| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1305783154.7137.1435.camel@tucbook> Date: Thu, 19 May 2011 07:32:34 +0200 From: Stefano Di Paola <wisec@...ec.it> To: IEhrepus <5up3rh3i@...il.com> Cc: FD <full-disclosure@...ts.grok.org.uk> Subject: Re: DOMinator - The DOMXss Analyzer Tool - is finally public Hey IEhrepus Il giorno mer, 18/05/2011 alle 20.34 -0700, IEhrepus ha scritto: > > DOMinator can't work on firefox 3.6.17? DOMinator consists in a core and an extension. The core is Firefox with some custom c/c++ code in order to add taint flag to JSStrings and deal with taint propagation. So, in order to launch DOMinator you have to download the Linux or Windows version which is a patched Firefox binary. http://code.google.com/p/dominator/downloads/detail?name=DOMinator_firefox_3.6.13_Linux_32Bit.tgz http://code.google.com/p/dominator/downloads/detail?name=DOMinator_firefox_3.6.13_Windows_32Bit.zip and follow the instructions here: http://code.google.com/p/dominator/wiki/InstallationInstructions That means that: *The extension itself is only part of it*. *It won't work without the patched Firefox.* You can have a look at the diff file here: http://code.google.com/p/dominator/downloads/detail?name=DOMinator_diff.txt So I'll have to apply that patch to the source code of FF 3.6.17 compile it. As a side note it has been seen that the Windows version of DOMinator doesn't work on 64 bit OS. I'd suggest the linux version in that case. Cheers Stefano > > hitest > > > 2011/5/18 Stefano Di Paola <wisec@...ec.it> > What is DOMinator? > DOMinator is a Firefox based software for analysis and > identification of > DOM Based Cross Site Scripting issues (DOMXss). > It is the first runtime tool which can help security testers > to identify > DOMXss. > > How it works? > > It uses dynamic runtime tainting model on strings and can > trace back > taint propagation operations in order to understand if a > DOMXss > vulnerability is actually exploitable. > ... > > If you're interested in it continue the reading here: > http://blog.mindedsecurity.com/2011/05/dominator-project.html > > More whitepapers in the next days. > > Cheers > Stefano > > > > -- > ...oOOo...oOOo.... > Stefano Di Paola > Software & Security Engineer > > Owasp Italy R&D Director > > Web: www.wisec.it > Twitter: http://twitter.com/WisecWisec > .................. > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists