XnlReveal: Chrome browser extension to show alerts for relfected query params, show hidden elements
XnlReveal
This is a Chrome Extension that can do the following:
- Show an alert for any query parameters that are reflected.
- Show the Wayback Archive endpoints for the path visited
- Show any hidden elements on the page.
- Enable any disabled elements on the page.
The first point was inspired by a comment by @renniepak on Episode 42 of the Critical Thinking – Bug Bounty Podcast where he mentioned he had his own browser extension that let him know about any reflections.
The third and fourth points were inspired by this Tweet by Critical Thinking – Bug Bounty Podcast which I initially created as browser bookmarks.
Settings
Options Page
If you right-click the Xnl Reveal logo in the toolbar and select Options, you will be taken to the Options page.
You have the following options:
- Canary token – When requests are made to test for reflection of query parameters, this is the value of the parameter that is used and checked for.
- Check delay – When a page is loaded, depending on settings, the extension will try to show hidden elements and enable disabled elements. However, sometimes parts of the page are loaded dynamically and they aren’t in the original response. The extension will try to show and enable again after this delay (in seconds) after the page has initially loaded.
- Only write JS Wayback endpoints – If the setting to write Wayback archive endpoints has been selected, then if this option is checked, only endpoints for JS files will be written to the browser console.
- Save – If any options are changed, click this button to save them for future use.
- Clear Saved URLs/Params – If the extension is looking for reflected query parameters, then you don’t want to keep getting alerted for the same URL/Parameter combinations, so those that have been reported are stored to prevent this. However, if you want to remove the memory of those, you can click this button to remove them. Similarly, we don’t want to keep passing the same requests to the Wayback archive, so those are also stored, but can be cleared if this button is pressed.
Popup Menu
If you click the Xnl Reveal logo in the toolbar, you will see a popup menu.
You have the following settings:
- ENABLE REVEAL – If this is not checked then the extension will do nothing. If checked then it will take certain actions on web pages visited, depending on the other options set.
- Show query param reflection alerts – If this is checked, then when a web page is visited that has any query parameters, a background request is made for each parameter, replacing each n turn with the Canary token from the Options page. If the token is found for any of the parameters in the response then an alert box is shown giving you the URL and all the parameters on that page that were reflected. These are also written to the browser console.
NOTE: If there are many parameters, it can take some time to send all the requests and wait for the responses. A red status bar is displayed at the top of the page to let you know to wait. Also, if the page is dynamic, then these may not be found in the initial response and reported. - Write Wayback endpoints to console – If this is checked, then for each location/path visited in the browser, endpoints will be retrieved from the Wayback archive and written to the console. Once a location/path has been sent to the Wayback API it will not be sent again, unless the Clear Saved URLs/Params has been clicked.
- Show hidden elements – If this is checked, then any elements (excluding img,span and div) that are hidden will be shown. They will be shown with a red border and a label in red that gives some detail. Sometimes, if the page is dynamic, the elements may not be shown. You can always click the Run Now button to change the current loaded page.
- Enable disabled elements – If this is checked, then any elements (excluding img, span, and div) that are hidden will be shown. They will be shown with a red border and a label in red that gives some detail. Sometimes, if the page is dynamic, the elements may not be shown. You can always click the Run Now button to change the current loaded page.
Install
Copyright (c) 2023 /XNL-h4ck3r