Dodanki za Firefox Browser
  • Rozšyrjenja
  • Drastwy
    • za Firefox
    • Słowniki a rěcne pakśiki
    • Druge sedła wobglědowaka
    • Dodanki za Android
Pśizjawiś
Pśeglěd za Eval Villain

Eval Villain wót bemodtwz

Hook native JavaScript functions before page load to see how a website uses them. Narrow down output based on the appearance of URL and session artifacts, user configured strings/regex, blacklists and more.

3.7 (3 reviews)3.7 (3 reviews)
222 wužywarjow222 wužywarjow
Trjebaśo Firefox, aby toś to rozšyrjenje wužywał
Firefox ześěgnuś a rozšyrjenje wobstaraś
Dataju ześěgnuś

Metadaty rozšyrjenja

Fota wobrazowki
Eval Villain discovers a DOM XSS vector, despite multiple layers of encoding on the x URL parameter. An encoder function is provided to encode your own payloads.The provided encoder function is pasted into the console. Then it's used to encode a new payload. Eval Villain shows the new payload hitting the sink and executing.
Wó toś tom rozšyrjenju
Eval Villain hooks JavaScript sinks and monitors input for the presence of strings found in sources. There is no race condition as Eval Villain will hook sinks before they can be used. Sinks will be hooked in all frames and pages unless a target URL pattern is configured.

The default configuration will hook common DOM XSS sinks but Eval Villain can be configured to hook any function. Go to the configuration page and click the icon -> configure to see examples.

When a sink is called, Eval Villain goes through a list of sources and tests input to that function for any occurrence of the sources. Sources include user defined strings or regex (referred to as needles), URL parameters, URL fragments (aka hash), local storage, window name and the user cookie. There is also a blacklist feature to remove commonly occurring false positives. Each of these features can be individually enabled or disabled in the popup menu. When changes are made, the page will need to be refreshed for changes to take effect.

These features make Eval Villain well suited to find DOM XSS, but also to answer other questions about how a web page is functioning. Hooking eval() and dumping input can bypass common obfuscation techniques and even find malware. Hooking decodeURI() with the URL parameter source enabled will give a stack trace that often contains the website's URL parser. Instrumenting the parser can then expose hidden URL parameters. Hooking addEventListener() with the needle "message" will dump the source code and location of post message handlers. Eval Villain allows a lot of configuration options to allow for creative solutions.

Eval Villain will also attempt to recursively decode sources. For example, ad networks often build iframes with encoded HTML hidden in the window name. Eval Villain can detect this behavior and provide both the sink where the HTML lands and an encoder function to encode arbitrary HTML into the frame.

Support for this version provided by Doyensec Research https://doyensec.com/research.html
Z 3,7 wót 3 pógódnośujucych pógódnośony
Pśizjawśo se, aby toś to rozšyrjenje pógódnośił
Hyšći pógódnośenja njejsu

Gwězdowe pógódnośenje jo se składło

5
2
4
0
3
0
2
0
1
1
3 pógódnośenja cytaś
Pšawa a datyDalšne informacije

Trjebne pšawa:

  • Pśistup k wašym datam za wšykne websedła měś
Dalšne informacije
Dodankowe wótzkaze
  • Startowy bok
  • E-mailowa adresa pomocy
Wersija
2.11
Wjelikosć
53,89 KB
Slědny raz zaktualizěrowany
yhdeksän kuukautta sitten (13. marras 2024)
Pśiswójźbne kategorije
  • Webwuwiśe
  • Priwatnosć a wěstota
Licenca
Jano licenca GNU General Public License v3.0
Pšawidła priwatnosći
Cytajśo pšawidła priwatnosći za toś ten dodank
Wersijowa historija
  • Wšykne wersije pokazaś
Wobznamjenja
  • security
Zběrce pśidaś
Toś ten dodank k wěsći daś
Wersijowe informacije za 2.11
Fixes bug where localStorage is not properly sourced
Improves encoder function for path search
Fixes mistake is sourcer debug statment
Wěcej rozšyrjenjow wót bemodtwz
  • Hyšći pógódnośenja njejsu

  • Hyšći pógódnośenja njejsu

  • Hyšći pógódnośenja njejsu

  • Hyšći pógódnośenja njejsu

  • Hyšći pógódnośenja njejsu

  • Hyšći pógódnośenja njejsu

K startowemu bokoju Mozilla

Dodanki

  • Wó nas
  • Blog dodankow Firefox
  • Źěłowa kupka rozšyrjenjow
  • Wuwijaŕski rožk
  • Wuwijaŕske pšawidła
  • Blog zgromaźeństwa
  • Forum
  • Programowu zmólku k wěsći daś
  • Směrnica za pógódnośenja

Wobglědowaki

  • Desktop
  • Mobile
  • Enterprise

Produkty

  • Browsers
  • VPN
  • Relay
  • Monitor
  • Pocket
  • Bluesky (@firefox.com)
  • Instagram (Firefox)
  • YouTube (firefoxchannel)
  • Priwatnosć
  • Cookieje
  • Pšawniske

Jolic nic hynac zapisane, se wopśimjeśe na toś tom sedle pód Creative Commons Attribution Share-Alike License v3.0 abo póznjejšeju wersiju licencěrujo.