Hackers of India

Ra.2 Blackbox DOM-based XSS scanner

Nishant Das Patnaik, Sarathi Sabyasachi Sahoo

2012/02/15

Abstract

Ra.2 - Blackbox DOM-based XSS Scanner is our approach to detecting DOM-based Cross-Site Scripting vulnerabilities in web applications automatically, effectively and fast. It is currently in its alpha-release state. We tried hard to understand what solutions are currently available for this problem and, to our surprise, found very few tools that can really aid penetration testers in their testing. We firmly believe in not re-inventing the wheel, but we decided to build this tool because the available solutions either were not doing what they are meant for, had quite a steep learning curve, required so much manual analysis that they were not really tools at all, or were commercial.

Ra.2 is a lightweight Mozilla Firefox add-on that uses a very simple yet effective and unique approach to detect most DOM-based XSS vulnerabilities, if not all. The user can start a scan on a page right within the browser. Ra.2 has no URL crawler component as of now, so the user has to feed it all the URLs (if there are multiple pages to be scanned) before running a scan. Since Ra.2 is a browser add-on it is session-aware and can scan a web application that requires authentication.

Ra.2 uses a custom collected list of XSS vectors which has been heavily modified to be compatible with its scanning technique. Being a blackbox fuzzer, as soon as the user initiates a scan the tool fuzzes all possible DOM-based XSS sources with vectors carrying its own custom-defined callback (this has multiple advantages, to be discussed at the conference). If this callback lands in a sink and is successfully executed by Firefox's JavaScript engine, it sends an XHR to our database host, so a recorded callback is proof of execution rather than a guess based on reflected output. Once the tool has finished fuzzing it generates a report from the recorded findings; the reporter can customize the reports for a multi-user environment. The add-on also implements basic browser instrumentation to simulate human interaction and trigger some hard-to-detect DOM-based XSS conditions.

The tool may also include a grep-based static code analyzer for locating sources and sinks of DOM-based XSS. In future we plan to find a way to detect browser-specific DOM-based XSS issues and to implement a runtime code-flow analysis tool with fewer false negatives and better reporting capabilities.
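The callback-fuzzing loop described above, as an added example written for this page (it is not Ra.2's code and does not use the add-on's API). It runs under Node.js, so the browser is simulated: a minimal window object provides the DOM sources, the collector function stands in for the XHR to the database host, and the innerHTML sink is a stand-in that runs only the on* handlers it finds with a regular expression, where a real browser would parse the markup. The three page handlers, the vector list and the token format are constructed for the example.

```javascript
'use strict';
// Added example, not Ra.2's code: a Node.js model of blackbox DOM-XSS fuzzing
// with a callback payload. Browser objects, page handlers, vectors and the
// token format below are all constructed for the example.

// --- Collector: stands in for the XHR Ra.2 sends to its database host -------
const hits = new Map();                       // token -> time the callback fired
function __ra2cb(token) { hits.set(token, Date.now()); }

// --- Simulated browser ------------------------------------------------------
function makeWindow() {
  return {
    location: { href: 'http://app.example/page', hash: '', search: '' },
    document: { referrer: '', body: { innerHTML: '', textContent: '' } },
    name: '',
  };
}

// Stand-in for the innerHTML sink: a real browser parses the markup and runs
// any on* event handler; here we extract the handlers with a regex and run them.
function innerHTMLSink(win, markup) {
  win.document.body.innerHTML = markup;
  const handler = /\son\w+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of markup.matchAll(handler)) {
    const code = m[1] ?? m[2] ?? m[3];
    new Function('__ra2cb', code)(__ra2cb);   // handler body executes here
  }
}
// JavaScript sink (eval / new Function): direct code execution.
function evalSink(code) { new Function('__ra2cb', code)(__ra2cb); }
// Safe sink: text is never parsed or executed.
function textContentSink(win, text) { win.document.body.textContent = text; }

// --- Pages under test: the application's own client-side JavaScript ---------
const pages = {
  // vulnerable: location.hash flows into innerHTML
  hashToHtml: (win) => innerHTMLSink(win, '<div id=msg>' + win.location.hash.slice(1) + '</div>'),
  // vulnerable: a query parameter is spliced into code that is then evaluated
  searchToEval: (win) => evalSink('var cfg = "' + win.location.search.slice(1) + '";'),
  // safe: document.referrer only reaches textContent
  referrerToText: (win) => textContentSink(win, win.document.referrer),
};

// --- Scanner ----------------------------------------------------------------
// DOM-XSS sources the fuzzer can control, each with a setter on the window.
const SOURCES = {
  'location.hash':     (win, v) => { win.location.hash = '#' + v; },
  'location.search':   (win, v) => { win.location.search = '?' + v; },
  'document.referrer': (win, v) => { win.document.referrer = v; },
  'window.name':       (win, v) => { win.name = v; },
};
// Vectors carry the callback with a token that identifies page, source and vector.
const VECTORS = [
  (t) => `<img src=x onerror=__ra2cb('${t}')>`,   // HTML context
  (t) => `";__ra2cb('${t}');//`,                  // double-quoted JS string context
  (t) => `';__ra2cb('${t}');//`,                  // single-quoted JS string context
];

// Fuzz every (source, vector) pair against one page; a fired callback with the
// matching token proves that the payload reached an executing sink.
function scan(page, pageName) {
  const findings = [];
  for (const [sourceName, setSource] of Object.entries(SOURCES)) {
    VECTORS.forEach((vector, vi) => {
      const token = `${pageName}:${sourceName}:${vi}`;
      const win = makeWindow();               // fresh window per attempt
      setSource(win, vector(token));
      try { page(win); } catch (e) { /* page JS threw: not a finding */ }
      if (hits.has(token)) findings.push({ page: pageName, source: sourceName, vector: vi });
    });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, page] of Object.entries(pages)) console.log(name, scan(page, name));
}
```

Running the block reports one finding for `hashToHtml` (the HTML vector via `location.hash`), one for `searchToEval` (the double-quote breakout via `location.search`) and none for `referrerToText`. The point of the token is that the report names the exact source and vector that executed, and a payload that is merely echoed back without running never registers.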