theunreplicated / domsnitch Goto Github PK

What steps will reproduce the problem?
1. enable DOM Snitch and set to passive mode
2. access facebook. log-in.
3. click on the notifications of messages button

What is the expected output? What do you see instead?
The notification or messages flyout should load but page just refreshes

What version of the product are you using? On what operating system?


Please provide any additional information below.
This also happens when viewing your saucelabs dashboard. 
https://saucelabs.com/account/dashboard.
switching from pass rates to minutes will just refresh the page.

What steps will reproduce the problem?
1. After installing and enabling the domsnitch extension in Chrome, go to 
Google Comparison Ads -> Mortgage -> Refinance
2. Enter criteria and receive results.
3. Click Email Lender link to bring up a virtual pop-up with a web form that 
prompts for name, email address and a message. When about to enter anything in 
the form, the popup disappears and causes the page to refresh also.

What is the expected output? What do you see instead?
The popup should not disappear and not be impacted in any other way until the 
user fills in the form and clicks Send.

What version of the product are you using? On what operating system?
Chrome 12.0.742.100 on Windows 7 Professional 64 bit

Please provide any additional information below.
http://www.google.com/support/forum/p/Chrome/thread?tid=223c8e18fa6ea257&hl=en

What steps will reproduce the problem?
1. Enable DOM Snitch
2. Open google.com
3. Look at DOM Snitch output. It found Untrusted code vulnerability (see 
http://i.stack.imgur.com/oriy5.png)

What is the expected output? What do you see instead?
Expected: There is no Untrusted code vulnerability
Actual: When opening google.com, DOM Snitch sends many requests (see 
http://i.imgur.com/V8UF2.png). Maybe, then it calls it Untrusted code

What version of the product are you using? On what operating system?
DOM Snitch v0.740, Windows 7 64 bit

Additional information:
Previously I asked this question at 
http://security.stackexchange.com/q/11696/5501

What steps will reproduce the problem?
1.  Working in ZenDesk 
2.  uFile.ca -- site unusable
3.  SavvisStation -- ISP control panel
4. facebook (? sometimes expanding comments)

Disable DOM Snitch and the sites behave as expected.
What is the expected output? What do you see instead?
 Pages reloading -- partial load of target page and reload of calling page
 websites having issues with session

What version of the product are you using? On what operating system?
Latest chrome 25 on OS X mountain lion 

Please provide any additional information below.

What steps will reproduce the problem?
1. Visit a site that uses something similar to "return false;" on click events 
in jQuery
2. Click a link that has Javascript rewrite the link and block the default link 
from occurring

Two examples:
Facebook.com - If you click the icon in the top left that shows your 
notifications while DOM Snitch is enabled, the drop down will appear, and then 
the page will take you to the notifications page.  This is not normal - disable 
DOM Snitch and clicking the icon will only show the drop down, not take you 
anywhere.

Expensify.com - On the home page when not logged in, there is an arrow pointing 
to the right that allows the headline product features to scroll right.  With 
DOM Snitch enabled, clicking will start the animation and then the page will 
reload.  With DOM Snitch disabled, clicking will start the animation and then 
nothing further will happen.

What version of the product are you using? On what operating system?
On Chrome 12.0.742.100 on Mac OSX 10.6.7, using DOM Snitch version 0.706.

Please provide any additional information below.

[deleted issue]

What steps will reproduce the problem?
1. Download | Install latest version, .717
2. Load URL http://cloudscan.org

What is the expected output? What do you see instead?

I run DOMSnitch against the URL http://cloudscan.org and see the output that 
says an untrusted source....  when I export to TXT | Doc.. the output it empty.

What version of the product are you using? On what operating system?

UA = 13.0.782.218 m, OS = Windows 2008 R2 Server 64 Bit, untested on other OS 
platforms.

Please provide any additional information below.

Global.URL for baseline transaction = http://cloudscan.org and results are 
posted in Issue #21, DOMSnitch still not fingerprinting the issues with no 
output for an exported record to TXT | Doc.

What steps will reproduce the problem?
1. Make a page that sets document.cookie on the top level during page load 
script parsing and execution.
2. Turn on all DOMSnitch modules
3. Reload page

What is the expected output? What do you see instead?

An error occurs in line 66 of an unknown JS file.  Code is as follows:

DOMSnitch.Modules.Document.prototype.generateGlobalId = function(type) {
  // Generate unique, yet reproducible global ID
  var caller = arguments.callee.caller.caller.toString(); // line 66
  var token = caller.length > 50 ? caller.substring(0, 50) : caller;

  var baseUrl = document.location.origin + document.location.pathname + "#";
  var gid = baseUrl + type + "/" + token.replace(/\s/gg, "") + "-" + caller.length;

  return gid;
}

arguments.callee.caller ends up referencing the top level function, so 
arguments.callee.caller.caller is null.  I suspect code needs to be added to 
account for this edge case and generate a unique ID ("null" would probably be 
sufficient).

What version of the product are you using? On what operating system?

I downloaded the latest CRX download.  Version 0.706

Please provide any additional information below.

Google Chrome   14.0.798.0 (Official Build 89770) canary
OS  Windows
WebKit  535.1 (trunk@89232)
JavaScript  V8 3.4.4
Flash   10,3,181,26
User Agent  Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) 
Chrome/14.0.798.0 Safari/535.1
Command Line    "C:\Documents and Settings\dbugglin\Local Settings\Application 
Data\Google\Chrome SxS\Application\chrome.exe" --allow-file-access-from-files 
--disable-flash-sandbox --enable-timeline-extension-api 
--remote-debugging-port=1337 --flag-switches-begin --enable-click-to-play 
--enable-compact-navigation --conflicting-modules-check 
--enable-crxless-web-apps --no-pings --disable-interactive-form-validation 
--enable-nacl --experimental-location-features 
--enable-experimental-extension-apis --focus-existing-tab-on-open 
--ignore-gpu-blacklist --indexeddb-use-leveldb --multi-profiles 
--new-tab-page-4 --enable-p2papi --ppapi-flash-in-process 
--preload-instant-search --enable-remoting --enable-tab-groups-context-menu 
--enable-vertical-tabs --enable-webaudio --flag-switches-end
Executable Path C:\Documents and Settings\dbugglin\Local Settings\Application 
Data\Google\Chrome SxS\Application\chrome.exe
Profile Path    C:\Documents and Settings\dbugglin\Local Settings\Application 
Data\Google\Chrome SxS\User Data\Default

What steps will reproduce the problem?
1. Open a Spreadsheet or Drawing from your Google Docs list (Documents appear 
not to be affected)
2. Wait for the page load indicator to stop spinning
3. Keep waiting...

What is the expected output? What do you see instead?
The page load indicator should clear, demonstrating that page load was 
completed.

What version of the product are you using? On what operating system?
DOMSnitch 0.706, Google Chrome 12.0.742.100, Windows 7 SP1

Please provide any additional information below.

> What steps will reproduce the problem?

1. Download chrome Version 23 or higher

2. checkout the SVN version of domsnitch

3. Attempt to load domsnitch from the SVN 
( chrome://chrome/extensions/ >> "Load Unpacked Extensions" )

> What is the expected output? What do you see instead?

The expected output is to load the extension, instead you will recieve the 
following message:

Could not load extension from '/home/syn/domsnitch-read-only'. The 
'manifest_version' key must be present and set to 2 (without quotes). See 
developer.chrome.com/extensions/manifestVersion.html for details.

> What version of the product are you using? On what operating system?

SVN, Linux, Chrome Version 23.0.1271.91

> Please provide any additional information below.

Merely adding "manifest_version": 2 does not work to resolve the issue.

What steps will reproduce the problem?
1. Enabling domsnitch
2. Reload Webmin page
3. N/A

What is the expected output? What do you see instead?
Sub menus are to open and from subs open page in frame

What version of the product are you using? On what operating system?
Ubuntu 10.04.1 LTS server
Webmin 1.550

Please provide any additional information below.
Servers are being accessed on local networks via ip address

Disabling domsnitch and reloading page restores function of menu's

What steps will reproduce the problem?
1. Load URL http://cloudscan.org
2. Script Code from document.location executes via DOM manipulation by 
innerHTML property in https://a12.alpha.godaddy.com
3. Can also use DOMinator from OWASP to see same, Acunetix etc..

What is the expected output? What do you see instead?
Expected to fingerprint DOM-XSS in document.location path part at innerHTML and 
also vuln are location.ToString and referrer.

What version of the product are you using? On what operating system?
I am using Windows 2008 R2 Server 64bit with Chrome 12.0.742.122 and 
the download for DOMSnitch.. great tool!

This is a False Negative report on the assumption that is should be 
fingerprinting on innerHTML.. but perhaps I am reading your spec wrong.

Sorry of this is noise...

I see a balloon telling: "DOM Snitch has crashed. Click this balloon to reload 
the extension."
When I reload the extension using the balloon/extension page. it crashes again.

Linux 2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64 
x86_64 GNU/Linux
Google Chrome 13.0.782.24 beta
domsnitch v0.707

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. Enable win.eval hook
2. Execute evel within the context of a function, not a window, and reference 
variables that are only valid within the function context

What is the expected output? What do you see instead?

eval command should work

What version of the product are you using? On what operating system?

eval is executed within the context of the window

Please provide any additional information below.

function x() {
  var y = 1;

  try {
    eval("y++");
  } catch(e) {}
}
var z = new x();

Not sure if the try/catch block or function creation matters.

What steps will reproduce the problem?
1. Run app via chrome with domsnitch enabled
2. Running in debug mode (Visual Studio) helps to see the issue.

What is the expected output? What do you see instead?
Page_Load in app's codebehind file should only be called once.

What version of the product are you using? On what operating system?
v0.740, Windows 7

Please provide any additional information below.
It seems to be due to the href'less anchors in the "Dom snitch is currently 
running" message. After Domsnitch is disabled or the notification is dismissed 
permanently this behavior no longer occurs.

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

There should be a filter that restricts the input method.  For instance I am 
getting a lot of reports of dom based xss via cookie value,  and I don't care 
because this isn't exploitable.  Some people might care, so there should be a 
configuration option.  I have noticed that referer is also very common,  and it 
might be nice to filter for that as well.

What steps will reproduce the problem?
1. Tried to make reservations at Marriott.com, caused endless loop of inputting 
info without getting results
2. Slowing download of various sites
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
Chrome,version 12.0.742.100
Vista,is my operating system
Please provide any additional information below.

Having problems with Snitch stopping & slowing downloads? 

When using the Command-Click shortcut in Chrome on OSX while DOM-Snitch is 
enabled, the shortcut key opens the link in the current tab and opens a 
background tab with the link URL.  The shortcut should not open the link in the 
current tab, only in the new background tab.

When I click a link with a URL of #, and an onclick javascript call, I get 
redirected to the default page

What steps will reproduce the problem?
1. Go to http://www.mysite.com/reports.aspx
2. Click a link with an href of "#" and an onclick event.

What is the expected output? What do you see instead?
I expect my javascript to run and update the page.  Instead I end up redirected 
to http://www.mysite.com/#

What version of the product are you using? On what operating system?
Windows 7 Professional, Google Chrome 12.0.742.100, domsnitch 0.706.

Other information - Other javascript events (an onchange on a dropdown and a 
doubleclick on a span tag) don't cause the same behavior.  If I take the 
href="#" out of the anchor tag, it just reloads the current page.

What steps will reproduce the problem?
1. Install or Enable DOM Snitch
2. Any mode works (Passive, Invasive, Standby)
3. Click, Ctrl+Click, Middle Mouse Click a link

What is the expected output? What do you see instead?
Modifier + Click :
  Expect that the link will open solely in new tab/window.
  Instead current window navigates to the link as well.
Click with href="" and onclick="return false" handling :
  Expect that anchor does nothing.
  Instead current window reloads page.

What version of the product are you using? On what operating system?
DOM Snitch  0.706
Chrome 13.0.782.32 beta-m
Windows 7 x64

Please provide any additional information below.
The onclick handler mentioned above is actually a function that displays a 
popup menu and then returns false, e.g. onclick="return popup()"

What steps will reproduce the problem?
1. Visit a web page, such as "http://mydomain.com/showLog.do"
2. Click on a link, which refers to an anchor such as "<a href="#abc">"

What is the expected output? What do you see instead?
> The browser should call the url "http://mydomain.com/showLog.do#abc" 
> Instead it redirects to "http://mydomain.com/#abc"

What version of the product are you using? On what operating system?
> DOM Snitch - Version: 0.706
> Google Chrome 12.0.742.100
> OS: Windows 7

Please provide any additional information below.

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. Install the extension
2. Mine was set to Passive mode, don't know if that's required
3. Middle click on a link

What is the expected output? What do you see instead?
I expect that a new tab containing the clicked on link is created and the 
current page stays the same. With the extension installed, the new tab is 
opened, but the current page navigates to the link target as well. So you end 
up with two pages both pointing to the clicked on link.

What version of the product are you using? On what operating system?
Extension: v0.706
Chrome: 12.0.742.100
OS: Windows 7 SP1, 64bit

What steps will reproduce the problem?
1. Disable the DB so it doesn't contribute to the memory consumption (though 
it's in the BG page)
2. Visit lots of pages
3. In the chrome task manager, watch memory consumption climb

What is the expected output? What do you see instead?
Flat memory usage.

What version of the product are you using? On what operating system?
Seen on Chrome in Mac and Linux; DS 0.743

Please provide any additional information below.
I was about to try to diagnose myself and saw Google has a JS memory profiler, 
so I thought I'd punt over to you as a Googler.  :-)

DOMSnitch is not catching a simple test where location.search.substring(1); 
makes it's way to an innerHTML.

Test case is up here http://nottrusted.com/test/dom.html?x=y

Or to get an onmouseover event in: 
http://nottrusted.com/test/dom.html?x=aa%3Ca%20href%3d%27a%27%20onmouseover=%27a
lert%281%29%27%3Eref%3C/a%3E

I used DOMinator which caught this and expected DOMSnitch to do the same.  

What steps will reproduce the problem?
1. Enable domsnitch
2. Load Hacker News
3. Upvote

What is the expected output? What do you see instead?
I expect to upvote with the JavaScript link.  Instead, Chrome takes me to a 
http://news.ycombinator.comvote/?2495... URL.

What version of the product are you using? On what operating system?
Chrome on Linux 12.0.742.100

Please provide any additional information below.
I installed domsnitch as I saw it released, and assumed since it is described 
as 'passive' that I could leave it installed & enabled (as I do with the Web 
Developer and other dev plugins).  However, I have noticed random errors and 
slower page load times.  I would just recommend mentioning in the docs that 
it's not an extension to leave enabled for normal browsing.

Otherwise -- Thanks for another great product, I'm sure I'll be using it often!

What steps will reproduce the problem?
1. Open the attached file in a webbrowser.
( Issue only occures only if it the file is called on a webserver. If the file 
is called directly everything works fine. )
2. Click on the Link and on the button with domsnicht disabled
3. Click on the Link and on the button with domsnicht enabled

What is the expected output? What do you see instead?
The href entry of the LINK is called. Instead no href should be called
because of "return false" in the javascript onClick block.

What version of the product are you using? On what operating system?
Windows 7 Prof
Chrome Version: 13.0.782.24 beta-m
Dom Snicht Version: 0.706 
Apache/2.2.14 (Win32)

Please provide any additional information below.
 - Passive Mode
 - Module: iframe.src

[deleted issue]