
Qualys Boosts Web App Security with New DOM XSS Detection

Qualys strengthens web app security with automatic DOM XSS detection. This new feature helps teams identify and fix a significant vulnerability, improving overall security.


Qualys Web Application Scanning (WAS) has bolstered its security capabilities with a new mechanism to detect DOM-based Cross-Site Scripting (DOM XSS) vulnerabilities. This enhancement, recently added by Palo Alto Networks, helps security teams tackle a significant threat, as XSS is ranked third in the OWASP top 10 list.

Qualys WAS's DOM XSS detection operates in two phases: taint propagation and exploitation. In the first phase, the system tracks strings passed from potential sources to sinks to identify potential DOM XSS vulnerabilities. The second phase involves a smart exploitation sub-engine that injects JavaScript into the suspected sink and detects its execution, improving coverage and accuracy with fewer false positives.

The new DOM XSS detection mechanism works automatically, requiring no special setup or knowledge. It reports vulnerabilities with QID 150076, providing details to aid development teams in fixing issues. The tool indicates the location of any XSS bugs found in your code, facilitating remediation. DOM XSS vulnerabilities arise when client-side script takes attacker-controlled input and writes it into the Document Object Model (DOM), or runs it directly as JavaScript, so that the injected code executes in the user's browser.
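To make the source-to-sink idea from the taint propagation phase concrete, here is an added example (not Qualys code, and not how the WAS engine is implemented): a toy, line-oriented taint check that flags JavaScript lines writing data derived from a DOM XSS source into a dangerous sink. The source and sink lists, the `findDomXssFlows` function and the sample page script are all constructed for this illustration.

```javascript
// Added example, not Qualys code: a toy source-to-sink taint check in the spirit
// of the "taint propagation" phase described above. It is line-oriented and
// regex-based (no real JavaScript parser), so it only illustrates the idea.
const SOURCES = ['location.hash', 'location.search', 'location.href',
                 'document.referrer', 'window.name'];
const SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML',
               'document.write', 'eval'];
// `x = ...`, `const x = ...`, `let x = ...`, `var x = ...` (not `==`/`===`)
const ASSIGN = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$/;
const word = (id) => new RegExp(`\\b${id.replace('.', '\\.')}\\b`);

// Returns [{line, sink, source}] for every line that writes a value derived
// from a DOM XSS source into a dangerous sink.
function findDomXssFlows(code) {
  const tainted = new Map(); // variable name -> originating source
  const findings = [];
  code.split('\n').forEach((line, idx) => {
    const m = line.match(ASSIGN);
    if (m) { // propagate taint through assignments
      const [, name, rhs] = m;
      const direct = SOURCES.find((s) => rhs.includes(s));
      const viaVar = [...tainted.keys()].find((v) => word(v).test(rhs));
      if (direct) tainted.set(name, direct);
      else if (viaVar) tainted.set(name, tainted.get(viaVar));
      else tainted.delete(name); // clean reassignment kills the taint
    }
    for (const sink of SINKS) { // does a tainted value reach a sink here?
      const at = line.search(word(sink));
      if (at < 0) continue;
      const tail = line.slice(at + sink.length); // text written into the sink
      const direct = SOURCES.find((s) => tail.includes(s));
      const viaVar = [...tainted.keys()].find((v) => word(v).test(tail));
      if (direct || viaVar) {
        findings.push({ line: idx + 1, sink, source: direct || tainted.get(viaVar) });
      }
    }
  });
  return findings;
}

// Constructed sample: the same page script before and after the fix.
const VULNERABLE = [
  "const name = decodeURIComponent(location.hash.slice(1));",
  "const greeting = 'Hello ' + name;",
  "document.getElementById('out').innerHTML = greeting;", // HTML sink
].join('\n');
const FIXED = VULNERABLE.replace('.innerHTML', '.textContent'); // text-only sink

console.log(findDomXssFlows(VULNERABLE)); // one finding: line 3, from location.hash
console.log(findDomXssFlows(FIXED));      // []
```

The check models only phase one (a tainted string reaching a sink); the exploitation phase the article describes is what confirms such a finding is actually executable.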

With the expanded DOM XSS detection capabilities, Qualys WAS offers security teams complete coverage of an important class of vulnerabilities, helping to protect web applications from potential attacks.
