mozfreddyb / domsnitch

Automatically exported from code.google.com/p/domsnitch
Apache License 2.0
5 stars 0 forks source link

Failing to flag a simple source #18

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
DOMSnitch is not catching a simple test where location.search.substring(1); 
makes it's way to an innerHTML.

Test case is up here http://nottrusted.com/test/dom.html?x=y

Or to get an onmouseover event in: 
http://nottrusted.com/test/dom.html?x=aa%3Ca%20href%3d%27a%27%20onmouseover=%27a
lert%281%29%27%3Eref%3C/a%3E

I used DOMinator which caught this and expected DOMSnitch to do the same.  

Original issue reported on code.google.com by chris@casaba.com on 8 Jul 2011 at 9:46

GoogleCodeExporter commented 8 years ago
This is due to a race condition between when DOM Snitch can properly traverse 
the DOM tree (where everything is done via JavaScript without interacting 
directly with any debug functionality in the V8 engine) and inline JS being 
executed as part of parsing the HTML document. This is a known pain point and 
there are active development works to address this sort of things. Stay tuned!

Original comment by r...@r-n-d.org on 9 Jul 2011 at 7:38

GoogleCodeExporter commented 8 years ago
Thanks for the fast reply, and great work on DOMSniff keep it up!

Original comment by chris@casaba.com on 12 Jul 2011 at 4:51

GoogleCodeExporter commented 8 years ago
The detection problem should be addressed in 0.717. However, there is more to 
be done in determining if it is exploitable.

Original comment by r...@r-n-d.org on 1 Sep 2011 at 8:12