DOMinatorPro a full featured DOM XSS security suite

DOMinatorPro: two versions, better results

The Problem with JavaScript Security

DOM XSS is Potentially Extremely Dangerous

Cloud-based websites and new HTML5 web interfaces use a lot of JavaScript, and JavaScript can be abused to break into websites. XSS is referenced in the OWASP Top Ten 2013 and, as a consequence, in the PCI DSS standard.

XSS Attacks are Widespread

Cross Site Scripting (XSS) can be considered the new buffer overflow: it is basically an abuse of JavaScript functionality to carry out web attacks, and it is the most widespread vulnerability of all time.

DOM XSS are Hard to Find

DOM XSS is XSS that takes place inside the DOM. It happens when JavaScript code handles input unsafely, and malicious attackers can take advantage of it. Conventional tools cannot find it, and if you can't find it, you can't fix it.

The Best Available Solution

Scanning Automation

DOMinatorPro Enterprise Edition can automatically scan an entire website. This is the fastest way to scan and analyze big enterprise portals with rich JavaScript content, just as a tester would do with a browser.

Ready Data: Realtime Dynamic Data Tainting

Unlike our competitors, DOMinatorPro uses the browser's JavaScript engine natively to understand the code. Our control-flow engine is so powerful that it can inspect almost any obfuscated code.

Automatic Exploitability Check

Data validation and context awareness make the dynamic runtime tainting model on strings even more powerful, since DOMinatorPro understands whether a DOM XSS vulnerability is actually exploitable.
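To make the tainting idea concrete, here is an added example (not DOMinatorPro's code and not a description of its internals) that models dynamic data tainting in plain JavaScript: strings that originate from an untrusted source carry their source names, concatenation and slicing propagate them, and a simulated HTML sink reports tainted data that arrives without validation or encoding. It also models the pattern-gated flow from the fuzzer video further down this page, where the sink is reached only when the input matches a pattern the page checks for. The source names, sink names, the allow-list regex and the two sample fragments are all constructed for this example; there is no real DOM involved.

```javascript
// Added example: a minimal model of dynamic data tainting for DOM XSS.
// Not DOMinatorPro code; all names and sample inputs are constructed.

class Tainted {
  constructor(value, sources) {
    this.value = String(value);
    this.sources = sources;            // e.g. ["location.hash"]
  }
  toString() { return this.value; }
}

// Mark a value as coming from an attacker-controlled source (constructed name).
function fromSource(sourceName, value) {
  return new Tainted(value, [sourceName]);
}

function raw(v) { return v instanceof Tainted ? v.value : String(v); }

// Concatenate parts; the result stays tainted if any part was tainted.
function taintedConcat(...parts) {
  let value = "";
  const sources = [];
  for (const p of parts) {
    if (p instanceof Tainted) {
      value += p.value;
      sources.push(...p.sources);
    } else {
      value += String(p);
    }
  }
  return sources.length ? new Tainted(value, sources) : value;
}

// Substring keeps the taint of its input.
function taintedSlice(input, start) {
  return input instanceof Tainted
    ? new Tainted(input.value.slice(start), input.sources)
    : String(input).slice(start);
}

// Strict allow-list validation: on success the value becomes trusted (plain string).
function validateToken(input) {
  const v = raw(input);
  return /^[A-Za-z0-9_-]{1,32}$/.test(v) ? v : null;
}

// HTML entity encoding for an element text context; the result is treated as
// trusted for an innerHTML sink (simplification: real context awareness must
// also cover attribute, URL and script contexts).
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return raw(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated HTML sink (innerHTML, document.write, jQuery .html(), ...).
// Returns a finding when tainted data reaches it, otherwise null.
function htmlSink(sinkName, data) {
  if (data instanceof Tainted) {
    return { sink: sinkName, sources: [...new Set(data.sources)], value: data.value };
  }
  return null;
}

// Vulnerable page logic: the fragment must match "#tab=" before the flow
// reaches the sink, so only a matching input exposes the problem.
function renderTabVulnerable(hash) {
  if (!raw(hash).startsWith("#tab=")) return null;   // pattern not matched
  const tab = taintedSlice(hash, "#tab=".length);
  const html = taintedConcat('<div class="tab">', tab, "</div>");
  return htmlSink("element.innerHTML", html);
}

// Hardened variant: validate against an allow-list, then encode for the context.
function renderTabHardened(hash) {
  if (!raw(hash).startsWith("#tab=")) return null;
  const tab = validateToken(taintedSlice(hash, "#tab=".length));
  if (tab === null) return null;                      // rejected input never reaches the sink
  const html = taintedConcat('<div class="tab">', escapeHtml(tab), "</div>");
  return htmlSink("element.innerHTML", html);
}

// Fuzzer-style harness: try a non-matching fragment and one that satisfies the
// pattern so that every branch leading to the sink is exercised (constructed inputs).
function analyze(render) {
  const inputs = ["#home", "#tab=settings"];
  return inputs.map((v) => render(fromSource("location.hash", v)));
}

console.log(analyze(renderTabVulnerable));   // second entry is a finding
console.log(analyze(renderTabHardened));     // no findings
```

The point the example makes is the one the paragraph above states: taint alone says that attacker data reached a sink, while exploitability depends on what happened to the data on the way. Here a passing allow-list check or an HTML-encoding step clears the taint, whereas the vulnerable flow carries the fragment straight into innerHTML.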

DOMinatorPro

This is the only available tool on the market that can identify DOM XSS vulnerabilities with the highest possible precision.

Please choose the version of DOMinatorPro license which best suits your needs.

Usage of this software is subject to license agreement and to terms and conditions.


  • Stored String Control
  • Taint Propagation on Storage
  • HTML Sinks
  • Fine Control on Input Elements
  • jQuery Sinks
  • User Experience
  • URL Fuzzer
  • Exploitability Analysis
  • Identifies Advanced Issues
  • Spider
  • Alert Collector
  • Remote Scripting
  • Scanning Automation
  • E-learning Platform
  • Professional Services Support


DOMinatorPro video tutorials

Here you can find several videos about DOMinatorPro and how to use it.


This video demonstrates how to use the DOMinatorPro Fuzzer feature and how to identify a DOM HTML injection vulnerability on a google.com page. DOMinatorPro is able to recognise when the JavaScript code loaded by the page looks for a particular pattern in its input. The fuzzer then supplies that pattern so that every possible JavaScript flow is analyzed, which makes it possible to understand whether the pattern can be abused by an attacker. The video also shows how a real HTML injection vulnerability was found on a Google Toolbar page using this feature; this finding was also cited by the Department of Homeland Security in its daily report.





Here, a DOM XSS is shown on the Google Plus One button which can lead to external JavaScript execution. This vulnerability was particularly interesting because it was present on every page containing a Google +1 button. In this video you can see how it was possible to load JavaScript code from the domain dominator.mindedsecurity.com inside the page plusone.google.com and execute it. DOMinatorPro identifies this vulnerability as URL Redirection, and its description gives useful advice on how to determine whether the issue is actually exploitable.

First Step: Identify DOM based Vulnerabilities



The DOMinatorPro user interface was designed to improve accuracy and speed in the detection of DOM XSS vulnerabilities. The Vulnerability Deck is where discovered security vulnerabilities are reported. To discover DOM XSS or other kinds of JavaScript issues on their websites, users just have to browse with DOMinatorPro and the "Log Button" enabled; issues are automatically displayed on the Vulnerability Deck. A quality team is in charge of interacting correctly with the website:
  • browsing and visiting all of the pages;
  • interacting with HTML elements and waiting long enough for all background actions to terminate;
  • checking the notification page for any discovered alerts, their URL location and the steps to reproduce them.



Second Step: Test vulnerabilities



Software security testers usually evaluate the risk of security issues by exploiting them. The source history shows not only a simplified list of the function calls but also the data string that is passed through them. The Browser Emulation feature built into DOMinatorPro lets the user find vulnerabilities for any browser, even though DOMinatorPro is built as a Mozilla Firefox component. DOM XSS vulnerabilities are usually browser specific, but now it's possible to understand the impact using just one browser. Vulnerability Analysis gives insight into regular expressions and other kinds of encoding such as escape, unescape and so on.



Third Step: Fix any reported bugs



The developers' main task is to review the code and fix the security issues. This is possible thanks to the integration of DOMinatorPro with the Firebug debugger. The full call stack (stack trace) is directly connected to the JavaScript source code for immediate debugging and identification of the vulnerable piece of code. If the JavaScript code is compressed, it's possible to turn on JSD (Beautifier) for better visualization. The Knowledge Base provides useful information about the issue and refers to resources that support the remediation task.

What people say about DOMinatorPro

Read below what some of our users think about DOMinator:


DOMinatorPro helped in understanding the source of the problem of a regression issue found by Mario Heiderich on the official jQuery website: jQuery "Migrate" Plugin.
"jQuery Migrate" is a Sink, too?!




Lavakumar Kuppan in his presentation "Automating JavaScript Static Analysis" at Nullcon 2013 mentions DOMinatorPro because of its DOM XSS coverage!
Automating JavaScript Static Analysis




Abyssec found a DOM XSS on Yahoo Mail. He says that DOMinatorPro can find it as well!
DOMSDAY Analyzing a DOM-Based XSS in Yahoo!




Also Nils Juenemann finds DOMinatorPro very useful. Read a couple of his tweets about our product.
"The best tools for black box testing" and "Found 3 bugs with DOMinatorPro at Google".




The Department of Homeland Security cites DOMinatorPro and one of our blog posts in its Daily Report of 13th November 2012.
You can find the daily report here and our blog post here.




Stefano Di Paola finds a DOM Cross Site Scripting on Google Plus One button using DOMinatorPro.
DOM XSS on Google Plus One Button




Read what Michele Orru, Ryan Dewhurst and Steven Pinkham think about DOMinatorPro in this web security mailing list.
Read their impressions here, here and here




Read how DOMinatorPro helped in finding a DOM XSS that affected the well-known Facebook Like button present on millions of websites.
Analysis of DOM XSS vulnerability in a Facebook Like Button implementation



At the W3C Conference 2011 they talked about the security of the next generation of web applications, about DOM XSS and about the need for a tool able to find these kinds of problems. Since 2012 DOMinatorPro has been available, ready to be used and fully automated (Enterprise Version).
http://cdn-smooth.ms-studiosmedia.com/events/W3C/Day2/Securing_Web_Apps_1200k.webm




With DOMinatorPro we found a DOM XSS on Twitter, but that was not the end. This is the saga of ONE security issue and MANY wrong fixes before getting things working properly.
A Twitter DOM XSS, a wrong fix and something more


Russia:

Quarta Technologies

Phone: +7 (495) 234-4018

soft@quarta.ru

www.quarta.ru

Netherlands:

BTSoftware

Phone: +31-40-2845111

Fax: +31-40-2906460

btsoftware@btsoftware.com

www.btsoftware.com/

Minded Security S.r.l. - VAT IT05756380480 - License Agreement - Terms and Conditions - All Rights Reserved.