Achim,

On Wed, Jul 4, 2012 at 8:49 AM, Achim Hoffmann <webse...@sic-sec.org> wrote:
> Hi Andrés,
>
> Sounds like these are the limits of static code analysis as done by (all)
> most web scanners, unfortunately.

Yes, you're right, but we would be doing dynamic analysis over the
JavaScript for which we have the source code available. It's something that
requires more thinking... maybe we'll come up with a "good" solution that
works in most real-life applications.

> You have to execute the code, somehow as you asked, to get the intended
> behaviour and find the flaws/vulnerabilities then.
>
> Stefano's DOMinator-Firefox can do it. But I guess his solution is not
> usable in w3af.

I'll check the source code to see what they do.

> Sorry for bad news,
> Achim
>
>
> On 04.07.2012 13:15, Andres Riancho wrote:
>> Achim,
>>
>> On Wed, Jul 4, 2012 at 2:31 AM, Achim Hoffmann <webse...@sic-sec.org> wrote:
>>> On 04.07.2012 01:30, Andres Riancho wrote:
>>>> List, Taras,
>>>>
>>>>     I've been thinking a little bit about this RIA crawling problem.
>>>> Let's say we have code that does this (but in real JavaScript, not
>>>> pseudo-code):
>>>>
>>>> """
>>>> <script>
>>>>     foo = 1;
>>>>     function add_one(){
>>>>         if foo == 5:
>>>>             generate_link_and_go_to_it();
>>>>         else:
>>>>             foo += 1;
>>>>     }
>>>> </script>
>>>> <div onmouseover="add_one();">
>>>>     Move your mouse over this text 5 times and you'll see something special
>>>> </div>
>>>> """
>>>>
>>>>     The only way to get to generate_link_and_go_to_it() would be to
>>>> fire 5 mouse over events to the div tag. Is there any way to solve
>>>> this issue in a generic way?
>>>
>>> some browsers support:
>>>
>>>         obj = document.getElementById('div');
>>>         evt = document.createEvent('Events');
>>>         evt.initEvent('mouseover', true, true);
>>>         obj.dispatchEvent(evt);
>>
>> Yes, I'm not worried about the issue of firing events, I'm worried
>> about how (if possible) to trigger the generate_link_and_go_to_it();
>> function. In this specific case, of course it would be running
>> something similar to your code snippet 5 times; but that's only if a
>> user sees the code and decides to do it that way. Here are some ideas
>> on how we could do it:
>>
>> - Bruteforce:
>>     * Find all hooked events
>>     * Fire every event 10 times, or until an event causes a full page reload
>>
>> - "Smart":
>>     * Find all hooked events
>>     * Store original DOM
>>     * Fire event A; if the DOM changes then fire it again until it
>> doesn't change, we have a full page reload or we've reached 10 fired A
>> events
>>
>> The issue then comes with stuff like this where the order of the events 
>> matter:
>>
>> """
>> <script>
>>     clicked_a = false;
>>     function click_a(){
>>         clicked_a = true;
>>     }
>>     function over(){
>>         if clicked_a:
>>             generate_some_link();
>>     }
>> </script>
>> <div onmouseover="over();" id="x">
>>     Move your mouse over this text after clicking
>> </div>
>> <div onclick="click_a();" id="y">
>>     Click this text first
>> </div>
>> """
>>
>>     What now? If we fire 10 mouseover events on div x, and then we
>> fire 10 click events on y, we won't trigger the generate_some_link();
>> function. The paper I quoted in the other thread, the one that talks
>> about the probability of an event triggering a DOM change, might help;
>> it would end up in an algorithm like this:
>>
>>     while not dom_reload( dom ):
>>         all_events = dom.get_events()
>>         event = choose_event_with_highest_probability_of_changing_state( all_events )
>>         dom.fire( event )
>>
>>     Then all the fun is to figure out the heuristics behind
>> choose_event_with_highest_probability_of_changing_state. Any ideas?
>>
>> Regards,
>
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
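The two pages from the thread and both crawling strategies, written out as an added example; this is not code from the mail or from w3af. The browser is replaced by a small in-memory stand-in (`FakePage`) so it runs under Node without a DOM. Everything beyond the thread's sketch is an assumption: "state" is taken to be the script's globals plus the links discovered so far (so `foo += 1` and `clicked_a = true` count as state changes, which a pure DOM diff would miss), `choose_event_with_highest_probability_of_changing_state` is a Laplace-smoothed ratio of state-changing fires to total fires per event, and whenever an event changes the state every other event gets its firing budget back, which is what lets the order-dependent page be solved.

```javascript
// Added example (not w3af code): the two pages from the thread modelled in a tiny
// in-memory stand-in for a browser page, crawled with the "bruteforce" strategy and
// with the probabilistic while-loop sketched at the end of the thread.
// Assumptions (not from the thread): state = script globals + discovered links,
// a Laplace-smoothed "probability of changing state" per event, and a fresh firing
// budget for every other event whenever some event changes the state.

class FakePage {
  constructor() {
    this.globals = {};        // stands in for the page's JS globals (window.*)
    this.links = new Set();   // URLs a generate_link-style handler produced
    this.handlers = [];       // {id, type, fn}: hooked events in document order
  }
  on(id, type, fn) { this.handlers.push({ id, type, fn }); }
  addLink(href) { this.links.add(href); }
  getEvents() { return this.handlers.map(({ id, type }) => ({ id, type })); }
  fire(ev) {
    for (const h of this.handlers) if (h.id === ev.id && h.type === ev.type) h.fn(this);
  }
  // Serialised state; any difference before/after a fire counts as "the state changed".
  snapshot() {
    return JSON.stringify({ globals: this.globals, links: [...this.links].sort() });
  }
}

// Page 1 from the thread: the link appears only on the 5th mouseover.
function counterPage() {
  const p = new FakePage();
  p.globals.foo = 1;
  p.on('div', 'mouseover', pg => {
    if (pg.globals.foo === 5) pg.addLink('/special'); // generate_link_and_go_to_it()
    else pg.globals.foo += 1;
  });
  return p;
}

// Page 2 from the thread: mouseover on x does something only after a click on y.
function orderPage() {
  const p = new FakePage();
  p.globals.clicked_a = false;
  p.on('x', 'mouseover', pg => { if (pg.globals.clicked_a) pg.addLink('/some-link'); });
  p.on('y', 'click', pg => { pg.globals.clicked_a = true; });
  return p;
}

// "Bruteforce": every hooked event, 10 times, in document order.
function bruteForceCrawl(page, maxPerEvent = 10) {
  let fired = 0;
  for (const ev of page.getEvents()) {
    for (let i = 0; i < maxPerEvent; i++) { page.fire(ev); fired++; }
  }
  return { links: [...page.links].sort(), fired };
}

const key = ev => `${ev.id}:${ev.type}`;

// "Smart": the while-loop from the thread, with one concrete heuristic for
// choose_event_with_highest_probability_of_changing_state().
function smartCrawl(page, maxPerEvent = 10, maxTotal = 100) {
  const stats = new Map();   // key -> { fired, changed }; fired resets on state changes
  const statFor = ev => stats.get(key(ev)) ||
    stats.set(key(ev), { fired: 0, changed: 0 }).get(key(ev));
  // Laplace-smoothed estimate, so an event that was never fired still scores 0.5.
  const score = ev => { const s = statFor(ev); return (s.changed + 1) / (s.fired + 2); };
  const trace = [];
  let fired = 0;
  while (fired < maxTotal) {
    const candidates = page.getEvents().filter(ev => statFor(ev).fired < maxPerEvent);
    if (candidates.length === 0) break;
    let best = candidates[0];
    for (const ev of candidates) if (score(ev) > score(best)) best = ev; // first wins ties
    const before = page.snapshot();
    page.fire(best);
    fired++;
    const s = statFor(best);
    s.fired++;
    const changed = page.snapshot() !== before;
    if (changed) {
      s.changed++;
      // New state: handlers that did nothing before (like over() before the click)
      // may now do something, so give every other event its budget back.
      for (const [k, other] of stats) if (k !== key(best)) other.fired = 0;
    }
    trace.push(`${key(best)} ${changed ? 'changed state' : 'no change'}`);
  }
  return { links: [...page.links].sort(), fired, trace };
}

console.log('bruteforce, counter page:', bruteForceCrawl(counterPage()));
console.log('bruteforce, order page:  ', bruteForceCrawl(orderPage()));
console.log('smart, counter page:     ', smartCrawl(counterPage()).links);
console.log('smart, order page:       ', smartCrawl(orderPage()).links);
```

Run it with `node` and the trace of `smartCrawl(orderPage())` shows the sequence the thread is after: ten mouseovers on x would be wasted, but the first click on y changes `clicked_a`, x's budget is restored, and the next mouseover on x produces the link. Brute force in document order finds the counter page's link (ten mouseovers) and, exactly as the mail says, never finds the order page's link. The budget reset is what makes this loop terminate only when no event has changed the state within its last `maxPerEvent` fires, so `maxTotal` is the safety cap for pages whose state keeps changing.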

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop