Not able to inject tracy payload #109
Comments
Hey! Here's what you might be missing:
When you navigate to that URL, the Give that a shot and let me know if you still can't get it. Happy to help.
When I did, I got the following: Notice how tracy assigned the input as a severity 3? That is because the user-controlled input was rendered in the DOM as a node name, which should never happen unless the user-controlled input was rendered into the page as HTML. This is a big red flag for XSS and why tracy flags it. The output on the right side of the UI shows other interesting information: the HTTP request used to inject the user-input, the screenshot (if one was taken;
Wow I forgot to disable tracy xD
Yes, so there are a few issues UI-wise that lead us to have the four different payloads we have. In most cases, you can just use the dropdown and select one of the four. However, in some cases (like the one you describe where you want to modify the query parameter in the URL directly), the extension APIs don't allow us to modify the UI of the browser's navigation bar. So in cases where you want to do that, you can manually type the So overall, we can't modify the navigation bar. If you want to introduce a payload in the navigation bar, use
Closing this for now, let me know if you have any other issues I can help troubleshoot. And thanks for trying out Tracy!
Hi! So I was just testing how to work with the Tracy web extension. This particular website is vulnerable to DOM XSS: the user can control the input, and it is reflected in the code too.
But I can't generate a payload via Tracy to track the input.
URL
https://brutelogic.com.br/tests/sinks.html?name=something
So in the above URL, the name parameter is vulnerable to DOM XSS.
Payload (injecting valid HTML)
https://brutelogic.com.br/tests/sinks.html?name=<img+src+onerror=alert(1)>
So for this, Tracy doesn't show any payload section in the URL bar. Not sure if I'm not using this tool properly!
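The maintainer's point above (a tracer that comes back as a DOM node name is the strongest XSS signal, while the same string inside a text node is harmless) can be illustrated with a small classifier. This is an added example, not Tracy's code: the tracer string `TRACERXYZ`, the two sample renderings, and the severity numbers for anything other than a node-name hit are constructed assumptions for this illustration.

```python
"""Classify where a tracer string lands in rendered HTML (added example, not Tracy code)."""
from html.parser import HTMLParser

# Severity scale is an assumption for this example; the thread only states that
# a node-name hit is severity 3 (the "big red flag" case).
SEVERITY = {"node_name": 3, "attribute_name": 2, "attribute_value": 1, "text": 0}


class TracerLocator(HTMLParser):
    """Record every DOM position in which the tracer appears while parsing."""

    def __init__(self, tracer):
        super().__init__()
        self.tracer = tracer
        self.hits = []  # (location, context) tuples in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so compare lowercase.
        if self.tracer.lower() in tag:
            self.hits.append(("node_name", tag))
        for name, value in attrs:
            if self.tracer.lower() in name:
                self.hits.append(("attribute_name", name))
            if value is not None and self.tracer in value:
                self.hits.append(("attribute_value", f"{name}={value}"))

    def handle_data(self, data):
        # Entity-encoded input (&lt;TRACERXYZ&gt;) is unescaped into text here,
        # which is exactly the safe outcome: markup became plain characters.
        if self.tracer in data:
            self.hits.append(("text", data.strip()))


def locate_tracer(html, tracer):
    parser = TracerLocator(tracer)
    parser.feed(html)
    parser.close()
    return parser.hits


def max_severity(html, tracer):
    """Highest severity among all hits; -1 means the tracer never rendered."""
    return max((SEVERITY[loc] for loc, _ in locate_tracer(html, tracer)), default=-1)


# Constructed renderings of the same input "<TRACERXYZ>" through two sinks.
RENDERED_VIA_INNERHTML = '<div id="out">Hello <tracerxyz></tracerxyz></div>'
RENDERED_VIA_TEXTCONTENT = '<div id="out">Hello &lt;TRACERXYZ&gt;</div>'

if __name__ == "__main__":
    for label, page in (("innerHTML", RENDERED_VIA_INNERHTML), ("textContent", RENDERED_VIA_TEXTCONTENT)):
        print(label, locate_tracer(page, "TRACERXYZ"), "severity", max_severity(page, "TRACERXYZ"))
```

Running it shows the innerHTML rendering producing a node-name hit at severity 3 and the textContent rendering producing only a text hit at severity 0, which is the distinction Tracy's UI surfaces.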