Hi, all!
I'm searching for a DOM Based XSS [0] flaw detection tool. Detection of such
types of flaws is very interesting and at the same time too difficult a task
for both a human and a scanner. Currently I have found only Dominator [1],
which is Mozilla Firefox based software. Could you please recommend some other
stuff (free or commercial)?
Taras
http://oxdef.info
GPG: C8D1F510
Hi,
Having used the Dominator Pro free trial, it seemed to be the best
automated tool to detect DOM based XSS that I had come across thus
far.
Another tool which I found to be useful was OWASP's IronWASP [0].
Ryan
On Mon, Nov 5, 2012 at 1:18 PM, Taras oxdef@oxdef.info wrote:
> Hi, all!
> I'm searching for a DOM Based XSS [0] flaw detection tool. Detection of such
> types of flaws is very interesting and at the same time too difficult a task
> for both a human and a scanner. Currently I have found only Dominator [1],
> which is Mozilla Firefox based software. Could you please recommend some other
> stuff (free or commercial)?
> Taras
> http://oxdef.info
> GPG: C8D1F510
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
DOMinator is definitely the most thorough tool going.
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID E9E996C1 |
Ryan, thanks for the answer!
Yes, it seems that Dominator is the only solution that simply works. It has a too complicated UI based on Mozilla Firefox plus the Firebug and Dominator addons. At the same time it correctly detected the test flaw (DOM XSS). And I like the idea of using a patched version of a modern web browser. Do you know if well-known webapp scanners like NTOSpider or AppScan can find client-side issues like DOM XSS?
--
Taras
http://oxdef.info
GPG: C8D1F510
Hi Taras,
You're welcome! I also found the free Dominator UI a bit complicated
to navigate when it was first released. The Dominator Pro free trial I
used recently had an improved UI which was really intuitive.
I've not used either NTOSpider or AppScan, however, due to the nature
of DOM based XSS detection I wouldn't have thought they were as good
as Dominator at detection. But this is an assumption. If you can grab
some free trials they may be worth testing but then again their
(NTOSpider & AppScan) prices, the last time I looked, were quite
extortionate.
If I was you I'd probably look to see if NTOSpider or AppScan have
free trials like Dominator Pro has, give them a go and see how they
compare. But don't forget Dominator Pro is purely for detecting DOM
XSS whereas the other scanners you mentioned do a whole range of other
checks, so it may depend on what it is you actually need.
Ryan
On Tue, Nov 6, 2012 at 7:47 PM, Taras oxdef@oxdef.info wrote:
> Ryan, thanks for the answer!
> Yes, it seems that Dominator is the only solution that simply works. It has a too complicated UI based on Mozilla Firefox plus the Firebug and Dominator addons. At the same time it correctly detected the test flaw (DOM XSS). And I like the idea of using a patched version of a modern web browser. Do you know if well-known webapp scanners like NTOSpider or AppScan can find client-side issues like DOM XSS?
Steven, I will look at RAFT. Thanks.
Some time ago I did research in the field of automated testing of modern web applications using PhantomJS and w3af. As part of it I also made a simple PoC to detect DOM XSS with PhantomJS and a special JS payload, but it is still a PoC... :(
Steven Pinkham steve.pinkham@gmail.com wrote:
> DOMinator is definitely the most thorough tool going.
> RAFT (http://code.google.com/p/raft/) will find the simple stuff fast and
> defines the low bar of what every app should be tested for IMHO.
--
Taras
http://oxdef.info
GPG: C8D1F510
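
The last message mentions detecting DOM XSS by loading a page in a headless browser with a marker payload. The sketch below is an added example of that general idea, not Taras's PoC and not code from any tool named in the thread: it hooks two DOM sinks and reports when a harmless canary placed in `location.hash` reaches them. `makeFakeWindow`, `instrumentSinks`, `scanPage`, the canary string and the sample pages are all constructed for illustration so the block runs under plain Node.js.

```javascript
// Added example: runtime sink hooking with a harmless canary (no browser needed).
// makeFakeWindow() is a constructed stand-in for the DOM a headless browser provides.
const CANARY = 'domxss_canary_7f3a';

function makeFakeWindow(hash) {
  class Element {
    set innerHTML(v) { this._html = String(v); }
    get innerHTML() { return this._html || ''; }
  }
  const el = new Element();
  return {
    Element,
    location: { hash, href: 'http://app.example/page' + hash },
    document: { write: () => {}, getElementById: () => el },
  };
}

// Wrap the sinks so any value carrying the canary is recorded before the
// original sink runs.
function instrumentSinks(win, findings) {
  const report = (sink, value) => {
    if (String(value).includes(CANARY)) findings.push({ sink, value: String(value) });
  };
  const origWrite = win.document.write;
  win.document.write = (s) => { report('document.write', s); return origWrite(s); };
  const desc = Object.getOwnPropertyDescriptor(win.Element.prototype, 'innerHTML');
  Object.defineProperty(win.Element.prototype, 'innerHTML', {
    get: desc.get,
    set(v) { report('innerHTML', v); desc.set.call(this, v); },
  });
}

// Run one page script with the canary in location.hash; return the sinks it reached.
function scanPage(pageScript) {
  const findings = [];
  const win = makeFakeWindow('#' + CANARY);
  instrumentSinks(win, findings);
  pageScript(win);
  return findings.map((f) => f.sink);
}

// Constructed sample pages: same source, unsafe sink vs. safe sink.
const nameFromHash = (w) => decodeURIComponent(w.location.hash.slice(1));
const vulnerablePage = (w) => { w.document.getElementById('greeting').innerHTML = 'Hello ' + nameFromHash(w); };
const safePage = (w) => { w.document.getElementById('greeting').textContent = 'Hello ' + nameFromHash(w); };

console.log(scanPage(vulnerablePage)); // [ 'innerHTML' ]
console.log(scanPage(safePage));       // []
```

A substring canary only catches flows where the value arrives unmodified; data that is re-encoded or split before reaching the sink needs real taint tracking, which is what the patched-browser approach discussed in the thread provides.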