>> Ala'a
>>
>>
>> On Thu, Mar 21, 2013 at 1:08 PM, Stefano Di Paola <stefano at owasp.org> wrote:
>>
>>> Ala'a,
>>>
>>> since I'm the author of DOMinator and DOMinatorPro, I'll try to be as
>>> unbiased as possible :)
>>>
>>> 1.
>>>
>>> http://www.google.it/search?q=dom+xss+scanner&aq=f&oq=dom+xss+scanner&sourceid=chrome&ie=UTF-8
>>> Lists:
>>> domxssscanner  //  RegExp Based
>>> ra2-dom-xss-scanner // Blind Fuzzer
>>> DOMinatorPro /// Runtime Analyzer
>>> IBM JSA  // Static Analyzer
>>> ..
>>>
>>> You can compare them with your testbed and see what's better.
>>>
>>> 2.:
>>> Although this is maybe not the place to talk about it, I'd like to have
>>> a more elaborate opinion of yours on DOMinator.
>>>
>>> About your opinion on the effectiveness on detecting DOM issues I'd like
>>> to talk about it - publicly or privately as you wish.
>>>
>>> Which DOMinator are you referring to? The Pro version hosted on
>>> https://dominator.mindedsecurity.com/
>>> or the old community version hosted on
>>> http://code.google.com/p/dominator/ ?
>>>
>>> I'd like to be clear that if you have some usage problems to report, I
>>> am more than happy to help. Same for bugs.
>>>
>>>
>>> Cheers,
>>> Stefano
>>>
>>>
>>> On Thu, Mar 21, 2013 at 9:55 AM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>>>
>>>> Hi Leaders,
>>>>
>>>> I'm aware of Dominator, but it has a lot of crashes due to memory
>>>> consumption and not much effective of detecting DOM issues.
>>>>
>>>> Any other suggestions?
>>>>
>>>> Thanks
>>>> Ala'a
>>>>
>>>>
>>>>
>>>
>>
>
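The thread contrasts four scanner families (RegExp-based, blind fuzzer, runtime taint analyzer, static analyzer) and attributes false positives around XHR and stored/indirect flows to how each one reasons about data. The following is an added example, not code from this thread, from DOMinator or from any of the tools named above: a toy RegExp-based source/sink matcher beside a toy runtime taint tracker, run over three constructed snippets (a direct flow, an unrelated source and sink in the same script, and an indirect flow through storage). All snippets, element ids, hash values and helper names (`regexScan`, `TaintedString`, `makeDom`, `compareScanners`) are assumptions made for this illustration.

```javascript
// Added example (not from the thread or from DOMinator): why a RegExp
// matcher and a runtime taint engine disagree on the same page.
// All snippets and values below are constructed for this illustration.

const SOURCES = [/location\.hash/, /location\.search/, /document\.URL/];
const SINKS = [/\.innerHTML\s*=/, /document\.write\s*\(/, /\beval\s*\(/];

// Family 1: RegExp-based. Flags a snippet when a source and a sink both
// appear in its text, regardless of whether one actually feeds the other.
function regexScan(snippet) {
  const hasSource = SOURCES.some((re) => re.test(snippet));
  const hasSink = SINKS.some((re) => re.test(snippet));
  return hasSource && hasSink;
}

// Family 2: runtime taint tracking. A string carries a taint bit that
// survives string operations and is cleared only by an explicit encoder.
class TaintedString {
  constructor(value, tainted) { this.value = value; this.tainted = tainted; }
  slice(start, end) { return new TaintedString(this.value.slice(start, end), this.tainted); }
  concat(other) { return new TaintedString(this.value + other.value, this.tainted || other.tainted); }
}
const fromSource = (v) => new TaintedString(v, true);   // e.g. location.hash
const literal = (v) => new TaintedString(v, false);     // string constant

// A stand-in DOM: innerHTML is a sink for HTML injection, textContent is not.
function makeDom() {
  const findings = [];
  return {
    findings,
    setInnerHTML(id, s) { if (s.tainted) findings.push(`#${id}.innerHTML <- ${s.value}`); },
    setTextContent() { /* writes text, never parsed as HTML */ },
  };
}

// Each scenario is given twice: as source text (for the regex scanner)
// and as an executable model of the same flow (for the taint engine).
const scenarios = {
  // True positive for both: the hash flows straight into innerHTML.
  direct: {
    code: "var h = location.hash.slice(1);\n" +
          "document.getElementById('out').innerHTML = h;",
    run(dom) { dom.setInnerHTML('out', fromSource('#<i>untrusted</i>').slice(1)); },
  },
  // Regex false positive: source and sink are both present, but the tainted
  // value goes to textContent and innerHTML only receives a constant.
  unrelated: {
    code: "var h = location.hash.slice(1);\n" +
          "document.getElementById('out').textContent = h;\n" +
          "document.getElementById('hdr').innerHTML = '<b>Results</b>';",
    run(dom) {
      dom.setTextContent('out', fromSource('#<i>untrusted</i>').slice(1));
      dom.setInnerHTML('hdr', literal('<b>Results</b>'));
    },
  },
  // Regex false negative: the snippet being scanned contains only the sink;
  // the source was stored earlier by another script (the stored/indirect
  // DOM XSS case raised in the thread). The taint bit rides along.
  indirect: {
    code: "document.getElementById('out').innerHTML = sessionStorage.getItem('q');",
    run(dom) {
      const storage = new Map();                          // stand-in sessionStorage
      storage.set('q', fromSource('#<i>untrusted</i>'));  // written by an earlier script
      dom.setInnerHTML('out', storage.get('q'));          // read by this snippet
    },
  },
};

// Returns, per scenario, whether each scanner family reports a finding.
function compareScanners() {
  const report = {};
  for (const [name, s] of Object.entries(scenarios)) {
    const dom = makeDom();
    s.run(dom);
    report[name] = { regex: regexScan(s.code), taint: dom.findings.length > 0 };
  }
  return report;
}

console.log(compareScanners());
```

Running it shows the regex family flagging `direct` and `unrelated` (one true positive, one false positive) and missing `indirect`, while the taint model flags `direct` and `indirect` and stays quiet on `unrelated`; the runtime approach is still only as good as its sink and sanitizer list, which is where its own false positives and negatives come from.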