neraliu / tainted-phantomjs

Tainted PhantomJS
BSD 3-Clause "New" or "Revised" License

Zero false positives #9

Open andresriancho opened 10 years ago

andresriancho commented 10 years ago

Some guys from SAP did some research and scanned thousands of sites. One of the coolest things from their research is that they claim to have "zero false positives". I was wondering if this would be possible using tpjs?

yukinying commented 10 years ago

The idea is that tpjs would produce a list of possible domxss candidates, and then the fuzzer (domxss.js) would verify them one by one using the headless phantomjs again. I think this has already been implemented in domxss.js. @neraliu for more details...

neraliu commented 10 years ago

The idea of zero false positives has 2 problems that need to be solved.

  1. Fuzz the input with some delimiters into the DOM and trigger the alert(0) box. We can leverage phantomjs to achieve this; we want to leverage the taint analysis to minimize the patterns to fuzz. The code is already in domxss.js.
  2. Another problem is how the scanner knows the user interaction flow of the page. As it requires domain knowledge of the page, it is actually out of scope. BUT, I think there are a lot of hacky ways to do it, like clicking all buttons of the page, checking the value attribute of the button to make some judgements, etc.

Anyway, if the web application has set up a test case already, the domain knowledge is already there, so the script for taint analysis and the fuzzing input are already ready.
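The probe-then-confirm stage that the comment above describes (taint analysis yields candidate sinks, a delimiter fuzz narrows the payload, and only a payload that actually fires the alert hook is reported), as an added example that is not code from tainted-phantomjs or domxss.js. The three candidate sinks, the `tpjs` marker, the payload table and the `confirmed()` check are all constructed for this example: in the real tool the confirmation is a second headless PhantomJS load with `window.alert` hooked, which this stand-in replaces with a static check that `alert(0)` landed in an event-handler attribute of a tag.

```javascript
// Added example (not tainted-phantomjs code): probe a DOM XSS candidate with
// a delimiter fuzz, pick a minimal payload from what survives, then confirm.
const MARKER = 'tpjs';                 // assumed marker, contains no delimiters
const DELIMS = ['<', '>', '"', "'"];  // delimiters whose survival we test

// Constructed stand-ins for candidate sinks that taint tracking would report.
// Each maps attacker-controlled input (think location.hash) to the HTML it writes.
const CANDIDATES = {
  // innerHTML with the raw value: every delimiter survives
  rawHtml: (v) => `<div id="out">${v}</div>`,
  // strips angle brackets but writes into a double-quoted attribute
  quotedAttr: (v) => `<a title="${v.replace(/[<>]/g, '')}">link</a>`,
  // entity-encodes every delimiter: nothing survives
  encoded: (v) => `<div>${v.replace(/[<>"']/g, (c) => `&#${c.charCodeAt(0)};`)}</div>`,
};

// Stage 1: one probe per candidate tells us which delimiters reach the sink
// unmodified. Each delimiter is wrapped in the marker, so a survivor shows up
// verbatim as MARKER + d + MARKER in the sink output.
function probe(sink) {
  const input = MARKER + DELIMS.map((d) => d + MARKER).join('');
  const out = sink(input);
  const surviving = DELIMS.filter((d) => out.includes(MARKER + d + MARKER));
  return { out, surviving };
}

// Where did the marker land: inside a tag (attribute context) or in text?
function landingContext(out) {
  const i = out.indexOf(MARKER);
  if (i < 0) return 'none';
  const before = out.slice(0, i);
  return before.lastIndexOf('<') > before.lastIndexOf('>') ? 'attribute' : 'text';
}

// Stage 2: choose the smallest payload the surviving delimiters allow.
// Only two contexts are modelled here; a real verifier would carry more.
function choosePayload(context, surviving) {
  const has = (d) => surviving.includes(d);
  if (context === 'text' && has('<') && has('>')) return '<svg onload=alert(0)>';
  if (context === 'attribute' && has('"')) return '" onmouseover=alert(0) x="';
  return null;
}

// Stage 3: confirmation. Stand-in for the headless reload with window.alert
// hooked: accept only if alert(0) ends up in an event-handler attribute.
function confirmed(html) {
  return /<[a-z][^>]*\bon[a-z]+=alert\(0\)/i.test(html);
}

// Run all three stages for one candidate; 'confirmed' is the only field the
// scanner should report on, which is what keeps false positives out.
function verify(name, sink) {
  const { out, surviving } = probe(sink);
  const context = landingContext(out);
  const payload = choosePayload(context, surviving);
  const ok = payload !== null && confirmed(sink(payload));
  return { name, context, surviving, payload, confirmed: ok };
}

function verifyAll(candidates) {
  return Object.entries(candidates).map(([n, s]) => verify(n, s));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of verifyAll(CANDIDATES)) console.log(JSON.stringify(r));
}
```

Running it reports `rawHtml` and `quotedAttr` as confirmed with different minimal payloads and rejects `encoded`, which the probe alone would already have ruled out because no delimiter survives; the point of the third stage is the cases where a delimiter survives but the chosen payload still does not execute.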

neraliu commented 10 years ago

Do you know if there is any testbed or testing URL out there? I want to add those into my functional test.

andresriancho commented 10 years ago

Maybe this one? https://github.com/dmitris/domxsstest

neraliu commented 10 years ago

Thanks, let me check.