
Not able to inject tracy payload #109

Closed
g33kyshivam opened this issue Sep 17, 2019 · 6 comments

Comments

@g33kyshivam

Hi! So I was just testing how to work with the Tracy web extension. For this particular website, which is vulnerable to DOM XSS, the user can control the input and it is reflected in the code too.

But I can't generate payload via Tracy to track the input.

URL

https://brutelogic.com.br/tests/sinks.html?name=something

So in the above URL, the name parameter is vulnerable to DOM XSS.

Payload (injecting valid HTML)

https://brutelogic.com.br/tests/sinks.html?name=<img+src+onerror=alert(1)>

So for this, Tracy doesn't show any payload section in the URL bar. Not sure whether I'm using this tool properly!

@heathj
Collaborator

heathj commented Sep 17, 2019

Hey! Here's what you might be missing:

  1. Open the UI by clicking the tracy logo in the top right.
  2. Copy the following into the URL bar: https://brutelogic.com.br/tests/sinks.html?name=zzXSSzz

When you navigate to that URL, the zzXSSzz string will be converted by tracy to a unique payload that it can spot in the page. It also adds HTML metacharacters so that it can detect XSS. Once you navigate to that URL, the UI should reflect the generated payload for you in the table. If you click it, it will show you all the locations that input was rendered in the DOM and should also give a severity rating based on whether it was escaped in any special way.

Give that a shot and let me know if you still can't get it. Happy to help.

@heathj
Collaborator

heathj commented Sep 17, 2019

When I did, I got the following:

[screenshot of the tracy UI]

[screenshot of the tracy UI]

Notice how tracy assigned the input as a severity 3? That is because the user-controlled input was rendered in the DOM as a node name, which should never happen unless the user-controlled input was rendered into the page as HTML. This is a big red flag for XSS and why tracy flags it. The output on the right side of the UI shows other interesting information: the HTTP request used to inject the user-input, the screenshot (if one was taken; zzPLAINzz and zzXSSzz payloads don't trigger screenshots so there wasn't one generated), and the bottom of the right side shows the actual DOM write to the page. Make sense?
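To make the "where did the input land in the DOM" check concrete, here is an added example (not tracy's own code) that runs a tracer string over a serialized DOM and reports the context in which it appears. The tracer id `bvlqswzwch` is the one from this thread; the sample DOM snippets are constructed, and the severity scale is an assumption apart from the "node name = 3" case stated above.

```python
from html.parser import HTMLParser

# Assumed scale: only "node name -> 3" comes from the thread; the rest is illustrative.
SEVERITY = {"node_name": 3, "attribute_name": 3, "attribute_value": 2, "text": 1}

class TracerLocator(HTMLParser):
    """Record every DOM context in which the tracer string shows up."""

    def __init__(self, tracer):
        # convert_charrefs=True decodes &lt;...&gt; back to text, so an escaped
        # tracer is still found, but lands in a "text" hit rather than a tag.
        super().__init__(convert_charrefs=True)
        self.tracer = tracer.lower()
        self.hits = []  # list of (context, detail)

    def handle_starttag(self, tag, attrs):
        if self.tracer in tag:  # input became an element: rendered as HTML
            self.hits.append(("node_name", tag))
        for name, value in attrs:
            if self.tracer in name:
                self.hits.append(("attribute_name", name))
            elif value and self.tracer in value.lower():
                self.hits.append(("attribute_value", f"{tag}[{name}]"))

    def handle_data(self, data):
        if self.tracer in data.lower():  # input stayed inert text
            self.hits.append(("text", data.strip()))

def rate(dom_html, tracer):
    """Return (worst severity, hits) for one tracer in a serialized DOM."""
    p = TracerLocator(tracer)
    p.feed(dom_html)
    p.close()
    worst = max((SEVERITY[ctx] for ctx, _ in p.hits), default=0)
    return worst, p.hits

TRACER = "bvlqswzwch"  # the id tracy substituted for zzXSSzz in this thread
SAMPLES = {  # constructed DOM fragments a sink might produce for "'<bvlqswzwch>
    "rendered_as_html": '<p>Hello "\'<bvlqswzwch></bvlqswzwch></p>',
    "escaped_text": "<p>Hello &quot;&#x27;&lt;bvlqswzwch&gt;</p>",
    "attribute_value": '<a href="/?name=bvlqswzwch">link</a>',
}

if __name__ == "__main__":
    for label, dom in SAMPLES.items():
        print(label, rate(dom, TRACER))
```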

@g33kyshivam
Author

Okay, so I didn't know that bvlqswzwch would be tracked via Tracy automatically. I was hoping that the trace icon would show up in the URL bar of my browser, where I could select the payload type, just like we get in normal input fields.

[screenshot]

But yes, "' works well! Thanks for the help :)

@g33kyshivam
Author

Wow I forgot to disable tracy xD

@jacobheath
Collaborator

Yes, so there are a few issues UI-wise that lead us to have the four different payloads we have. In most cases, you can just use the dropdown and select one of the four. However, in some cases (like the one you describe where you want to modify the query parameter in the URL directly), the extension APIs don't allow us to modify the UI of the browser's navigation bar. So in cases where you want to do that, you can manually type the zzXSSzz and zzPLAINzz and they will get caught by our background scripts when the network request is made. That was actually one of their primary purposes; there are a couple other cases where we couldn't generate the payloads until the network request was made, such as when client-side validation occurs and prevents a < symbol in a text field. The GEN-PLAIN and GEN-XSS are nicer for your average input fields because we can collect a little bit more information about where in the DOM the input was first introduced. But these are just the limitations of the browser.

So overall, we can't modify the navigation bar. If you want to introduce a payload in the navigation bar, use zzXSSzz or zzPLAINzz and you should be good.

@jacobheath
Collaborator

Closing this for now, let me know if you have any other issues I can help troubleshoot. And thanks for trying out Tracy!
