[Owasp-leaders] Any DOM XSS Scanner ?

Stefano Di Paola stefano at owasp.org
Thu Mar 21 13:38:30 UTC 2013


Thank you very much for this broadcast message Simon...
I can confirm it's frustrating. :)

Cheers,
Stefano

On Thu, Mar 21, 2013 at 2:34 PM, psiinon <psiinon at gmail.com> wrote:

> As a general point to everyone on the list, whenever you find false
> positives/negatives with _any_ security tool (but especially OWASP ones;),
> then _please_ report them to the team/company/individual who maintains them.
> It's very frustrating when people bad-mouth your tool in public but haven't
> bothered to report the issues to you directly.
> We all know that automated tools will never be 100% accurate, but we'll
> only be able to make them better if issues are reported to us.
> That's not directed to anyone in particular by the way ;)
>
> Cheers,
>
> Simon
>
>
> On Thu, Mar 21, 2013 at 1:16 PM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>
>> Stefano. I really appreciate your time answering my concerns.
>>
>> So things are promising, I frankly agree with you regarding the FN & FP.
>>
>> and I think it's going to be a very powerful/best tool if the memory issue
>> and automation have been resolved.
>>
>> again, thanks and looking forward to your new awesome version... good luck.
>>
>> -Ala'a
>>
>>
>>
>> On Thu, Mar 21, 2013 at 4:05 PM, Stefano Di Paola <stefano at owasp.org> wrote:
>>
>>> Thank you Ala'a,
>>>
>>> Let me first do a little explanation of how DOMinatorPro is composed.
>>> 1. Open Source Part: the tainting engine which is a modified version of
>>> Firefox 8
>>>   https://github.com/wisec/DOMinator
>>> 2. the (commercial) analyser and monitor extension which uses the taint
>>> engine and adds advanced analysis techniques and a vulnerability KB.
>>>
>>> What the trial gives you is the compiled version for your OS of the
>>> engine and a limited version of the extension to show the
>>> potential of the runtime approach.
>>>
>>> Inline for the rest =) :
>>>
>>> On Thu, Mar 21, 2013 at 12:36 PM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>>>
>>>> Thanks Stefano.
>>>>
>>>> Good to catch up with you here :)
>>>>
>>>> Actually I was talking mainly about the DOMinator Pro version.
>>>>
>>>> I have used it for almost two weeks, I ran it on my Mac laptop, and
>>>> here are my comments:
>>>>
>>>> - it finds DOM XSS issues, good.
>>>>
>>>
>>> Ok :)
>>> So "not much effective of detecting DOM issues" was a high-level
>>> résumé? jk :)
>>>
>>>
>>>> - It has problems with stability (memory management): it crashes about
>>>> every 10-15 minutes
>>>>
>>>
>>> Agree. There are memory issues which have been "partially" solved in the
>>> full version extension.
>>> I'm in the process of porting it to Firefox 20+ to solve them for good.
>>>
>>>> - usability issues (false positives) especially with XHR.
>>>>
>>>
>>> Ahhh, False Positives and False Negatives... :D
>>>
>>> Indeed, I'm sure you are aware that software analyzers are not going to
>>> be perfect anytime soon, right?
>>>
>>> Ask Jeremiah Grossman, Ory Segal, Simon Bennetts, Jim Manico, Ferruh
>>> Mavituna, Arshan Dabirsiaghi and the other people
>>> that are more experienced than me about the low hanging fruits and
>>> automated scanners.
>>>
>>> Likely those with XHR are strongly dependent on the logic part of the
>>> application.
>>>
>>> It would be interesting to talk about Stored/Indirect DOM Based XSS
>>> which could lead to FN and FP as well.
>>> I'm thinking about giving a talk about those advanced issues and how to
>>> identify them.
>>>
>>> That said, assuming you hit a FP, surely I can improve some algorithm to
>>> further minimize them,
>>> but I also think we can have a veeery looong talk about them and how the
>>> other approaches
>>> and techniques deal with them. That is analogous for false negatives of
>>> course :)
>>>
>>>
>>>
>>>> meanwhile, any plans to make the tool run automatically to scan the
>>>> site, instead of manual clicking?
>>>>
>>>
>>> Yes, there's been Selenium support since earlier versions, so one can
>>> actually use it to create his own scanner, and there's a scanner in
>>> development for the DOMinatorPro Enterprise edition.
>>>
>>> Cheers and thanks for your comments,
>>> Stefano
>>>
>>>
>>>> Thanks
>>>> Ala'a
>>>>
>>>>
>>>> On Thu, Mar 21, 2013 at 1:08 PM, Stefano Di Paola <stefano at owasp.org> wrote:
>>>>
>>>>> Ala'a,
>>>>>
>>>>> since I'm the author of DOMinator and DOMinatorPro, I'll try to be as
>>>>> unbiased as possible :)
>>>>>
>>>>> 1.
>>>>>
>>>>> http://www.google.it/search?q=dom+xss+scanner&aq=f&oq=dom+xss+scanner&sourceid=chrome&ie=UTF-8
>>>>> Lists:
>>>>> domxssscanner  //  RegExp Based
>>>>> ra2-dom-xss-scanner // Blind Fuzzer
>>>>> DOMinatorPro /// Runtime Analyzer
>>>>> IBM JSA  // Static Analyzer
>>>>> ..
>>>>>
>>>>> You can compare them with your testbed and see what's better.
>>>>>
>>>>> 2.
>>>>> Although this is maybe not the place to talk about it, I'd like to have
>>>>> a more elaborate opinion of yours on DOMinator.
>>>>>
>>>>> About your opinion on the effectiveness on detecting DOM issues I'd
>>>>> like to talk about it - publicly or privately as you wish.
>>>>>
>>>>> Which DOMinator are you referring to? The Pro version hosted on
>>>>> https://dominator.mindedsecurity.com/
>>>>> or the old community version hosted on
>>>>> http://code.google.com/p/dominator/ ?
>>>>>
>>>>> I'd like to be clear that if you have some usage problems to report, I
>>>>> am more than happy to help. Same for bugs.
>>>>>
>>>>>
>>>>> Cheers,
>>>>> Stefano
>>>>>
>>>>>
>>>>> On Thu, Mar 21, 2013 at 9:55 AM, Ala'a Mubaied <alaa.mubaied at owasp.org> wrote:
>>>>>
>>>>>> Hi Leaders,
>>>>>>
>>>>>> I'm aware of Dominator, but it has a lot of crashes due to memory
>>>>>> consumption and is not very effective at detecting DOM issues.
>>>>>>
>>>>>> Any other suggestions?
>>>>>>
>>>>>> Thanks
>>>>>> Ala'a
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
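Stefano's message above contrasts a runtime tainting engine with regex-based and static scanners, and Ala'a's report of false positives is the practical consequence of that difference. The following added example (not DOMinator's code, nor anything from the thread) puts a toy regex scanner and a toy runtime taint tracker side by side on two constructed pages, one that encodes the URL value before it reaches innerHTML and one that does not; the browser objects and page scripts are stand-ins constructed for the example.

```javascript
// Added example, not DOMinator's code: a regex scanner and a toy runtime
// taint tracker applied to the same two constructed pages.

// 1. Pattern matching: report any script text that mentions a known
//    source and a known sink, with no knowledge of how the value flows.
const SOURCES = /location\.(hash|search|href)|document\.URL/;
const SINKS = /innerHTML|document\.write|eval\(/;
function regexScan(scriptText) {
  return SOURCES.test(scriptText) && SINKS.test(scriptText);
}

// 2. Runtime tainting: a value read from a source carries a flag that
//    survives string operations, is cleared by an encoder, and is checked
//    when the value reaches a sink.
class Tainted {
  constructor(value, tainted) { this.value = value; this.tainted = tainted; }
  toString() { return this.value; }
}
const isTainted = (v) => v instanceof Tainted && v.tainted;
function concat(a, b) { // taint propagates through concatenation
  return new Tainted(String(a) + String(b), isTainted(a) || isTainted(b));
}
function encode(v) { // HTML-encodes the value; the result is untainted
  const safe = String(v).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return new Tainted(safe, false);
}
function runtimeScan(page) {
  const findings = [];
  // Constructed stand-ins for the browser: a tainted hash and an innerHTML sink.
  const location = { hash: new Tainted('#<b>from-url</b>', true) };
  const document = { body: { set innerHTML(v) {
    if (isTainted(v)) findings.push('innerHTML');
  } } };
  page(location, document);
  return findings;
}

// Constructed pages: same source and sink text in both, only one encodes.
const vulnerablePage = (location, document) => {
  document.body.innerHTML = concat('<h1>', location.hash);
};
const safePage = (location, document) => {
  document.body.innerHTML = concat('<h1>', encode(location.hash));
};

// The regex flags both pages (a false positive on safePage); the runtime
// tracker reports only the page where the tainted value reaches the sink.
function compareScanners(page) {
  return { regex: regexScan(page.toString()), runtime: runtimeScan(page) };
}
```

The toy tracker also shows where Stefano's XHR caveat comes from: once a value is round-tripped through the server, the flag is lost unless the analyser models that logic too, which is why those flows depend on the application.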