Update : DOMinator goes Pro and is now available at the following here
Finally DOMinator is public!
Finally DOMinator is public!
What is DOMinator?
DOMinator is a Firefox based software for analysis and identification of DOM Based Cross Site Scripting issues (DOMXss).
It is the first runtime tool which can help security testers to identify DOMXss.
How it works?
It uses dynamic runtime tainting model on strings and can trace back taint propagation operations in order to understand if a DOMXss vulnerability is actually exploitable.
You can have an introduction about the implementation flow and some interface description here
What are the possibilities?
In the topics of DOMXss possibilities are quite infinite.
At the moment DOMinator can help in identifying reflected DOM Based Xss, but there is potential to extend it to stored DOMXss analysis.
Start from the installation instructions then have a look at the video.
Use the issues page to post about problems crashes or whatever.
And finally subscribe to the DOMinator Mailing List to get live news.
A video has been uploaded here to show how it works.
Here's the video:
Soon I'll post more tutorials about the community version.
Some stats about DOM Xss
We downloaded top Alexa 1 million sites and analyzed the first 100 in order to verify the presence of exploitable DOM Based Cross Site Scripting vulnerabilities.
Using DOMinator we found that 56 out of 100 (56% of sites) were vulnerable to reliable DOMXss attacks.
Some analysis example can be found here and here.
We'll release a white paper about this research, in the meantime you can try to reach our results using DOMinator.
DOMinator is still in beta stage but I see a lot of potential in this project.
For example I can think about:
- Dominator library (Spidermonkey) used in web security scanners project
- for automated batch testing.
- Logging can be saved in a DB and lately analyzed.
- Per page testing using Selenium/iMacros.
- A version of DOMinator for xulrunner.
- A lot more
So, if you're interested in contributing in the code (or in funding the project) let me know, I'll add you to the project contributors.
We have some commercial ideas about developing a more usable interface with our knowledge base but we can assure you that the community version will always be open and free.
In the next few days I'll release a whitepaper about DOMinator describing the implementation choices and the technical details.
Stay tuned for more information about DOMinator..the best is yet to come.
DOMinator is a project sponsored by Minded Security, created and maintainted by me (Stefano Di Paola).
I al want to thank Arshan Dabirsiaghi (Aspect Security), Gareth Heyes and Luca Carettoni (Matasano) for their feedback on the pre-pre-beta version :)
Finally, feel free to follow DOMinator news on Twitter as well by subscribing to @WisecWisec and @DOMXss.