neraliu edited this page Apr 11, 2014 · 3 revisions

TPJS

Tainted PhantomJS is a scriptable tool for DOM-based XSS detection. It is built on the open source PhantomJS by modifying the JavaScriptCore and WebKit engines to carry a taint signal. With the scripting capabilities of PhantomJS and its wide adoption as a QE automation tool, Tainted PhantomJS is highly customizable for DOM-based XSS detection in HTML5 web applications: adding a few lines to the original test suites is enough.

Problem

Traditionally, reflected XSS can be detected from the server response. DOM-based XSS, however, leaves no network trace: in most cases the attack payload is manipulated entirely in the DOM by the client-side browser, without any intervention from the web server. One cannot find DOM-based XSS by reading the access log, nor scan for it by reading the plaintext response from a server. DOM-based XSS can only be detected by tracing the application's JavaScript logic, which is usually wrapped in anonymous functions or supplied via eval statements. DOM-based XSS is hard to find in source code; the code we show is a small portion of the JavaScript sourced on a page, and such scripts are usually minified or obfuscated. Relying on human effort to find DOM-based XSS carries a huge overhead.

Solution

We implemented Tainted PhantomJS, which is the first tool in the industry to successfully build taint checking into a JavaScript engine. The implementation is done inside WebKit [2] and JavaScriptCore [3]. By carefully instrumenting the tainted sources and sinks, we enable the detection of DOM-based XSS via taint checking. The scripting of event navigation that emulates browser interaction is done via PhantomJS [4]. Since many JavaScript functional test frameworks are backed by PhantomJS, our solution can be plugged into them right away. We further provide a command-line tool and a web tool for those who want to evaluate it before plugging it into an automated testing framework.
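To illustrate the source/sink taint checking described above, here is an added example in plain JavaScript (runs under Node, no DOM); it is not code from the TPJS project. TPJS carries the taint inside the engine on every string; this model uses a `Tainted` wrapper instead, and the page script, source value and sink names are constructed samples.

```javascript
// Added example, not TPJS code: userland model of the source/sink taint
// tracking TPJS does inside JavaScriptCore/WebKit. A Tainted wrapper stands
// in for engine-level taint; page script, source and sink names are constructed.
class Tainted {
  constructor(value, origin) { this.value = String(value); this.origin = origin; }
  toString() { return this.value; }
  slice(...a) { return new Tainted(this.value.slice(...a), this.origin); } // keeps taint
}
const isTainted = (v) => v instanceof Tainted;

class TaintTracker {
  constructor() { this.findings = []; }
  // Source: attacker-controllable input such as window.location.hash.
  source(name, value) { return new Tainted(value, name); }
  // Propagation: a string operation with a tainted operand yields a tainted
  // result; shown for concatenation and URL decoding.
  concat(...parts) {
    const origins = [...new Set(parts.filter(isTainted).map((p) => p.origin))];
    const joined = parts.map(String).join('');
    return origins.length ? new Tainted(joined, origins.join('+')) : joined;
  }
  decode(v) {
    const out = decodeURIComponent(String(v));
    return isTainted(v) ? new Tainted(out, v.origin) : out;
  }
  // Sink: an API that interprets its argument as HTML or script. Tainted data
  // reaching it is recorded as a DOM-based XSS finding; the page keeps running,
  // so an existing test suite only has to read `findings` afterwards.
  sink(name, v) {
    if (isTainted(v)) this.findings.push({ sink: name, source: v.origin, value: v.value });
    return String(v);
  }
}

// Constructed vulnerable page script: greets the visitor by the name taken from
// the URL fragment. `hash` stands in for window.location.hash.
function runVulnerablePage(hash) {
  const t = new TaintTracker();
  const name = t.decode(t.source('location.hash', hash).slice(1));
  t.sink('Element.innerHTML', t.concat('<b>Hello ', name, '</b>'));
  return t.findings; // [{ sink: 'Element.innerHTML', source: 'location.hash', ... }]
}

// Control: the same sink fed only from literals yields no finding; the report
// depends on data flow, not on matching a payload pattern.
function runSafePage() {
  const t = new TaintTracker();
  t.sink('Element.innerHTML', t.concat('<b>Hello ', 'guest', '</b>'));
  return t.findings; // []
}
```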
