websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] DOM Based XSS flaws detection tool wanted

Paweł Krawczyk
Wed, Nov 7, 2012 9:51 AM

In one application I've tested, AppScan did a pretty good job of
detecting a DOM-based vulnerability, which was actually in an old jQuery
embedded in that page.

--
Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959

On Tuesday, November 06, 2012 at 7:59 PM, "Ryan Dewhurst" wrote:

Hi Taras,

You're welcome! I also found the free Dominator UI a bit complicated
to navigate when it was first released. The Dominator Pro free trial I
used recently had an improved UI which was really intuitive.

I've not used either NTOSpider or AppScan; however, due to the nature
of DOM based XSS detection I wouldn't have thought they were as good
as Dominator at detection. But this is an assumption. If you can grab
some free trials they may be worth testing, but then again their
(NTOSpider & AppScan) prices, the last time I looked, were quite
extortionate.

If I were you I'd probably look to see whether NTOSpider or AppScan have
free trials like Dominator Pro has, give them a go and see how they
compare. But don't forget Dominator Pro is purely for detecting DOM
XSS, whereas the other scanners you mentioned do a whole range of other
checks, so it may depend on what it is you actually need.

Ryan

On Tue, Nov 6, 2012 at 7:47 PM, Taras  wrote:

Ryan, thanks for the answer!

Yes, it seems that Dominator is the only solution that simply works.

Its UI, based on Mozilla Firefox plus the Firebug and Dominator
addons, is too complicated. At the same time, it correctly detected the
test flaw (DOM XSS). And I like the idea of using a patched version of a
modern web browser. Do you know whether well-known webapp scanners like
NTOSpider or AppScan can find client-side issues like DOM XSS?

Ryan Dewhurst wrote:

Hi,

Having used the Dominator Pro free trial, it seemed to be the best
automated tool to detect DOM based XSS that I had come across thus
far.

Another tool which I found to be useful was OWASP's IronWASP [0].

Ryan

[0] http://ironwasp.org/

On Mon, Nov 5, 2012 at 1:18 PM, Taras  wrote:

Hi, all!

I'm searching for a DOM Based XSS [0] flaw detection tool. Detection
of such types of flaws is very interesting and at the same time too
difficult a task for both a human and a scanner. Currently I have found
only Dominator [1], which is Mozilla Firefox based software. Could you
please recommend me some other stuff (free or commercial)?

[0]  https://www.owasp.org/index.php/DOM_Based_XSS
[1] https://dominator.mindedsecurity.com/

Taras
http://oxdef.info
GPG: C8D1F510



Michele Orru
Wed, Nov 7, 2012 10:49 AM

AppScan is a bit shit for DOM-based XSS.
It's just applying regexes to JavaScript files.
When I tried it last year, it just resulted in false positives.

I use DOMinator Pro, and I have to say it is the best tool out there
for this purpose.
Go for it, it's not expensive.

Cheers
antisnatchor

On Wed, Nov 7, 2012 at 9:51 AM, Paweł Krawczyk pawel.krawczyk@hush.com wrote:

In one application I've tested, AppScan did a pretty good job of detecting
a DOM-based vulnerability, which was actually in an old jQuery embedded in that
page.


--
/antisnatchor
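As an added example (not code from the thread, and not the real logic of AppScan or DOMinator), the script below contrasts the two detection strategies the replies describe: a regex pass over JavaScript source, which is what Michele says AppScan does, and a runtime source-to-sink check in the spirit of the patched browser the thread says DOMinator is. The regex rules, the two sample scripts, the marker-based taint propagation and the fake `location` and `document` objects are all constructed here for illustration so the file runs under Node without a browser.

```javascript
'use strict';
// Added example, not code from the thread and not the real logic of AppScan or
// DOMinator. It contrasts a regex scan over JavaScript source with a runtime
// source-to-sink check, on two constructed scripts that look alike to a regex.

// Constructed sample scripts. Both read location.hash and both assign innerHTML,
// but only the first lets the hash reach the sink.
const VULNERABLE_SCRIPT = `
  var name = decodeURIComponent(location.hash.slice(1));
  document.getElementById('greeting').innerHTML = 'Hello ' + name;
`;

const SAFE_SCRIPT = `
  var name = decodeURIComponent(location.hash.slice(1));
  document.getElementById('greeting').innerHTML = 'Hello';
  document.getElementById('greeting').textContent = name;   // text node, not markup
`;

// 1. Static heuristic (assumed, simplified): report a script when it mentions
//    both a DOM source and a dangerous sink. It never asks whether one reaches the other.
const SOURCE_RE = /location\.(hash|search|href)|document\.(URL|referrer)/;
const SINK_RE = /\.innerHTML\s*=|document\.write\(|\beval\(/;

function regexScan(source) {
  return SOURCE_RE.test(source) && SINK_RE.test(source);
}

// 2. Runtime check. Data read from the source is bracketed with private-use
//    characters that survive slice(), decodeURIComponent() and concatenation;
//    the instrumented innerHTML setter reports only values that still carry them.
//    This marker trick stands in for real engine-level taint propagation.
const MARK_START = '\uE000';
const MARK_END = '\uE001';

function taintedLocation(hashPayload) {
  // Real location.hash is "#<fragment>"; the marker goes inside the fragment so slice(1) keeps it.
  return { hash: '#' + MARK_START + hashPayload + MARK_END };
}

function instrumentedDocument(findings) {
  const elements = new Map();
  return {
    getElementById(id) {
      if (!elements.has(id)) {
        const el = { id, textContent: '', _html: '' };
        Object.defineProperty(el, 'innerHTML', {
          get() { return this._html; },
          set(v) {
            const s = String(v);
            if (s.includes(MARK_START)) {
              findings.push({ sink: 'innerHTML', element: id, value: s });
            }
            this._html = s;
          },
        });
        elements.set(id, el);
      }
      return elements.get(id);
    },
  };
}

function runtimeTaintCheck(script, hashPayload) {
  const findings = [];
  // Execute the page script against the fake DOM. Function() is fine here because
  // the script is the code under test, not untrusted input to this harness.
  new Function('location', 'document', script)(
    taintedLocation(hashPayload),
    instrumentedDocument(findings)
  );
  return findings;
}

// Run both detectors over both scripts with a typical fragment payload.
function compare() {
  const payload = encodeURIComponent('<img src=x onerror=alert(1)>');
  const verdict = (script) => ({
    regex: regexScan(script),
    runtime: runtimeTaintCheck(script, payload).length > 0,
  });
  return { vulnerable: verdict(VULNERABLE_SCRIPT), safe: verdict(SAFE_SCRIPT) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compare(), null, 2));
}
```

Run it with `node`: the regex pass flags both scripts because each mentions a source and a sink, while the runtime check flags only the one where the fragment actually reaches `innerHTML`, which is the false-positive gap Michele describes. The marker trick is a simplification of real taint tracking: it only sees flows on code paths that actually execute, and anything that strips non-ASCII characters or rebuilds the string character by character loses the mark, which is why a tool that wants to do this properly instruments the browser itself rather than scanning the source text.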
