Nytro

nullcon Goa 2012: Ra.2: Blackbox DOM-based XSS scanner - By Nishant and Sarathi


Published on Jun 29, 2012 by nullOxOO

Ra.2 - Blackbox DOM-based XSS Scanner is our approach towards finding a solution to the problem of detecting DOM-based Cross-Site Scripting vulnerabilities in web applications automatically, effectively and fast. It is currently in its alpha-release state. We have tried hard to understand what the current solutions available to this problem are. And to our surprise, we found that there are very few tools out there that can really aid penetration testers in their testing. We firmly believe in not re-inventing the wheel, and we decided to build this tool because the available solutions either were not doing what they are meant for, had quite a steep learning curve, required so much manual analysis that they were not as good as a tool, or were commercial solutions.

Ra.2 is basically a lightweight Mozilla Firefox add-on that uses a very simple yet effective and unique approach to detect most DOM-based XSS vulnerabilities, if not all. The user can start a scan on a page right within the browser. Ra.2 has no URL crawler component as of now, so the user has to feed all the URLs (if there are multiple pages to be scanned) before running a scan. Since Ra.2 is a browser add-on, it is a session-aware tool which can scan a web application that requires authentication. Ra.2 uses a custom-collected list of XSS vectors which has been heavily modified to be compatible with its scanning technology. Being a blackbox fuzzer, as soon as the user initiates a scan, the tool fuzzes all possible sources of DOM-based XSS vectors with its own custom-defined callback (this has multiple advantages, to be discussed at the conference). This callback, if it lands in a sink and gets successfully executed by Firefox's JavaScript engine, shall send an XHR to our database host. Once the tool has finished fuzzing, it shall generate a report based on the findings. The reporter has the option to customize the reports, relevant to a multi-user environment. The add-on also implements basic browser instrumentation to simulate human interaction in order to trigger some hard-to-detect DOM-based XSS conditions.

The tool may also include a grep-based static-code analyzer for locating sources and sinks of DOM-based XSS. In future we plan to figure out a way to detect browser-specific DOM-based XSS issues, and to implement a runtime code-flow analysis tool with fewer false negatives and better reporting capabilities.
