What is DOMinator?
DOMinator is a Firefox-based tool for the analysis and identification of DOM Based Cross Site Scripting issues (DOMXss).
It is the first runtime tool that can help security testers identify DOMXss.
How does it work?
It applies a dynamic runtime taint model to strings: a string that originates from an attacker-controllable source (location.hash, for example) stays tainted through propagation operations such as concatenation, substring and decoding, and when a tainted string reaches a dangerous sink DOMinator can trace the chain of propagation operations back to the source. That trace is what lets a tester judge whether a DOMXss vulnerability is actually exploitable.
An introduction to the implementation flow and a description of the interface is available here.
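As an added illustration (this is not DOMinator's code, which lives inside a patched SpiderMonkey), the following plain JavaScript models the same idea with a wrapper class: values read from a source carry their origin and a log of every propagation step, and a sink check reports the chain when a tainted value arrives. The class and function names (TaintedString, checkSink, SINKS, escapeHtml), the sanitizer and the sample fragment payload are all constructed for this example.

```javascript
// Added illustration, not DOMinator's code. DOMinator patches SpiderMonkey so
// that native JS strings carry taint; here the same idea is modelled with a
// wrapper class so it runs in plain Node.js. All names below are invented.

class TaintedString {
  constructor(value, source, history) {
    this.value = value;        // the actual string content
    this.source = source;      // e.g. "location.hash", or null when untainted
    this.history = history;    // propagation operations applied so far
  }

  // Mark a value as coming from an attacker-controllable source.
  static fromSource(value, sourceName) {
    return new TaintedString(value, sourceName, ['source:' + sourceName]);
  }

  // Wrap a literal or other trusted value: no source, empty history.
  static trusted(value) {
    return new TaintedString(String(value), null, []);
  }

  get tainted() {
    return this.source !== null;
  }

  // Derive a new string from this one; taint and history are inherited.
  derive(newValue, opLabel) {
    return new TaintedString(newValue, this.source, this.history.concat(opLabel));
  }

  substring(start, end) {
    const label = end === undefined
      ? 'substring(' + start + ')'
      : 'substring(' + start + ',' + end + ')';
    return this.derive(this.value.substring(start, end), label);
  }

  replace(pattern, replacement) {
    return this.derive(this.value.replace(pattern, replacement),
      'replace(' + String(pattern) + ')');
  }

  // Decoding is a propagation step that can re-introduce '<' and '"',
  // which were harmless while still percent-encoded.
  decodeURIComponent() {
    return this.derive(decodeURIComponent(this.value), 'decodeURIComponent');
  }

  // Concatenation: the result is tainted if either operand is.
  concat(other) {
    const o = other instanceof TaintedString ? other : TaintedString.trusted(other);
    const source = this.source !== null ? this.source : o.source;
    const history = this.history.concat(o.history, 'concat');
    return new TaintedString(this.value + o.value, source, history);
  }
}

// Sinks the model reports on, with the impact a tester would assign.
const SINKS = {
  innerHTML: 'HTML injection',
  'document.write': 'HTML injection',
  eval: 'JavaScript execution',
};

// Called where the real page would write into a sink. Returns a finding
// (with the propagation trace back to the source) or null if the value is clean.
function checkSink(sinkName, arg) {
  if (!(arg instanceof TaintedString) || !arg.tainted) return null;
  return {
    sink: sinkName,
    impact: SINKS[sinkName] || 'unknown sink',
    source: arg.source,
    value: arg.value,
    trace: arg.history,
  };
}

// A sanitizer the model has been told about: its output is treated as untainted.
// A taint tracker only knows this if the tester declares it; otherwise it would
// keep reporting the flow (assumption of this example, not a DOMinator feature).
function escapeHtml(ts) {
  const escaped = ts.value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
  return TaintedString.trusted(escaped);
}

// Simulated page logic: take "name=<value>" from the URL fragment and build
// a greeting with it. The fragment value is constructed input for this example.
function vulnerableGreeting(hashValue) {
  const hash = TaintedString.fromSource(hashValue, 'location.hash');
  const name = hash.substring(hash.value.indexOf('name=') + 5).decodeURIComponent();
  const html = TaintedString.trusted('<b>Hello ').concat(name).concat('</b>');
  return checkSink('innerHTML', html);   // finding: tainted string reached innerHTML
}

function hardenedGreeting(hashValue) {
  const hash = TaintedString.fromSource(hashValue, 'location.hash');
  const name = hash.substring(hash.value.indexOf('name=') + 5).decodeURIComponent();
  const html = TaintedString.trusted('<b>Hello ').concat(escapeHtml(name)).concat('</b>');
  return checkSink('innerHTML', html);   // null: the sanitizer cleared the taint
}

const PAYLOAD = '#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';   // constructed
console.log(JSON.stringify(vulnerableGreeting(PAYLOAD), null, 2));
console.log(hardenedGreeting(PAYLOAD));
```

Running it with node prints the finding for the vulnerable path and null for the hardened one. The trace is the part that "trace back" refers to: it tells the tester which operations (here a substring and a decode) sit between the source and innerHTML, and therefore what an exploit payload has to survive.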
What are the possibilities?
Where DOMXss is concerned the possibilities are almost endless.
At the moment DOMinator helps identify reflected DOM Based Xss, but it could be extended to stored DOMXss analysis.
Download
Start from the installation instructions, then have a look at the video.
Use the issues page to report problems, crashes or anything else.
Finally, subscribe to the DOMinator Mailing List to get live news.
Video
A video showing how DOMinator works has been uploaded here:
Soon I'll post more tutorials about the community version.
Some stats about DOM Xss
We downloaded the Alexa top 1 million list and analyzed the first 100 sites on it in order to verify the presence of exploitable DOM Based Cross Site Scripting vulnerabilities.
Using DOMinator we found that 56 of those 100 sites (56%) were vulnerable to reliable DOMXss attacks.
Some analysis examples can be found here and here.
We'll release a white paper about this research; in the meantime you can try to reproduce our results using DOMinator.
Future work
DOMinator is still in beta, but I see a lot of potential in this project.
For example I can think of:
- Using the DOMinator library (the modified Spidermonkey) in web security scanner projects, for automated batch testing.
- Saving the logs to a DB so they can be analyzed later.
- Per-page testing using Selenium/iMacros.
- A version of DOMinator for xulrunner.
- A lot more.
So, if you're interested in contributing code (or in funding the project), let me know and I'll add you to the project contributors.
We have some commercial ideas about developing a more usable interface on top of our knowledge base, but we can assure you that the community version will always be open and free.
In the next few days I'll release a whitepaper about DOMinator describing the implementation choices and the technical details.
Stay tuned for more information about DOMinator: the best is yet to come.
Acknowledgements
DOMinator is a project sponsored by Minded Security, created and maintained by me (Stefano Di Paola).
I also want to thank Arshan Dabirsiaghi (Aspect Security), Gareth Heyes and Luca Carettoni (Matasano) for their feedback on the pre-pre-beta version :)
Finally, feel free to follow DOMinator news on Twitter as well by subscribing to @WisecWisec and @DOMXss.
Nice work!
Does Dominator only locate DOM-based XSS issues, or can it find other client-side vulnerabilities?
It adds taint propagation to particular strings you can choose.
So if one wants to track some other kind of issue, it can be done.
DOMinator helps analyzing particular flows by giving information to the tester about what happened.
You can add new sources and new sinks whenever you want and let DOMinator warn you when some particular operation is performed.
I suggest you have a look at http://dominator.googlecode.com/files/DOMinator_Control_Flow.pdf for a more insightful perspective.
Great work Stefano!
Next time, I'd like to hear your voice in the video! :)
@thesp0nge
thanks!
hehe I decided to save people from my bad English :)
Maybe next time...
BTW - you may want to rephrase the part where you say that you downloaded 1 million sites and used DOMinator on them.
Your actual sample set for the statistics you quote was 100 sites only, not 1 million, right? That's confusing.
@Anonymous,
thanks, it seemed clear to me, but if you say it's confusing...
Then, yes:
We downloaded the top 1 Million Alexa Csv (http://s3.amazonaws.com/alexa-static/top-1m.csv.zip)
and we tested *only* the first 100 sites of that top 1M using DOMinator.
The result is that 56 out of those top 100 sites were vulnerable to exploitable DOMXss.
Thanks :)
Really nice tool Stefano, can't wait to use it in a real wapt :)
Thanks ascii :)
Looking forward to your feedback!
You say DOMinator is "the first runtime tool which can help security testers to identify DOMXss." That is not correct. See, e.g., FLAX (http://webblaze.cs.berkeley.edu/2010/flax/flax.pdf) or Kudzu (http://webblaze.cs.berkeley.edu/2010/kudzu/).
Since I have followed DOMxss research evolution from the beginning, I would say that both Flax and Kudzu seem to work on very abstract input and sink definitions. Also, the targeted applications seemed to be very buggy and are not comparable with the top 100 Alexa sites.
I would ask you to try the UTF7 Fuzzer against Gmail / Twitter / etc. and try to find some vulnerabilities. I think it would end up in some false positives.
As far as I understand, the automation in Dominator is just meant to be consistent with the Inputs and Sinks presented in the DomXss Wiki. There is no need any more for an abstract input generator.
Thanks for your great work and your presentation at SWISS Cyber Storm 3!
@SecurityAcademic
Thanks for pointing it out. I wasn't aware of those research papers even though I already knew about Vogt's research. I'll add them to the whitepaper as references.
Now, regarding your request.
If we want to be as precise as you are:
1. I see two wonderful research papers, but no public URL to the tool.
2. DOMinator is a tool that "helps" security testers find DOMXss, unlike yours, which seems to be fully automatic.
But I'm not sure, since AFAIK your tool is not public.
So, sorry, but I think my phrase is correct.
@anonymous
thank you for your kind words! :)
Stefano, great work!
I managed to get it working under BackTrack 5.
A couple of issues:
The stack trace feature doesn't seem to be working on 32-bit Linux. I've clicked the stack trace enable button a few times to see if that made a difference. The app I'm working on is minified, but I don't think that's the issue.
Secondly, if you could add CSRF token following, that would be awesome. For example, if it could take the ASP.NET MVC RequestVerificationToken value and submit it every time it changes, that would be good. I found that Dominator would get blocked pretty quickly.
However, I did manage to find a DOM based XSS in a few minutes once I had it going and understood what it was trying to tell me.
Can you please tell me how you got it working on BackTrack...
@Andrew
About issues or help on using DOMinator, you can use:
http://code.google.com/p/dominator/issues/list
and I also suggest you subscribe to the mailing list:
https://groups.google.com/group/dominator-ml
We can keep talking about your issues on the mailing list.
I'm glad you found the DOMXss with DOMinator! :)
Thanks
I want to contribute. phersys@gmail.com
Hi,
I wanted to test it, but it's not compatible with Firefox 6 (Win). Do you plan to release an upgraded version or do I have to downgrade Firefox?
Kind regards,
Dirk.
@Dirk,
DOMinator is not a Firefox plugin. It uses Firefox as a base but modifies Spidermonkey (the JS engine) in order to follow external inputs and identify DOM based Xss.
It should be considered stand-alone software, not a plugin.
Hi Stefano,
Dominator is definitely a handy tool. Thanks for sharing it with the community. As per my understanding, DOM based XSS is different from regular XSS only in the way it is automatically scanned. Please correct me if I'm wrong. As in regular XSS, you inject a vector in the HTTP request and look for the presence of the pattern in the response, which may or may not happen with DOM based XSS, as anything after the # in the URL isn't sent to the server. Do you agree with me? If yes, does that mean that if I inject the vector in a page which may be susceptible to DOM XSS and scan the updated DOM, either programmatically or by manually saving the page to disk, that will confirm the issue for me?
@Nishant
> Dominator is definitely a handy tool.
> Thanks for sharing it to the
> community.
Thanks, much appreciated!
> As per my understanding DOM based XSS is different from regular
> XSS only in the way it is automatically scanned.
>
> Please correct me if I'm wrong.
> As in regular XSS, you inject a vector in the HTTP request and look
> for the presence of the pattern in the response, which may or may not happen
> with DOM based XSS.
Xss, in terms of attack category, is very similar in the way it can execute javascript in the page.
On the other hand, in terms of vulnerability, DOM Xss and Xss are different since the vulnerable code is the javascript executed in the browser.
> As anything after the # in the URL isn't sent to the
> server. Do you agree with me?
Not only after the #. Any possible user controlled input can be considered as a source of troubles. See http://code.google.com/p/domxsswiki/wiki/Sources for more sources.
> If yes, does that mean that if I inject the
> vector in page which may be susceptible to DOM XSS and scan the updated DOM
> may be programmatically or by manually saving the page to disk will confirm
> me the issue?
Well, if you save the vulnerable page with all the scripts you will probably be able to recreate the environment where the vulnerability could be exploited. But the page and JS execution could depend on things like XmlHttpRequest responses that could be more complex to reproduce.
@Stefano
Thanks for being patient in explaining the details to me. I agree with all your points. My next question is: can POST vars be potential sources of DOM XSS, or just GET params and HTTP headers?
@Nishant
Of course POST and HTTP headers cannot be used as direct "Sources" since there's no way to get the payload from javascript.
On the other hand, if some value from the payload is used to instantiate a JS variable, then it could be considered a potentially "indirect" source.
I suggest you have a look at my presentation:
* slides: http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Di_Paola.pdf
* video: http://www.youtube.com/watch?v=bs-HvHJtT9Y
and as previously mentioned the DOM Xss Wiki which describes Sources and Sinks:
* http://code.google.com/p/domxsswiki/wiki/Sources
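As an added example that is not part of the original post or of DOMinator, the following Node.js snippet simulates a page reading several of the sources listed on the DOMXss wiki (fragment, query string, referrer, window.name) plus an "indirect" one of the kind described in the reply above (a server-side value copied into a JS variable), and shows what the server receives versus what the client-side code executes. fakeWindow, SERVER_STATE, the demo URL and the payload are constructed for the example; the vulnerable and hardened renderers are generic illustrations, not code from any real site.

```javascript
// Added example, not code from the post or from DOMinator. Browser objects are
// stubbed with plain objects so the file runs in Node.js; fakeWindow,
// SERVER_STATE and the demo URL are invented for this example.

// What the HTTP server (and its logs or WAF) receives: everything after '#'
// is stripped by the browser before the request is sent.
function serverSideUrl(fullUrl) {
  return fullUrl.split('#')[0];
}

// Minimal stand-in for the browser's window object.
function fakeWindow(fullUrl, opts) {
  const u = new URL(fullUrl);
  return {
    location: { href: u.href, search: u.search, hash: u.hash },
    document: { referrer: (opts && opts.referrer) || '' },
    name: (opts && opts.name) || '',
    // "Indirect" source: a value the server copied from a POST body into an
    // inline script variable, which client-side code then trusts blindly.
    SERVER_STATE: { username: (opts && opts.postedUsername) || 'guest' },
  };
}

// Direct sources: the fragment never reaches the server at all; the query
// string and Referer are at best logged; window.name survives navigation.
function collectSources(win) {
  return {
    hash: win.location.hash.slice(1),
    search: win.location.search.slice(1),
    referrer: win.document.referrer,
    name: win.name,
    serverVar: win.SERVER_STATE.username,
  };
}

// Hand-rolled parameter parser of the kind DOM XSS bugs are usually found in:
// it decodes each value, so '%3C' becomes '<' again before it hits the sink.
function parseParams(s) {
  const out = {};
  for (const pair of s.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: an untrusted fragment value (or, failing that, the server-injected
// variable) is concatenated into markup and assigned to innerHTML, an HTML sink.
// 'el' is a stub object standing in for a DOM element.
function renderVulnerable(win, el) {
  const src = collectSources(win);
  const p = parseParams(src.hash);
  el.innerHTML = '<h1>Welcome ' + (p.user || src.serverVar) + '</h1>';
  return el.innerHTML;
}

// Hardened: same data flow, but the value is HTML-escaped before the sink.
// Assigning to textContent instead of innerHTML would be the other correct fix.
function renderHardened(win, el) {
  const src = collectSources(win);
  const p = parseParams(src.hash);
  el.innerHTML = '<h1>Welcome ' + escapeHtml(p.user || src.serverVar) + '</h1>';
  return el.innerHTML;
}

// Constructed demo input: payload lives entirely in the fragment.
const DEMO_URL = 'https://example.test/profile?lang=en#user=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const demoWin = fakeWindow(DEMO_URL, { postedUsername: 'alice' });
console.log('server sees :', serverSideUrl(DEMO_URL));
console.log('vulnerable  :', renderVulnerable(demoWin, {}));
console.log('hardened    :', renderHardened(demoWin, {}));
```

The first printed line is all a server-side scanner, log review or WAF ever gets to see, which is why a reflected-XSS style check (inject, then grep the HTTP response) cannot find this class of bug; the second line is what the browser actually renders.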
@Nishant
Also, if you have more questions about DOMXss, contact me via email.
We're going a bit off topic here :)
Hey bro, I had a question:
I have found some HTML injection in sites with Dominator and got an alert box in the Dominator browser, but whenever I try to reproduce it in other browsers like Mozilla, Chrome etc. it doesn't show the alert box. Why is that?
Is there any way I can get it done?
Thank you!
Sir, the free version of DOMinator doesn't contain the log enabled, warning and alert keys, so how can we find DOM vulnerabilities using the free version of DOMinator?
This is the first time I have come upon your amazing project. I am totally astonished by your work! You are a genius!
Thanks