tracy v0.7.1 releases: finding all sinks and sources of a web application
tracy is a browser extension and light-weight HTTP proxy that records all user input to a web application and monitors any time those inputs are output, for example in a DOM write, server response, or call to eval.
tracy was written with the goal of eliminating XSS by assisting a penetration tester in identifying every source of input into an application and following that input to all of its sinks. These cases are documented and stored as references that can be used to identify the locations of potentially risky input.
How it works
While browsing a web application, a user flags particular input they would like to be traced. The extension marks this input with a reference and documents any time this reference is seen in a server response, written to the DOM, or used in one of the other dangerous methods mentioned above.
The extension makes use of a light-weight proxy to monitor server responses and a MutationObserver to monitor DOM writes. Additionally, the extension proxies a few functions that are considered dangerous (such as eval) and checks whether these functions are executing arguments that contain one of the collected references.
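The two client-side mechanisms described above, proxying dangerous functions and observing DOM writes, as an added JavaScript example. This is not tracy's own code: the reference strings, the `REFERENCES` list, the `report` callback shape and the stand-in host object in `demo()` are all constructed for this illustration. The sink wrapper uses an ES `Proxy` with both an `apply` trap (for `eval(code)` and `setTimeout("code", ms)`) and a `construct` trap (for `new Function("code")`), since a call-only trap would miss the constructor form; the DOM part uses the real `MutationObserver` API and simply returns `null` outside a browser so the module still loads under Node.

```javascript
// Added example, not tracy's own code: the sink-monitoring idea in miniature.
// References are the tags a tester attaches to tracked inputs; sinks are the
// dangerous functions whose arguments are inspected for those tags.

// Constructed sample references (tracy generates its own; these are made up).
const REFERENCES = ["TRACY-a1b2c3", "TRACY-d4e5f6"];

// Return every reference that appears in a value once it is stringified.
function findReferences(value, references = REFERENCES) {
  const text = typeof value === "string" ? value : String(value);
  return references.filter((ref) => text.includes(ref));
}

// Wrap one sink with a Proxy. The apply trap covers eval(code) and
// setTimeout("code", ms); the construct trap covers new Function("code").
// Each hit is reported to the caller, then the original call proceeds
// unchanged, so the page keeps working while being observed.
function wrapSink(fn, sinkName, report, references = REFERENCES) {
  const inspect = (args) => {
    args.forEach((arg, argIndex) => {
      const hits = findReferences(arg, references);
      if (hits.length > 0) {
        report({ sink: sinkName, argIndex, references: hits, sample: String(arg).slice(0, 80) });
      }
    });
  };
  return new Proxy(fn, {
    apply(target, thisArg, args) {
      inspect(args);
      return Reflect.apply(target, thisArg, args);
    },
    construct(target, args, newTarget) {
      inspect(args);
      return Reflect.construct(target, args, newTarget);
    },
  });
}

// Replace the named sinks on a host object (window in a browser) with wrappers.
function instrumentSinks(host, report, sinkNames, references = REFERENCES) {
  for (const name of sinkNames) {
    if (typeof host[name] === "function") {
      host[name] = wrapSink(host[name], name, report, references);
    }
  }
}

// Browser-only: flag DOM writes (new nodes, text changes, attribute changes)
// whose content contains a reference. Returns null outside a browser.
function observeDomWrites(root, report, references = REFERENCES) {
  if (typeof MutationObserver === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      let text = "";
      if (m.type === "characterData") text = m.target.data;
      else if (m.type === "attributes") text = m.target.getAttribute(m.attributeName) || "";
      else text = Array.from(m.addedNodes).map((n) => n.outerHTML || n.textContent).join("");
      const hits = findReferences(text, references);
      if (hits.length > 0) report({ sink: "DOM:" + m.type, references: hits, sample: text.slice(0, 80) });
    }
  });
  observer.observe(root, { childList: true, subtree: true, characterData: true, attributes: true });
  return observer;
}

// Stand-alone demo against a fake host whose "sinks" are harmless stand-ins
// for eval and Function (constructed for this example; nothing is evaluated).
function demo() {
  const findings = [];
  const host = {
    eval: (code) => code.length,
    Function: function (code) { this.code = code; },
  };
  instrumentSinks(host, (f) => findings.push(f), ["eval", "Function"]);
  host.eval("var greeting = 'hello';");                   // clean: no report
  host.eval("var q = '" + REFERENCES[0] + "';");          // tagged input reached eval
  new host.Function("return '" + REFERENCES[1] + "';");   // tagged input reached Function
  return findings;                                        // two findings
}
```

In a real extension the wrappers would be installed on `window` from a content script that runs before page scripts, and `observeDomWrites(document.documentElement, report)` would be started at the same point; the `report` callback is where the extension would persist the finding alongside the originating input.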
It no longer requires a binary or proxy configuration. Install tracy from either the Firefox or Chrome extension store and you are good to go to begin finding XSS. Click the tracy icon to view the UI. Throughout the migration, lots of things were changed and fixed, so I am not going to log them here. The main things are the extension migration and a UI update. Tracy also shows a screenshot of the input source.
Copyright (c) 2018 NCC Group Plc