In one application I tested, AppScan did a pretty good job of detecting
a DOM-based vulnerability, which was actually in an old jQuery embedded
in that page.
--
Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959
On Tuesday, November 06, 2012 at 7:59 PM, "Ryan Dewhurst" wrote:
Hi Taras,
You're welcome! I also found the free Dominator UI a bit complicated
to navigate when it was first released. The Dominator Pro free trial I
used recently had an improved UI which was really intuitive.
I've not used either NTOSpider or AppScan; however, due to the nature
of DOM based XSS detection I wouldn't have thought they were as good
as Dominator at detection. But this is an assumption. If you can grab
some free trials they may be worth testing, but then again their
(NTOSpider & AppScan) prices, the last time I looked, were quite
extortionate.
If I was you I'd probably look to see if NTOSpider or AppScan have
free trials like Dominator Pro has, give them a go and see how they
compare. But don't forget Dominator Pro is purely for detecting DOM
XSS whereas the other scanners you mentioned do a whole range of other
checks, so it may depend on what it is you actually need.
Ryan
On Tue, Nov 6, 2012 at 7:47 PM, Taras wrote:
Ryan, thanks for the answer!
Yes, it seems that Dominator is the only solution that simply works.
Its UI is too complicated, being based on Mozilla Firefox plus the
Firebug and Dominator addons. At the same time it has correctly detected
the test flaw (DOM XSS). And I like the idea of using a patched version
of a modern web browser. Do you know if such well-known webapp scanners
as NTOSpider or AppScan can find client-side issues like DOM XSS?
Ryan Dewhurst wrote:
Hi,
Having used the Dominator Pro free trial, it seemed to be the best
automated tool to detect DOM based XSS that I had come across thus
far.
Another tool which I found to be useful was OWASP's IronWASP [0].
Ryan
On Mon, Nov 5, 2012 at 1:18 PM, Taras wrote:
Hi, all!
I'm searching for a DOM Based XSS [0] flaw detection tool. Detection of
such types of flaws is very interesting and at the same time a very
difficult task, both for a human and for a scanner. Currently I have
found only Dominator [1], which is Mozilla Firefox based software.
Could you please recommend me some other stuff (free or commercial)?
Taras
http://oxdef.info
GPG: C8D1F510
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
--
Taras
http://oxdef.info
GPG: C8D1F510
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
AppScan is a bit shit for DOM-based XSS.
It's just applying regexes on JavaScript files.
When I tried it last year, it was just resulting in false positives.
I use DOMinator Pro, and I have to say it is the best tool out there
for this purpose.
Go for it, it's not expensive.
Cheers
antisnatchor
On Wed, Nov 7, 2012 at 9:51 AM, Paweł Krawczyk pawel.krawczyk@hush.com wrote:
--
/antisnatchor
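As an added illustration of the difference antisnatchor describes (a regex match over JavaScript files versus following where an untrusted value actually goes) and of why Taras calls this hard for a scanner, the following is not code from the thread or from any of the scanners mentioned; the sample snippets and both toy checkers are constructed for this example and run in Node without a browser:

```javascript
// Constructed sample snippets (not from the thread or from any scanner).
const SAMPLES = {
  // Untrusted URL fragment flows straight into an HTML sink: real DOM XSS.
  vulnerable:
    'var name = location.hash.slice(1);\n' +
    'document.getElementById("greet").innerHTML = "Hi " + name;',
  // Same source, but written through textContent: no HTML parsing, no XSS.
  hardened:
    'var name = location.hash.slice(1);\n' +
    'document.getElementById("greet").textContent = "Hi " + name;',
  // A source and a sink both appear in the file, but nothing flows between them.
  unrelated:
    'document.getElementById("footer").innerHTML = "<b>v1</b>";\n' +
    'if (location.hash === "#debug") console.log("debug");',
};

// Typical DOM XSS sources and sinks, as a pattern-based scanner would list them.
const SOURCE_RE = /\b(location\.(hash|search|href)|document\.(URL|referrer))\b/;
const SINK_RE = /\.(innerHTML|outerHTML)\s*=|document\.write\s*\(|\beval\s*\(/;

// File-level pattern match: flag whenever a source and a sink both occur
// anywhere in the file. Cheap, but it cannot tell whether they are connected.
function regexFlags(src) {
  return SOURCE_RE.test(src) && SINK_RE.test(src);
}

// Toy statement-level taint propagation: remember variables assigned from a
// source (or from an already tainted variable) and flag a sink statement only
// when it reads the source or one of those variables. Splitting on ';' is a
// simplification that ignores strings, comments, functions and control flow.
function taintFlags(src) {
  const tainted = new Set();
  for (const stmt of src.split(/;\s*/).filter(Boolean)) {
    const assign = stmt.match(/^\s*(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=[^=]/);
    const readsTaint =
      SOURCE_RE.test(stmt) ||
      [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(stmt));
    if (assign && readsTaint) tainted.add(assign[1]);
    if (SINK_RE.test(stmt) && readsTaint) return true;
  }
  return false;
}

// Run both checkers over every sample; "unrelated" is the regex false positive.
function compare() {
  const out = {};
  for (const [label, src] of Object.entries(SAMPLES)) {
    out[label] = { regex: regexFlags(src), taint: taintFlags(src) };
  }
  return out;
}

console.table(compare());
```

Even the statement-level check only reduces the false positives; it still knows nothing about sanitizing functions or values passed between functions, which is where a runtime, in-browser approach has the advantage.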