Skip to content
/ DOM-Auditor Public

Security auditing tool designed to detect potential vulnerabilities in your web application by scanning HTML and JavaScript files.

License

GPL-3.0 license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

b0llull0s/DOM-Auditor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
DOM-Auditor.py
DOM-Auditor.py
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

DOM-Auditor

DOM-Auditor is a security auditing tool designed to detect potential vulnerabilities in your web application by scanning HTML and JavaScript files. It uses AST (Abstract Syntax Tree) for deep JavaScript analysis and regex-based checks to identify common dangerous patterns and potential DOM clobbering issues. The tool can help developers identify issues related to DOM manipulation, XSS (Cross-Site Scripting), and unsafe user input handling.

Current Features

  1. ID and Name Attribute Extraction: Extracts IDs and names from HTML files.
  2. Inline Event Handler Detection: Detects inline event handlers.
  3. AST-based Analysis: Deep analysis of JavaScript files using AST to find unsafe assignments and track user input flow.
  4. Regex-based Detection: Identifies patterns such as eval(), innerHTML, setTimeout(), etc.
  5. DOM Clobbering Detection: Detects variable clashes between JS and HTML files.
  6. Recursive Scanning: Supports scanning an entire folder for .html and .js files.

Installation

  1. Clone the repository:

    git clone https://github.com/b0llull0s/DOM-Auditor

  2. Install Dependencies:

    Ensure you have Node.js installed. Then, install the necessary Node.js package (Esprima) for AST parsing:

    npm install esprima

  3. Run the Tool:

    You can run the tool on any folder containing your HTML and JS files by executing the following commands:

    # Make sure to give executable permissions
chmod +x DOM-Auditor.py
# Run it
python3 DOM-Auditor.py

Important

Make sure to set the correct folder path in the script for analysis.

Possible Improvements

1. Advanced Data Flow Analysis

  • Improve user input tracking by identifying all possible sources of user input (document.getElementById(), window.location, etc.) and tracing its path through the application.
  • Implement a taint-tracking system to ensure the tool can handle more complex cases of data flow across multiple functions and files.

2. Handling Minified/Obfuscated Code

  • Add support for de-obfuscating or prettifying minified or obfuscated JavaScript to improve detection accuracy.

3. Extending to Other Vulnerabilities

  • Add checks for other common vulnerabilities like SQL Injection patterns or SSRF (Server-Side Request Forgery).

4. Support for More JavaScript Features

  • Improve support for modern JavaScript features (e.g., async/await, arrow functions, etc.).
  • Detect issues specific to modern frameworks (e.g., React, Vue, Angular).

About

Security auditing tool designed to detect potential vulnerabilities in your web application by scanning HTML and JavaScript files.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages