Untangling the DOM for More Easy-Juicy Bugs

Explore a powerful approach to uncovering DOM-based vulnerabilities in modern web applications through this Black Hat conference talk. Delve into the challenges posed by JavaScript-heavy applications for penetration testers and scanners, and discover how dynamic analysis can reveal client-side attacks like DOM XSS, insecure WebSocket usage, and problematic global variables. Learn about Hookish!, an open-source Chrome extension that overrides DOM properties to expose critical security insights. Gain hands-on experience with Dom Flow, a feature allowing intuitive visualization of data flow between sources and sinks, enabling deeper understanding of application behavior and facilitating the discovery of hidden DOM-based bugs. Equip yourself with advanced techniques to conduct more effective penetration tests on complex web applications and stay ahead of evolving security challenges.