Ra.2 – Blackbox DOM-based XSS Scanner is our approach to the problem of detecting DOM-based Cross-Site Scripting vulnerabilities in web applications automatically, effectively and quickly.
Ra.2 is a lightweight Mozilla Firefox add-on that uses a simple yet effective approach to detect most, if not all, DOM-based XSS vulnerabilities.
Being a browser add-on, it is a session-aware tool that can scan a web application requiring authentication, although the user must authenticate to the application manually before scanning. Ra.2 uses a custom-collected list of XSS vectors that has been heavily modified to be compatible with its scanning technique. The add-on also implements basic browser instrumentation to simulate human interaction, which triggers some hard-to-detect DOM-based XSS conditions.
1. Download the “ra.two.xpi” file and install it in Mozilla Firefox. We have tested it and found it working on Mozilla Firefox version 3.6.0 running on Windows 7 64-bit. Your mileage may vary.
2. Download the archive “vectors.zip”. Extract its contents (“xss.txt”) to a folder. Rename the folder “xss” and copy it to the root of “C:”. The resulting path should be “C:\xss\xss.txt”.
3. Download the archive “reporting-tool.zip”. Extract its contents to the webroot of your Apache server. We have tested it using the XAMPP package (http://www.apachefriends.org/en/xampp.html); in our case the path is “C:\xampp\htdocs\xss”.
4. Finally, import the database schema into MySQL via phpMyAdmin; the reporting tool requires it.
5. The tool should now be ready to use. If you find anything not working or buggy, please email us or raise a ticket at http://code.google.com/p/ra2-dom-xss-scanner/issues/list
Download versions:
Mac OS X Ra.2 DOM XSS Scanner – Mozilla Add-On Installer: ra2-osx-mLion.zip (86.4 KB)
Windows Ra.2 DOM XSS Scanner – Mozilla Add-On Installer: ra.two.xpi (70.1 KB)
Mozilla Extension (Manual Installer): add-on-installer.zip (330 bytes)
Read more here: http://hacksafe.blogspot.com/