Tuesday, June 19, 2012

DOMinator Pro has been released!

DOMinator Pro is a commercial suite whose concept is based on the DOMinator project (which was named one of the Top Ten Web Hacking Techniques of 2011).

It performs real-time dynamic data tainting, an innovative approach to identifying DOM based Cross Site Scripting vulnerabilities, and can help identify client side issues in a very short time while simply navigating.

DOMinator Pro Suite consists of two principal components:
1. DOMinator Core Engine: a core engine based on Firefox 8.0, with a modified version of SpiderMonkey (the JS engine) that adds dynamic tainting and performs taint propagation tracing. Open source and downloadable from GitHub.
2. DOMinator Pro Extension: a proprietary, commercial extension which contains the knowledge base, the user interface and the analysis engine.
The DOMinator Pro Suite is a full package of compiled code, ready for immediate use on Windows and Linux.

How does it work?

It uses a dynamic runtime tainting engine which performs taint propagation on strings and keeps track of previous operations in order to collect the so-called Source History.
The Source History of a tainted string helps in understanding whether a vulnerability is actually exploitable or not.

There are several techniques that could help humans to identify security issues in code and systems.

Static analysis is one of the most widely used, in conjunction with manual testing. Although automatic static analysis tools offer real advantages, such as code coverage and fast analysis, they also have several drawbacks, since JavaScript and the DOM rely on the browser's internal state, page contents and dynamic data in general. Static analysis of client side JavaScript can therefore result in plenty of false positives and false negatives.

DOMinator takes JavaScript security analysis to a different level: it uses real-time flow execution, taking advantage of the native Mozilla JavaScript parser and analyzing dangerous methods only when they are used in conjunction with tainted sources in a real executed flow. This means that there will be a very low number of false positives compared with static analysis.

This approach gives several advantages as the state of the client is entirely consistent with user experience and the flow is executed and analyzed as it runs.
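
The taint propagation and Source History described above can be modelled in a few lines of JavaScript. This is an added example, not DOMinator code: `TaintedString`, `fromSource` and `sink` are hypothetical names, and the `location.hash` value is constructed sample input.

```javascript
// Added example: toy dynamic string tainting with a Source History.
// TaintedString, fromSource and sink are illustrative names, not DOMinator APIs.
class TaintedString {
  constructor(value, history = []) {
    this.value = String(value);
    this.history = history; // ordered operations; empty means untainted
  }
  get tainted() { return this.history.length > 0; }
  static fromSource(source, value) {
    return new TaintedString(value, [`source:${source}`]);
  }
  static wrap(x) { return x instanceof TaintedString ? x : new TaintedString(x); }
  // Build the result of an operation; taint is inherited from every operand.
  derive(value, op, operands = []) {
    const inherited = [this, ...operands].flatMap((s) => s.history);
    return new TaintedString(value, inherited.length ? [...inherited, op] : []);
  }
  concat(other) {
    const o = TaintedString.wrap(other);
    return this.derive(this.value + o.value, 'concat', [o]);
  }
  substring(start, end) {
    return this.derive(this.value.substring(start, end), `substring(${start})`);
  }
  replace(pattern, replacement) {
    return this.derive(this.value.replace(pattern, replacement), `replace(${pattern})`);
  }
}

// A sink reports only when the data reaching it is tainted.
function sink(name, data) {
  const s = TaintedString.wrap(data);
  if (!s.tainted) return null;
  return { sink: name, value: s.value, sourceHistory: s.history };
}

// Constructed sample input standing in for location.hash.
const hash = TaintedString.fromSource('location.hash', '#<i>guest</i>');
const name = hash.substring(1);

// Flow 1: tainted data reaches the sink unmodified.
const rawAlert = sink('innerHTML', TaintedString.wrap('Hello ').concat(name));
// Flow 2: still tainted, but the history records the encoding step.
const encoded = name.replace(/</g, '&lt;');
const encodedAlert = sink('innerHTML', TaintedString.wrap('Hello ').concat(encoded));
// Flow 3: constant string, no tainted source involved, so no alert.
const constantAlert = sink('innerHTML', 'Hello world');

console.log(JSON.stringify([rawAlert, encodedAlert, constantAlert], null, 2));
```

Both tainted flows raise an alert, but only the second history contains the `replace` step, which is the information a reviewer needs to judge whether the flow is actually exploitable.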

Features in DOMinator Pro

* New HTML 5 Source Objects and Sinks.
* Alerts when jQuery is used in conjunction with tainted sources.
* Alerts in real time with description of the vulnerabilities, code example and remediation summaries.
* Remote alerts in JSON format.
* Experimental DOM Based XSS Stored Sources.
* Minimization of false positives with new analysis techniques.

The web is an ever-evolving environment, and DOMinator Pro will gain new features and new technologies to keep your analysis and exploitation of DOM based issues always up to date!

Why should we care about DOM Based XSS?

DOM XSS is getting more and more attention over the web and it can be considered one of the stars of the next generation of web vulnerabilities (W3C Conference 2011, B. Hill and S. Stender).

DOM XSS is a security issue of dynamic JavaScript, where unsanitized data is rendered by client side code.

Since Ajax is the main technology behind Cloud and Software as a Service infrastructure, this issue (DOM XSS), if correctly exploited, can break its security.
Like Stored and Reflected XSS, DOM Based XSS could allow an attacker to inject his own code into another domain's sandbox (Cross Site Scripting), with the important difference that it may run completely undetected by Web Application Firewalls and other security tools that can protect applications on the server side.

Even if you already take care of security testing on your applications, there are very few companies that perform client side checks, because DOM based XSS is still underestimated and difficult to analyze without tools.
In 2011 Minded Security showed that, using the community version of DOMinator, it was possible to identify that 57 out of the top 100 Alexa sites were vulnerable to exploitable DOM Based Cross Site Scripting.
Considering that result, it can be inferred that somewhere between none and a small number of companies are already aware of client side JavaScript security analysis.

Who should use DOMinator Pro?

DOMinator Pro was developed in order to facilitate the process of finding client side issues even for people with little security knowledge.
DOMinator Pro represents the first tool which can help quality teams, security testers, and developers to identify client side security issues while performing runtime quality or security testing.
Software companies producing web interfaces with heavy use of client side JavaScript code should use it in order to add security checks to their software development lifecycle.
Big internet companies can use DOMinator Pro with automatic browser testing tools and directly get alerts in their bug ticket systems.
Finally, DOMinator Pro is of use to whoever is concerned about client side JavaScript security.

Featured Downloads and Information

Go to the DOMinator site, register yourself and download a 15-day trial of DOMinator Pro.
You will see with your own eyes how DOMinator Pro overcomes static analysis drawbacks by performing runtime analysis during normal navigation.
Are you already persuaded? Contact us for license purchase.
Choose the version of DOMinator which suits your needs!