[Owasp-leaders] Any DOM XSS Scanner ?

psiinon psiinon at gmail.com
Thu Mar 21 13:34:23 UTC 2013


As a general point to everyone on the list, whenever you find false
positives/negatives with _any_ security tool (but especially OWASP ones ;),
then _please_ report them to the team/company/individual who maintains them.
It's very frustrating when people bad-mouth your tool in public but haven't
bothered to report the issues to you directly.
We all know that automated tools will never be 100% accurate, but we'll
only be able to make them better if issues are reported to us.
That's not directed to anyone in particular by the way ;)

Cheers,

Simon

On Thu, Mar 21, 2013 at 1:16 PM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:

> Stefano, I really appreciate your time answering my concerns.
>
> So things are promising; I frankly agree with you regarding the FN & FP,
>
> and I think it's going to be a very powerful/best tool if the memory issue
> and automation have been resolved.
>
> Again, thanks, and looking forward to your new awesome version... good luck.
>
> -Ala'a
>
>
>
> On Thu, Mar 21, 2013 at 4:05 PM, Stefano Di Paola <stefano at owasp.org> wrote:
>
>> Thank you Ala'a,
>>
>> Let me first give a little explanation of how DOMinatorPro is composed.
>> 1. Open Source Part: the tainting engine which is a modified version of
>> Firefox 8
>>   https://github.com/wisec/DOMinator
>> 2. the (commercial) analyser and monitor extension which uses the taint
>> engine and adds advanced analysis techniques and a vulnerability KB.
>>
>> What the trial gives you is the compiled version for your OS of the
>> engine and a limited version of the extension to show the
>> potential of the runtime approach.
>>
>> Inline for the rest =) :
>>
>> On Thu, Mar 21, 2013 at 12:36 PM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>>
>>> Thanks Stefano.
>>>
>>> Good to catch up with you here :)
>>>
>>> Actually I was talking mainly about the DOMinator Pro version.
>>>
>>> I have used it for almost two weeks; I ran it on my Mac laptop, and here
>>> are my comments:
>>>
>>> - it finds DOM XSS issues, good.
>>>
>>
>> Ok :)
>> So "not much effective of detecting DOM issues" was a high-level resume?
>> jk :)
>>
>>
>>> - It has problems with stability (memory management); it crashes about
>>> every 10-15 minutes.
>>>
>>
>> Agreed. There are memory issues which have been "partially" solved in the
>> full version extension.
>> I'm in the process of porting it to Firefox 20+ to solve them for good.
>>
>>> - Usability issues (false positives), especially with XHR.
>>>
>>
>> Ahhh, False Positives and False Negatives... :D
>>
>> Indeed, I'm sure you are aware that software analyzers are not going to
>> be perfect anytime soon, right?
>>
>> Ask Jeremiah Grossman, Ory Segal, Simon Bennetts, Jim Manico, Ferruh
>> Mavituna, Arshan Dabirsiaghi and the other people
>> that are more experienced than me about the low-hanging fruit and
>> automated scanners.
>>
>> Likely those with XHR are strongly dependent on the logic part of the
>> application.
>>
>> It would be interesting to talk about Stored/Indirect DOM Based XSS which
>> could lead to FN and FP as well.
>> I'm thinking about giving a talk about those advanced issues and how to
>> identify them.
>>
>> That said, assuming you hit a FP, surely I can improve some algorithm to
>> further minimize them,
>> but I also think we can have a veeery looong talk about them and how the
>> other approaches
>> and techniques deal with them. That is analogous for false negatives of
>> course :)
>>
>>
>>
>>> meanwhile, any plans to make the tool run automatically to scan the
>>> site, instead of manual clicking ?
>>>
>>
>> Yes, there's been Selenium support since earlier versions, so one can
>> actually use it to create his own scanner, and there's a scanner in
>> development for the DOMinatorPro Enterprise edition.
>>
>> Cheers and thanks for your comments,
>> Stefano
>>
>>
>>> Thanks
>>> Ala'a
>>>
>>>
>>> On Thu, Mar 21, 2013 at 1:08 PM, Stefano Di Paola <stefano at owasp.org> wrote:
>>>
>>>> Ala'a,
>>>>
>>>> since I'm the author of DOMinator and DOMinatorPro, I'll try to be as
>>>> unbiased as possible :)
>>>>
>>>> 1.
>>>>
>>>> http://www.google.it/search?q=dom+xss+scanner&aq=f&oq=dom+xss+scanner&sourceid=chrome&ie=UTF-8
>>>> Lists:
>>>> domxssscanner       // RegExp Based
>>>> ra2-dom-xss-scanner // Blind Fuzzer
>>>> DOMinatorPro        // Runtime Analyzer
>>>> IBM JSA             // Static Analyzer
>>>> ..
>>>>
>>>> You can compare them with your testbed and see what's better.
>>>>
>>>> 2.:
>>>> Although this is maybe not the place to talk about it, I'd like to have
>>>> a more elaborate opinion of yours on DOMinator.
>>>>
>>>> About your opinion on the effectiveness of detecting DOM issues, I'd
>>>> like to talk about it, publicly or privately as you wish.
>>>>
>>>> Which DOMinator are you referring to? The Pro version hosted on
>>>> https://dominator.mindedsecurity.com/
>>>> or the old community version hosted on
>>>> http://code.google.com/p/dominator/ ?
>>>>
>>>> I'd like to be clear that if you have some usage problems to report, I
>>>> am more than happy to help. Same for bugs.
>>>>
>>>>
>>>> Cheers,
>>>> Stefano
>>>>
>>>>
>>>> On Thu, Mar 21, 2013 at 9:55 AM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>>>>
>>>>> Hi Leaders,
>>>>>
>>>>> I'm aware of Dominator, but it has a lot of crashes due to memory
>>>>> consumption and not much effective of detecting DOM issues.
>>>>>
>>>>> Any other suggestions?
>>>>>
>>>>> Thanks
>>>>> Ala'a
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>
>>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
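The quoted thread above lists four families of DOM XSS scanner (regex based, blind fuzzer, runtime taint analyzer, static analyzer) and goes back and forth on false positives and false negatives. The following is an added illustration, not part of the original thread and not code from DOMinator, DOMinatorPro or any other tool named in it: a toy line-based regex scan next to a crude taint-propagation pass, both run over a few constructed sample scripts. The source, sink and encoder lists, and the `escapeHtml` helper name in the samples, are assumptions chosen for the example.

```javascript
// Added example, not code from DOMinator or any project named in the thread.
// Two toy DOM XSS scanners run over constructed sample scripts to show why a
// regex-based scan yields false negatives and false positives that a
// taint-following approach avoids. The source, sink and sanitizer lists below
// are assumptions chosen for the example, not a complete catalogue.

const SOURCE_RE = /\b(?:location\.(?:hash|search|href)|document\.(?:URL|referrer)|window\.name)\b/;
const SINK_RE = /\b(?:innerHTML|outerHTML|insertAdjacentHTML|document\.write(?:ln)?|eval)\b/;
// Assumed encoder names; a regex scanner has no way to know these are safe.
const SANITIZER_RE = /\b(?:escapeHtml|encodeForHTML|DOMPurify\.sanitize)\s*\(/;

// Line-based regex scan: report a line that mentions both a source and a sink.
function scanRegex(script) {
  return script.split("\n").flatMap((line, i) =>
    SOURCE_RE.test(line) && SINK_RE.test(line) ? [{ line: i + 1, method: "regex" }] : []
  );
}

// Crude taint propagation: remember variables assigned from a source (or from
// another tainted variable), forget them when overwritten with clean data, and
// report a sink only when the expression feeding it is still tainted and not
// wrapped in a known encoder. A runtime engine does this by following the real
// string through the browser; this stand-in only follows simple assignments.
function scanTaint(script) {
  const tainted = new Set();
  const findings = [];
  script.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("//")) return;
    const assign = line.match(/^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)/);
    // Expression whose taint matters: the right-hand side of a variable
    // assignment, otherwise the whole statement.
    const expr = assign ? line.slice(assign[0].length) : line;
    const usesSource = SOURCE_RE.test(expr);
    const usesTaintedVar = [...tainted].some((v) =>
      new RegExp(`\\b${v.replace(/\$/g, "\\$")}\\b`).test(expr)
    );
    const dirty = (usesSource || usesTaintedVar) && !SANITIZER_RE.test(expr);
    if (SINK_RE.test(expr) && dirty) findings.push({ line: i + 1, method: "taint" });
    if (assign) {
      if (dirty) tainted.add(assign[1]);
      else tainted.delete(assign[1]);
    }
  });
  return findings;
}

// Constructed sample scripts (not taken from any real site).
const SAMPLES = {
  // Source and sink on one line: both scans catch it.
  direct: 'document.getElementById("out").innerHTML = "Hi " + location.hash.slice(1);',
  // Source stored in a variable first: the regex scan misses it (false negative).
  indirect: [
    "var q = location.hash.slice(1);",
    'var el = document.getElementById("out");',
    'el.innerHTML = "Hi " + q;',
  ].join("\n"),
  // Encoded before the sink: the regex scan still flags it (false positive).
  encoded: 'document.getElementById("out").innerHTML = escapeHtml(location.hash.slice(1));',
  // Tainted variable overwritten with a constant before the sink: nothing to report.
  overwritten: ["var q = location.search;", 'q = "static";', "document.write(q);"].join("\n"),
};

// Finding counts per sample for each method.
function compare(samples = SAMPLES) {
  const result = {};
  for (const [name, script] of Object.entries(samples)) {
    result[name] = { regex: scanRegex(script).length, taint: scanTaint(script).length };
  }
  return result;
}

console.log(JSON.stringify(compare(), null, 2));
```

Run with `node` and the `indirect` sample shows the regex scan's false negative (0 vs 1) while `encoded` shows its false positive (1 vs 0). The taint pass is still only a sketch: it follows straight-line assignments in one file and trusts a fixed encoder list, which is exactly the kind of application-logic dependence (XHR handlers, stored data, helper functions defined elsewhere) that the thread says drives FP and FN in real scanners.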