tracy v0.6.1 releases: finding all sinks and sources of a web application


A pentesting tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner. tracy should be used during the mapping-the-application phase of the pentest to identify sources of input and their corresponding outputs. tracy can use this data to intelligently find vulnerable instances of XSS, especially with web applications that use lots of JavaScript.

tracy is a browser extension and light-weight HTTP proxy that records all user input to a web application and monitors any time those inputs are output, for example in a DOM write, server response, or call to eval.

tracy was written with the goal of eliminating XSS by assisting a penetration tester in identifying every source of input into an application and following that input to all of its sinks. These cases are documented and stored as references that can be used to identify the locations of potentially risky input.


How it works

While browsing a web application, a user flags particular input they would like to be traced. The extension marks this input with a reference and documents any time this reference is seen in a server response, written to the DOM, or used in one of the other dangerous methods mentioned above.

The extension makes use of a light-weight proxy to monitor server responses and MutationObserver to monitor DOM writes. Additionally, the extension proxies a few functions that are considered dangerous and checks to see if these functions are executing arguments that contain one of the collected references.
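
The reference-tracking idea described above, as an added example that is not tracy's own code: a registry issues inert reference strings, scans response text for them, and wraps a function with a JavaScript Proxy so that calls whose arguments contain a reference are recorded before being passed through. TracerRegistry, wrapSink, fakeSink and the sample request and response are hypothetical and constructed; DOM observation is left out because MutationObserver only exists in a browser.

```javascript
// Added example; TracerRegistry, wrapSink and fakeSink are hypothetical names,
// not tracy's API.
class TracerRegistry {
  constructor() {
    this.tracers = new Map(); // reference string -> source it was injected into
    this.events = [];         // every later sighting of a reference
    this.counter = 0;
  }
  // Issue a unique, inert reference string for one source of input.
  create(source) {
    const ref = `trc${++this.counter}x${Math.random().toString(36).slice(2, 10)}`;
    this.tracers.set(ref, source);
    return ref;
  }
  // Look for known references in any text and record where they appeared.
  scan(text, sink) {
    const s = String(text);
    for (const [ref, source] of this.tracers) {
      const idx = s.indexOf(ref);
      if (idx === -1) continue;
      const context = s.slice(Math.max(0, idx - 20), idx + ref.length + 20);
      this.events.push({ ref, source, sink, context });
    }
  }
  // Wrap a function so string arguments are checked, then the call proceeds unchanged.
  wrapSink(fn, name) {
    const registry = this;
    return new Proxy(fn, {
      apply(target, thisArg, args) {
        for (const arg of args) {
          if (typeof arg === "string") registry.scan(arg, name);
        }
        return Reflect.apply(target, thisArg, args);
      },
    });
  }
}

// Constructed demo: a stand-in function and a fake server response body.
function demo() {
  const reg = new TracerRegistry();
  const ref = reg.create("GET /search?q=");
  const fakeSink = reg.wrapSink((code) => code.length, "fakeSink");
  reg.scan(`<p>Results for ${ref}</p>`, "server response");
  const passedThrough = fakeSink(`render("${ref}")`);
  fakeSink("render('static')"); // no reference present, so nothing is recorded
  return { ref, passedThrough, events: reg.events };
}
```

Each recorded event pairs the source a reference was injected into with the sink where it reappeared, plus a short window of surrounding text for judging the output context.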

Changelog v0.6.1


This is probably the final version of tracy with a proxy. We are currently migrating away from the whole proxy model and moving everything into the browser extension. We found that a lot of people had issues with the setup and it turns out that maintaining pretty much a fully functioning proxy is a pain. In the future, all of the proxy code will no longer be needed as those features can be performed in the browser extension. If you enjoyed the proxy workflow, speak now or forever hold your peace.

The new flow will still have an API and database. The API will always be able to run locally; however, we hope to have a database on the internet for easy setup. The next release should hopefully be as easy as installing the extension and beginning to trace. We hope to also have a new UI and support for team tracing.


  • Add a small caching layer to make things a bit faster for people with larger databases
  • UI printout of memory for people concerned about tracy taking up too much memory
  • Request/Response size cap. Please don’t put tracy payloads in requests larger than 1MB
  • Updates to the extension to fix CORB issues
  • Probably other things


Copyright (c) 2018 NCC Group Plc