Skip to content
/ XSSFINDERAUTO Public
forked from xnl-h4ck3r/XnlReveal

A Chrome browser extension to show alerts for relfected query params, show hidden elements and enable disabled elements.

License

MIT license
0 stars 51 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

yaelahrip/XSSFINDERAUTO

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
images
images
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
background.js
background.js
 
 
content.js
content.js
 
 
manifest.json
manifest.json
 
 
options.html
options.html
 
 
options.js
options.js
 
 
popup.html
popup.html
 
 
popup.js
popup.js
 
 

Repository files navigation

About

This is a Chrome Extension that can do the following:

  • Show an alert for any query parameters that are reflected.
  • Show any hidden elements on the page.
  • Enable any disabled elements on the page.

The first point was inspired by a comment by @renniepak on Episode 42 of the Critical Thinking - Bug Bounty Podcast where he mentioned he had his own browser extension that let him know about any reflections.

The second and third points were inspired by this Tweet by Critical Thinking - Bug Bounty Podcast and I initially created as browser bookmarks.

Installing

  1. Clone this repo to your machine.

  2. Open the Extension Manager in Chrome by following: Kebab menu(three vertical dots) -> Extensions -> Manage Extensions

  3. If the developer mode is not turned on, turn it on by clicking the toggle in the top right corner.

  4. Now click on Load unpacked button on the top left

  5. Go the directory where you have XnlReveal folder and select it.

  6. The extension is now loaded. You can click on the extension icon in the toolbar to pin Xnl Reveal to your toolbar.

Settings

Options Page

If you right click the Xnl Reveal logo in the toolbar and select Options, you will be taken to the Options page.

You have the following options:

  • Canary token - When requests are made to test for reflection of query parameters, this is the value of the parameter that is used and checked for.
  • Check delay - When a page is loaded, depending on settings, the extension will try to show hidden elements and enable disabled elements. However, sometimes parts of the page are loaded dynamically and they aren't in the original response. THe extension will try to show and enable again after this delay (in seconds) after the page has initially loaded.
  • Save - If any options are changed, click this button to save them for future use.
  • Clear Saved URLs/Params - If the extension is looking for reflected query parameters, then you don't want to keep getting alerted for the same URL/Parameter combinations, so those that have been reported are stored to prevent this. However, if you want to remove the memory of those, you can click this button to remove them.

Popup Menu

If you click the Xnl Reveal logo in the toolbar, you will see a popup menu.

You have the following settings:

  • ENABLE REVEAL - If this is not checked then the extension will do nothing. If checked then it will take certain actions on web pages visited, depending on the other options set.
  • Show query param reflection alerts - If this is checked, then when a web page is visited that has any query parameters, a background request is made for each parameter, replacing each n turn with the Canary token from the Options page. If the token is found for any of the parameters the response then an alert box is shown giving you the URL and all the parameters on that page that were reflected. These are also written to the browser console.
    NOTE: If there are many parameters, it can take some time to send all the requests and wait for the responses. A red status bar is displayed at the top of the page to let you know to wait. Also, if the page is dynamic, then these may not be found in the initial response and reported.
  • Show hidden elements - If this is checked, then any elements (excluding img,span and div) that are hidden will be shown. They will be shown with a red border and a label in red that gives some detail. Sometimes, if the page is dynamic, the elements may not be shown. You can always click the Run Now button to change the current loaded page.
  • Enable disabled elements - If this is checked, then any elements (excluding img,span and div) that are hidden will be shown. They will be shown with a red border and a label in red that gives some detail. Sometimes, if the page is dynamic, the elements may not be shown. You can always click the Run Now button to change the current loaded page.

Important

This Chrome extension isn't going to be perfect!
Sometimes the change of code can break a page. If you get a problem, unselected a certain setting in the popup menu will reload the page and it may be okay again, and you'll just not be able to check.
There may also be some Errors that are shown in the Manage extension page in certain situations.

Issues

If you come across any problems at all, or have ideas for improvements, please feel free to raise an issue on Github. If there is a problem, it will be useful if you can provide the exact URL you were on, and any console errors.

Good luck and good hunting! If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)

🤘 /XNL-h4ck3r

About

A Chrome browser extension to show alerts for relfected query params, show hidden elements and enable disabled elements.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages

  • JavaScript 88.5%
  • HTML 11.5%