Wednesday, May 18, 2011

The DOMinator Project

Update: DOMinator goes Pro and is now available here.

Finally DOMinator is public!


What is DOMinator?
DOMinator is a Firefox-based tool for the analysis and identification of DOM Based Cross Site Scripting issues (DOMXss).
It is the first publicly available runtime tool that helps security testers identify DOMXss.

How does it work?

It applies a dynamic runtime taint-tracking model to strings: values read from a DOMXss source are marked as tainted, the taint propagates through the string operations applied to them, and when a tainted value reaches a sink DOMinator can trace the propagation operations back to the source. That trace is what lets a tester judge whether a DOMXss vulnerability is actually exploitable. The tracking is implemented inside SpiderMonkey, the Firefox JavaScript engine, which is why DOMinator is a stand-alone build rather than an extension.

An introduction to the implementation flow and a description of the interface is available here.
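The tainting model described above, as an added example that is not DOMinator's own code: a toy taint-tracking layer in JavaScript (runnable with Node) in which values from a source carry their operation history all the way to the sink, so the chain can be read back when a sink fires. The class and function names (Tainted, fromSource, tstr, sink, analyze*) and the sample page under test are invented for this illustration; DOMinator itself does this inside the JavaScript engine, not in a wrapper class.

```javascript
'use strict';
// Added example, not DOMinator's own code: a toy model of dynamic string
// tainting in JavaScript. Values that come from an attacker-controlled
// source carry a taint mark plus the list of operations applied to them,
// so that when they reach a sink the whole propagation chain can be read
// back. The names Tainted, fromSource, tstr, sink and analyze* are
// invented for this illustration; the sample page is constructed.

class Tainted {
  constructor(value, history) {
    this.value = value;     // the plain string
    this.history = history; // [{op, args, value}] in order, source first
  }
  toString() { return this.value; }
}

const isTainted = (s) => s instanceof Tainted;
const plain = (s) => (isTainted(s) ? s.value : String(s));

// Entry point of taint: a DOMXss source such as location.hash.
function fromSource(name, value) {
  return new Tainted(value, [{ op: 'source', args: [name], value }]);
}

// If any operand is tainted, the result is tainted too and the operation is
// appended to the history (histories of several tainted operands are merged).
function propagate(op, args, operands, result) {
  const tainted = operands.filter(isTainted);
  if (tainted.length === 0) return result;
  const history = tainted.flatMap((t) => t.history);
  return new Tainted(result, history.concat([{ op, args, value: result }]));
}

// Instrumented string operations.
const tstr = {
  concat: (a, b) => propagate('concat', [], [a, b], plain(a) + plain(b)),
  substring: (s, start, end) =>
    propagate('substring', end === undefined ? [start] : [start, end], [s],
      plain(s).substring(start, end)),
  replace: (s, pattern, repl) =>
    propagate('replace', [String(pattern)], [s], plain(s).replace(pattern, repl)),
  // Declared sanitizer: its output can no longer inject markup, so the taint
  // is dropped. (Which calls count as sanitizers is a tester's decision.)
  escapeHtml: (s) =>
    plain(s).replace(/[&<>"']/g, (c) =>
      ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c])),
};

// A sink such as innerHTML or eval: a tainted argument is a finding that
// carries the full chain from the source.
function sink(name, value) {
  if (!isTainted(value)) return null;
  return { sink: name, value: value.value, history: value.history,
           trace: value.history.map((h) => h.op) };
}

function report(finding) {
  if (!finding) return 'no tainted data reached the sink';
  const chain = finding.history
    .map((h) => h.op + (h.args.length ? '(' + h.args.join(', ') + ')' : ''))
    .join(' -> ');
  return `${finding.sink} <- ${chain}\n  value: ${JSON.stringify(finding.value)}`;
}

// Constructed page under test, roughly:
//   var name = location.hash.substring(6);   // skips "#name="
//   document.getElementById('greet').innerHTML = 'Hello ' + name;
const PAYLOAD = '<img src=x onerror=alert(1)>';

function analyzeVulnerableFlow(hash = '#name=' + PAYLOAD) {
  const name = tstr.substring(fromSource('location.hash', hash), 6);
  return sink('innerHTML', tstr.concat('Hello ', name));
}

// Same page with a filter that only strips "<script": the taint survives and
// the trace shows the tester exactly which filter the payload went through.
function analyzeFilteredFlow(hash = '#name=' + PAYLOAD) {
  const name = tstr.substring(fromSource('location.hash', hash), 6);
  const filtered = tstr.replace(name, /<script/gi, '');
  return sink('innerHTML', tstr.concat('Hello ', filtered));
}

// Same page with proper output encoding: nothing tainted reaches the sink.
function analyzeSafeFlow(hash = '#name=' + PAYLOAD) {
  const name = tstr.substring(fromSource('location.hash', hash), 6);
  return sink('innerHTML', tstr.concat('Hello ', tstr.escapeHtml(name)));
}

console.log(report(analyzeVulnerableFlow()));
console.log(report(analyzeFilteredFlow()));
console.log(report(analyzeSafeFlow()));
```

Run it with node. The filtered flow is the instructive one: the replace() call shows up in the trace, so the tester can see that the filter only removed "<script" and that an img/onerror payload still reaches innerHTML intact, which is the kind of judgement the trace-back is meant to support.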

What are the possibilities?

In the DOMXss field the possibilities are nearly endless.
At the moment DOMinator helps identify reflected DOM Based Xss, but it has the potential to be extended to stored DOMXss analysis.

Download

Start with the installation instructions, then have a look at the video.
Use the issues page (http://code.google.com/p/dominator/issues/list) to report problems, crashes or anything else.
Finally, subscribe to the DOMinator Mailing List (https://groups.google.com/group/dominator-ml) to get live news.

Video
A video showing how it works has been uploaded here.


Soon I'll post more tutorials about the community version.


Some stats about DOM Xss

We downloaded the Alexa top 1 million list and tested only the first 100 sites of it for exploitable DOM Based Cross Site Scripting vulnerabilities.
Using DOMinator we found that 56 of those 100 sites (56%) were vulnerable to reliable DOMXss attacks.
Some example analyses can be found here and here.
We'll release a white paper about this research; in the meantime you can try to reproduce our results using DOMinator.

Future work

DOMinator is still in beta, but I see a lot of potential in this project.
For example I can think of:
  • A DOMinator library (SpiderMonkey) usable by web security scanner projects for automated batch testing.
  • Logs saved to a DB and analyzed later.
  • Per-page testing using Selenium/iMacros.
  • A version of DOMinator for XULRunner.
  • A lot more.
It only depends on how many people will help me improve it.

So, if you're interested in contributing code (or funding the project), let me know and I'll add you to the project contributors.
We have some commercial ideas about developing a more usable interface with our knowledge base, but we can assure you that the community version will always be open and free.

In the next few days I'll release a whitepaper about DOMinator describing the implementation choices and the technical details.

Stay tuned for more information about DOMinator... the best is yet to come.

Acknowledgements
DOMinator is a project sponsored by Minded Security, created and maintained by me (Stefano Di Paola).
I also want to thank Arshan Dabirsiaghi (Aspect Security), Gareth Heyes and Luca Carettoni (Matasano) for their feedback on the pre-pre-beta version :)

Finally, feel free to follow DOMinator news on Twitter as well by subscribing to @WisecWisec and @DOMXss.

26 comments:

  1. Nice work!

    Does Dominator only locate DOM-based XSS issues, or can it find other client-side vulnerabilities?

  2. It adds taint propagation to particular strings you can choose.
    So if one wants to track some other kind of issue it can be done.

    DOMinator helps analyzing particular flows by giving information to the tester about what happened.
    You can add new sources and new sinks whenever you want and let DOMinator warn you when some particular operation is performed.
    I suggest you have a look at http://dominator.googlecode.com/files/DOMinator_Control_Flow.pdf for a more insightful perspective.

  3. Great work Stefano!
    Next time, I'd like to hear your voice in the video! :)

  4. @thesp0nge
    thanks!
    hehe I decided to save people from my bad English :)

    Maybe next time...

  5. BTW - you may want to rephrase the part where you say that you downloaded 1 million sites and used DOMinator on them.

    Your actual sample set for the statistics you quote was 100 sites only, not 1 million, right? That's confusing.

  6. @Anonymous,
    thanks, it seemed clear to me, but if you say it's confusing, then, yes:
    We downloaded the top 1 Million Alexa Csv (http://s3.amazonaws.com/alexa-static/top-1m.csv.zip)
    and we tested *only* the first 100 sites of that top 1M using DOMinator.
    The result is that 56 out of those top 100 sites were vulnerable to exploitable DOMXss.

    Thanks :)

  7. Really nice tool Stefano, can't wait to use it in a real WAPT :)

  8. Thanks ascii :)
    Looking forward to your feedback!

  9. SecurityAcademic, May 19, 2011 at 4:13 PM

    You say DOMinator is "the first runtime tool which can help security testers to identify DOMXss." That is not correct. See, e.g., FLAX (http://webblaze.cs.berkeley.edu/2010/flax/flax.pdf) or Kudzu (http://webblaze.cs.berkeley.edu/2010/kudzu/).

  10. Since I have followed DOMxss research evolution from the beginning, I would say that both Flax and Kudzu seem to work on very abstract input and sink definitions. Also, the targeted application seemed to be very buggy and is not comparable with the Top 100 Alexa sites.

    I would ask to try the UTF7 Fuzzer against Gmail / twitter / etc. and try to find some vulnerabilities. I think it would end up in some false positives.

    The automation as far as I understand in Dominator is just meant to be consistent with the Inputs and Sinks presented in the DomXss Wiki. There is no need anymore of an abstract input generator.

  11. Thanks for your great work and your presentation at SWISS Cyber Storm 3!

  12. @SecurityAcademic
    Thanks for pointing it out. I wasn't aware of
    those research papers even if I already knew about
    Vogt research. I'll add them to the whitepaper as
    references.

    Now, regarding your request.
    If we want to be precise as you are,
    1. I see two wonderful research papers, but no public url to the tool.
    2. DOMinator is a tool that "helps" security testers in finding DOMXss, differently from yours which seems to be fully automatic.
    But I'm not sure, since afaik your tool is not public.

    So, sorry but I think my phrase is correct.

  13. @anonymous
    thank you for your kind words! :)

  14. Stefano, great work!

    I managed to get it working under Backtrack 5.

    A couple of issues:

    The stack trace feature doesn't seem to be working in Linux 32 bit. I've clicked the stack trace enable button a few times to see if that made a difference. The app I'm working on is minified, but I don't think that's the issue.

    Secondly, if you can add CSRF token following, that would be awesome. For example, if it could take the ASP.NET MVC RequestVerificationToken value and submit it every time it changes, that would be good. I found that Dominator would get blocked pretty quickly.

    However, I did manage to find a DOM based XSS in a few minutes once I had it going and understood what it was trying to tell me.

    Replies
    1. Can you please tell me how you got it working on Backtrack?
  15. @Andrew
    About the issues or help on using DOMinator, you can use:
    http://code.google.com/p/dominator/issues/list
    and also I suggest you to subscribe to the mailing list:
    https://groups.google.com/group/dominator-ml

    We can keep talking about your issues on the mailing list.

    I'm glad you found the DOMXss with DOMinator! :)

    Thanks

  16. I want to contribute. phersys@gmail.com

  17. Hi,
    I wanted to test it, but it's not compatible with Firefox 6 (WIN). Do you plan to release an upgraded version or do I have to downgrade Firefox?

    Kind regards,

    Dirk.

  18. @Dirk,
    DOMinator is not a firefox plugin. It uses Firefox as a base but it modifies Spidermonkey (JS engine) in order to follow external inputs and identify DOM based Xss.
    It should be considered as a stand alone software, not as a plugin.

  19. Hi Stefano,

    Dominator is definitely a handy tool. Thanks for sharing it with the community. As per my understanding, DOM based XSS is different from regular XSS only in the way it is automatically scanned. Please correct me if I'm wrong. As in regular XSS, you inject a vector in the HTTP request and look for the presence of the pattern in the response, which may or may not happen with DOM based XSS, as anything after the # in the URL isn't sent to the server. Do you agree with me? If yes, does that mean that if I inject the vector in a page which may be susceptible to DOM XSS and scan the updated DOM, maybe programmatically or by manually saving the page to disk, that will confirm the issue for me?

  20. @Nishant

    > Dominator is definitely a handy tool.
    > Thanks for sharing it with the
    > community.

    Thanks, much appreciated!

    > As per my understanding DOM based XSS is different from regular
    > XSS only in the way it is automatically scanned.
    >
    > Please correct me if I'm wrong.
    > As in regular XSS, you inject a vector in the HTTP request and look
    > for the presence of the pattern in the response, which may or may not happen
    > with DOM based XSS.

    The Xss in terms of attack category is very similar in the way it can execute
    javascript in the page.

    On the other hand, in terms of vulnerability DOM Xss and Xss are different
    since the vulnerable code is in the JavaScript executed in the browser.


    > As anything after the # in the URL isn't sent to the
    > server. Do you agree with me?

    Not only after the #. Any possible user controlled input can be considered
    as a source of troubles. See http://code.google.com/p/domxsswiki/wiki/Sources
    for more sources.

    > If yes, does that mean that if I inject the
    > vector in page which may be susceptible to DOM XSS and scan the updated DOM
    > may be programmatically or by manually saving the page to disk will confirm
    > me the issue?

    Well, if you save the vulnerable page with all the scripts you will probably be able to
    recreate the environment where the vulnerability could be exploited.
    But the page and js execution could depend on things like XmlHttpRequest responses that
    could be more complex to reproduce.

  21. @Stefano

    Thanks for being patient in explaining the details to me. I agree with all your points. My next question is: can POST vars be potential sources of DOM XSS, or is it just GET params and HTTP headers?

  22. @Nishant

    Of course POST and HTTP headers cannot be used as direct "Source" since there's no way to get the payload from javascript.
    On the other side if some value from the payload is used to instantiate a Js variable, then it could be considered as a potentially "indirect" source.

    I suggest you have a look at my presentation:
    * slides: http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Di_Paola.pdf
    * video: http://www.youtube.com/watch?v=bs-HvHJtT9Y

    and as previously mentioned the DOM Xss Wiki which describes Sources and Sinks:

    * http://code.google.com/p/domxsswiki/wiki/Sources

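As an added example (not code from the post or from the reply above), the following shows in JavaScript (runnable with Node) how a POST parameter becomes the "indirect" source described in that reply: the server copies it into a JavaScript variable, and if it does so by plain string pasting the attacker does not just control the variable but can break out of the string and run code in the page. embedUnsafe, embedSafe, toScriptLiteral, runScripts and compare are names invented here, and the sample payloads are constructed; runScripts executes each generated <script> block separately with a stub alert(), mimicking how a browser's HTML parser and JS engine would treat the page.

```javascript
'use strict';
// Added example, not from the post or its comments. A POST parameter never
// reaches JavaScript directly, but it becomes an "indirect" DOMXss source
// when the server copies it into a JS variable. The function names below
// and the sample payloads are constructed for this illustration.

// Naive server-side template: the request value is pasted into a string
// literal. An attacker who controls the value controls the script.
function embedUnsafe(value) {
  return '<script>var q = "' + value + '";</script>';
}

// Serialize the value as a JSON string literal, then escape what is still
// dangerous inside a <script> element: "<" (so "</script>" cannot end the
// element early) and the line terminators U+2028/U+2029, which JSON leaves
// raw but older JS string literals reject.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function embedSafe(value) {
  return '<script>var q = ' + toScriptLiteral(value) + ';</script>';
}

// Model of the browser side: each <script> element is found by the HTML
// parser (which knows nothing about JS string syntax) and run on its own,
// with a stub alert() that records calls instead of popping a dialog.
function runScripts(html) {
  const alertCalls = [];
  const stubAlert = (x) => alertCalls.push(x);
  let q;
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const result = new Function('alert',
        m[1] + '\n;return typeof q === "undefined" ? undefined : q;')(stubAlert);
      if (result !== undefined) q = result;
    } catch (e) {
      // A block that is not valid JS (e.g. an unterminated string left
      // behind after </script> cut it short) is skipped, as a browser does.
    }
  }
  return { q, alertCalls };
}

// Compare both embeddings for one attacker-controlled POST value.
function compare(payload) {
  return {
    unsafe: runScripts(embedUnsafe(payload)),
    safe: runScripts(embedSafe(payload)),
  };
}

// Constructed payloads: break out of the string literal, or close the
// <script> element and open a new one.
const PAYLOADS = ['";alert(1)//', '</script><script>alert(2)</script>'];

for (const p of PAYLOADS) {
  const r = compare(p);
  console.log(JSON.stringify(p));
  console.log('  unsafe: q=' + JSON.stringify(r.unsafe.q) +
              ' alerts=' + JSON.stringify(r.unsafe.alertCalls));
  console.log('  safe:   q=' + JSON.stringify(r.safe.q) +
              ' alerts=' + JSON.stringify(r.safe.alertCalls));
}
```

The caveat a tester should keep in mind: embedSafe only guarantees that q stays a string. Its content is still attacker-controlled, so if the page later passes q to innerHTML, eval or another sink it is exactly the indirect DOMXss source the reply describes, and q would be added to DOMinator's source list so that the flow from it can be followed.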
  23. @Nishant

    Also, if you have more questions about DOMXss, contact me via email.

    We're going a bit off topic here :)

  24. Hey bro, I had a question.
    I have found some HTML injection in sites with DOMinator and got an alert box in the DOMinator browser, but whenever I try to reproduce it in other browsers like Mozilla, Chrome etc. it doesn't show the alert box. Why is that?
    Is there any way I can get it done?
    Thank you!

  25. Sir, the free version of DOMinator doesn't contain the log enabled, warning and alert keys, so how can we find DOM vulnerabilities using the free version of DOMinator?
