DOMinator foreword


Stefano Di Paola

May 6, 2011, 4:26:05 AM
to DOMinator List
Hey guys,

first of all I want to thank you for giving me some feedback.

Since DOMinator is split in:
1) Dominator Core: Firefox/SpiderMonkey modification
2) Dominator GUI Extension: the GUI.

From now on, I encourage you to write "DOMinator Core" when talking
about 1), "DOMinator GUI" or "DOMinator extension" when talking about 2),
and "DOMinator" when talking about the whole project.

== Status of Dominator project ==

DOMinator is *not* production ready; it is still in a heavy testing phase,
and since I was the only developer/architect who wrote all the stuff you see
in a few months, I have to admit there are surely poor implementation
choices and dirty code in the DOMinator Core, and usability issues
in the GUI.

As you all have seen, there's a lot of stuff to be improved and added,
but I think DOMinator has a lot of potential in JS runtime analysis
methodology. And that can be proved with the results I achieved on the
Alexa Top 100.
56 out of the 100 top Alexa sites are or were vulnerable to some kind of
reflected DOM XSS, and most of them on their front page.
Some of those were from big advertising companies.

== Criticism ==

I'm very open to any kind of criticism on any choice I took.

Of course someone can think it's not a good idea at all to modify
SpiderMonkey in order to add tainting properties to native strings, and
would have chosen some other way to have a runtime analysis engine.

The reason why I chose such a definitive solution is that there
are a lot of problems when dealing with JavaScript code without using a
real interpreter, and believe me, I had to face them all before reaching
this solution.

I tried to be as abstract as I could in the SpiderMonkey engine and to
minimize the changes in the Firefox code, so that, eventually, a good
implementation of an extension can do most of the analysis while
browsing.

== Project startup ==

That said, I've set up a dominator project on Google Code which will host
the extension development and the diff of the code for DOMinator Core.
We'll see if it's possible to upload the compiled versions of DOMinator
Core as well.
In the meantime, the Google Code project page is
http://code.google.com/p/dominator

I've uploaded a new version of the extension, which resolves some issues,
so download it and install it if you want.

In the wiki there are the installation instructions for DOMinator Core and
the DOMinator extension.
http://code.google.com/p/dominator/wiki/InstallationInstructions


== Future work, conclusion and involvement ==

I see a lot of potential in this project.
For example, I can think about:
* DOMinator library (SpiderMonkey) used in web security scanner projects
for automated batch testing.

* Logging can be saved in a DB and analyzed later.
* Per-page testing using Selenium/iMacros.
* A lot more.

but it depends on how many people will help me in improving it.

So if you're also interested in contributing to the code, let me know and
I'll add you to the project contributors.

I have some commercial ideas about it but I can assure you that the
community version will always be open and free.

Cheers,
Stefano

--
Stefano Di Paola
Chief Technology Officer, Lead Auditor ISO 27001
Minded Security - Application Security Consulting

Twitter: @WisecWisec
Company Site: http://www.mindedsecurity.com
Personal Site: http://www.wisec.it
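The post describes DOMinator Core's approach in one sentence: add taint properties to native strings inside the interpreter so that untrusted input can be followed through string operations to a DOM sink. The block below is an added example, not DOMinator's own code and not from the author; it is a toy model of that idea in plain JavaScript so it runs outside a browser. A `TaintedString` wrapper stands in for the instrumented native string, `readHash()` reads a constructed `fakeLocation.hash` instead of the real `location.hash`, and `innerHTMLSink()` records a finding instead of writing to a DOM. All of those names, and the three page patterns in `runPage()`, are assumptions made for the example.

```javascript
// Added example, not DOMinator code: a toy model of string tainting.
// Untrusted sources return tainted strings, string operations propagate the
// taint (and record what was done), and a sink reports any tainted value
// that reaches it. Names and the fake browser objects are assumptions.

class TaintedString {
  constructor(value, sources = [], history = []) {
    this.value = String(value);
    this.sources = sources;   // untrusted sources that fed this value
    this.history = history;   // string operations applied since the source
  }
  get tainted() { return this.sources.length > 0; }

  // Derive a new string from this one (and optionally another operand),
  // keeping the union of their taint sources and appending the operation.
  derive(value, op, other) {
    const o = other instanceof TaintedString ? other : null;
    const sources = o ? [...new Set([...this.sources, ...o.sources])] : [...this.sources];
    const history = o ? [...this.history, ...o.history, op] : [...this.history, op];
    return new TaintedString(value, sources, history);
  }
  concat(other) { const o = lift(other); return this.derive(this.value + o.value, 'concat', o); }
  slice(start, end) { return this.derive(this.value.slice(start, end), 'slice'); }
  toUpperCase() { return this.derive(this.value.toUpperCase(), 'toUpperCase'); }
  // replace() does not clear taint: an ad-hoc encoder is just another string
  // operation, which is what lets a runtime tracer show the full source-to-sink path.
  replace(pattern, repl) { return this.derive(this.value.replace(pattern, repl), 'replace'); }
  toString() { return this.value; }
}

// Wrap a plain value as an untainted string; pass tainted strings through unchanged.
function lift(x) { return x instanceof TaintedString ? x : new TaintedString(x); }
// Mark a value as coming from a named untrusted source.
function taint(value, source) { return new TaintedString(value, [source], []); }

// Constructed stand-in for the browser: the URL fragment is attacker-controlled.
const fakeLocation = { hash: '#<img src=x onerror=alert(1)>' };
function readHash() { return taint(fakeLocation.hash.slice(1), 'location.hash'); }

// Sink model for element.innerHTML: records a finding when a tainted value
// arrives, the way a tracer would log it, instead of touching a DOM.
function innerHTMLSink(elementId, html, findings) {
  const s = lift(html);
  if (s.tainted) {
    findings.push({ sink: 'innerHTML', element: elementId,
                    sources: s.sources, history: s.history, value: s.value });
  }
  return s.value;
}

// Simulates one page load with three patterns a DOM XSS review cares about
// and returns the list of findings the sink recorded.
function runPage() {
  const findings = [];
  const tab = readHash();

  // 1. Vulnerable: the fragment flows into innerHTML through concatenation.
  const markup = lift('<div class="tab">').concat(tab.toUpperCase()).concat('</div>');
  innerHTMLSink('content', markup, findings);

  // 2. Still reported: taint survives the home-grown encoder, so the tracer
  //    flags it and the reviewer decides whether the encoding is sufficient.
  const encoded = tab.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  innerHTMLSink('title', encoded, findings);

  // 3. Not reported: the value is checked against an allow-list and a constant
  //    (untainted) string is used; nothing derived from the source reaches the sink.
  const allowed = ['home', 'news'];
  const chosen = lift(allowed.includes(tab.value) ? tab.value : 'home');
  innerHTMLSink('nav', lift('<a href="#').concat(chosen).concat('">').concat(chosen).concat('</a>'), findings);

  return findings;
}

// Stand-alone run: prints the two findings with their source and operation history.
console.log(JSON.stringify(runPage(), null, 2));
```

The `history` array is the part worth looking at: a finding that reads `['replace', 'replace']` from `location.hash` tells the reviewer exactly which transformations stood between the source and `innerHTML`, which is the information a static grep for sinks cannot give and the reason the post argues for instrumenting the interpreter rather than parsing the JavaScript externally.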

