Hi, all! I'm searching for DOM Based XSS [0] flaws detection tool. Detection of such types of flaws is very interesting and in same time too difficult task as for human as for scanner. Currently I have found only Dominator [1] which is Mozilla Firefox based software. Could you please recommend me some other stuff (free or commercial)? [0] https://www.owasp.org/index.php/DOM_Based_XSS [1] https://dominator.mindedsecurity.com/ -- Taras http://oxdef.info GPG: C8D1F510

Hi, Having used the Dominator Pro free trial, it seemed to be the best automated tool to detect DOM based XSS that I had come across thus far. Another tool which I found to be useful was OWASP's IronWASP [0]. Ryan [0] http://ironwasp.org/ On Mon, Nov 5, 2012 at 1:18 PM, Taras <oxdef@oxdef.info> wrote: > Hi, all! > > I'm searching for DOM Based XSS [0] flaws detection tool. Detection of such > types of flaws is very interesting and in same time too difficult task as for > human as for scanner. Currently I have found only Dominator [1] which is > Mozilla Firefox based software. Could you please recommend me some other stuff > (free or commercial)? > > [0] https://www.owasp.org/index.php/DOM_Based_XSS > [1] https://dominator.mindedsecurity.com/ > -- > Taras > http://oxdef.info > GPG: C8D1F510 > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

DOMinator is definitely the most through tool going. RAFT(http://code.google.com/p/raft/) will find the simple stuff fast and defines the low bar of what every app should be tested for IMHO. -- | Steven Pinkham, Security Consultant | | http://www.mavensecurity.com | | GPG public key ID E9E996C1 |

Ryan, thanks for answer! Yes, it seems that Dominator is only one solution that simply works. It has too complicated UI based on Mozilla Firefox plus Firebug and Dominator addons. In same time it has correctly detected testing flaw (DOM XSS). And I like the idea to use patched version of modern web browser. Do you know if such well know webapp scanner like NTOSpider or AppScan can find client side issues like DOM XSS? Ryan Dewhurst <ryandewhurst@gmail.com> написал(а): >Hi, > >Having used the Dominator Pro free trial, it seemed to be the best >automated tool to detect DOM based XSS that I had come across thus >far. > >Another tool which I found to be useful was OWASP's IronWASP [0]. > >Ryan > >[0] http://ironwasp.org/ > >On Mon, Nov 5, 2012 at 1:18 PM, Taras <oxdef@oxdef.info> wrote: >> Hi, all! >> >> I'm searching for DOM Based XSS [0] flaws detection tool. Detection >of such >> types of flaws is very interesting and in same time too difficult >task as for >> human as for scanner. Currently I have found only Dominator [1] which >is >> Mozilla Firefox based software. Could you please recommend me some >other stuff >> (free or commercial)? >> >> [0] https://www.owasp.org/index.php/DOM_Based_XSS >> [1] https://dominator.mindedsecurity.com/ >> -- >> Taras >> http://oxdef.info >> GPG: C8D1F510 >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn >http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> >http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org -- Taras http://oxdef.info GPG: C8D1F510

Hi Taras, You're welcome! I also found the free Dominator UI a bit complicated to navigate when it was first released. The Dominator Pro free trial I used recently had a improved UI which was really intuitive. I've not used either NTOSpider or AppScan, however, due to the nature of DOM based XSS detection I wouldn't have thought they were as good as Dominator at detection. But this is an assumption. If you can grab some free trials they may be worth testing but then again their (NTOSpider & AppScan) price, the last time I looked, were quite extortionate. If I was you I'd probably look to see if NTOSpider or AppScan have free trials like Dominator Pro has, give them a go and see how they compare. But don't forget Dominator Pro is purely for detecting DOM XSS whereas the other scanners you mentioned do a whole range of other checks, so it may depend on what it is you actually need. Ryan On Tue, Nov 6, 2012 at 7:47 PM, Taras <oxdef@oxdef.info> wrote: > Ryan, thanks for answer! > > Yes, it seems that Dominator is only one solution that simply works. It has too complicated UI based on Mozilla Firefox plus Firebug and Dominator addons. In same time it has correctly detected testing flaw (DOM XSS). And I like the idea to use patched version of modern web browser. Do you know if such well know webapp scanner like NTOSpider or AppScan can find client side issues like DOM XSS? > > Ryan Dewhurst <ryandewhurst@gmail.com> написал(а): > >>Hi, >> >>Having used the Dominator Pro free trial, it seemed to be the best >>automated tool to detect DOM based XSS that I had come across thus >>far. >> >>Another tool which I found to be useful was OWASP's IronWASP [0]. >> >>Ryan >> >>[0] http://ironwasp.org/ >> >>On Mon, Nov 5, 2012 at 1:18 PM, Taras <oxdef@oxdef.info> wrote: >>> Hi, all! >>> >>> I'm searching for DOM Based XSS [0] flaws detection tool. Detection >>of such >>> types of flaws is very interesting and in same time too difficult >>task as for >>> human as for scanner. Currently I have found only Dominator [1] which >>is >>> Mozilla Firefox based software. Could you please recommend me some >>other stuff >>> (free or commercial)? >>> >>> [0] https://www.owasp.org/index.php/DOM_Based_XSS >>> [1] https://dominator.mindedsecurity.com/ >>> -- >>> Taras >>> http://oxdef.info >>> GPG: C8D1F510 >>> >>> _______________________________________________ >>> The Web Security Mailing List >>> >>> WebSecurity RSS Feed >>> http://www.webappsec.org/rss/websecurity.rss >>> >>> Join WASC on LinkedIn >>http://www.linkedin.com/e/gis/83336/4B20E4374DBA >>> >>> WASC on Twitter >>> http://twitter.com/wascupdates >>> >>> websecurity@lists.webappsec.org >>> >>http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > -- > Taras > http://oxdef.info > GPG: C8D1F510

Steven, I will see on RAFT. Thanks. Some time ago I have made research in field of automated testing of modern web applications using PhantomJS and w3af. As part of it I have also made simple PoC to detect DOM XSS with PhantomJS and special JS payload but it is still PoC...:( Steven Pinkham <steve.pinkham@gmail.com> написал(а): >DOMinator is definitely the most through tool going. > >RAFT(http://code.google.com/p/raft/) will find the simple stuff fast >and >defines the low bar of what every app should be tested for IMHO. -- Taras http://oxdef.info GPG: C8D1F510