Merlin
Untrusted Types for DevTools

Untrusted Types for DevTools

Abusing Trusted Types to discover XSS sinks.

What is Untrusted Types for DevTools?
'Untrusted Types for DevTools' is a Chrome extension designed to uncover potential DOM XSS vulnerabilities. By abusing Trusted Types, this extension identifies sinks, or code patterns, that could potentially execute dangerous JavaScript code if provided with malevolent inputs. The extension adds a dedicated panel to DevTools giving users the ability to view and filter sink logs, customize settings, and even highlight keywords passed in a sink. Furthermore, it aids in the exploration of stack traces of specific logs, helping developers ensure safer, more secure applications.
Download
Merlin
Stats
Users: 1,000+
Rating: 5.00 (3)
Version: 1.1.1 (Last updated: 2021-10-12)
Creation date: 2021-01-22
Risk impact: High risk impact
Risk likelihood: Very low risk likelihood
Manifest version: 2
Permissions:
  • storage
  • webRequest
  • webRequestBlocking
  • http://*/*
  • https://*/*
Size: 40.10K
URLs: Website
Stats date:

Chrome-Stats Rank

# 27549 ▼ 63
Other rankings
#870 in Developer Tools ▲ 1 #168 in input keyword 39 ▼ 1 #208 in console keyword 13 ▲ 3

Other platforms

Not available on Firefox
Not available on Edge
Want to check extension ranking and stats more quickly for other Chrome extensions? Install Chrome-Stats extension to view Chrome-Stats data as you browse the Chrome Web Store.
Chrome-Stats extension
Merlin
Summary
Analyze keywords

Discover and test inputs passed into sinks that could lead to DOM XSS vulnerabilities.

A sink is a code pattern that could run arbitrary JavaScript code if the input is malicious, for example: innerHTML, eval, document.write.

This extension adds a panel to DevTools where you can see/filter the sink logs and customize settings.

Keywords (by default: "d0mxss") that are found to be passed in a sink will be highlighted in the extension and in console.

You can then find the stack trace of a specific log:

  1. Click to copy the ID,
  2. Open Console>Filter and paste the ID,
  3. Now you can inspect the stack trace. Click on the function name to open it in the Sources tab.
User reviews
fantastic tool! helps me display the xss dom sink in devtools console! Thanks
by Rizan Fauzi Rizan Fauzi, 2021-08-31
View all user reviews
Safety
Risk impact

Untrusted Types for DevTools is risky to use as it requires a number of sensitive permissions that can potentially harm your browser and steal your data. Exercise caution when installing this extension. Review carefully before installing. We recommend that you only install Untrusted Types for DevTools if you trust the publisher.

Risk likelihood

Untrusted Types for DevTools has earned a good reputation and can be trusted.

Upgrade to see risk analysis details
Screenshots
Untrusted Types for DevTools Untrusted Types for DevTools
Similar extensions

Here are some Chrome extensions that are similar to Untrusted Types for DevTools:

Hack-Tools
Hack-Tools
Ludovic COULON & Riadh BOUCHAHOUA
4.73
30,000+
Shodan
Shodan
https://shodan.io
4.52
100,000+
YesWeHack VDP Finder
YesWeHack VDP Finder
acc+browserext
5.00
2,000+
HackBar
HackBar
0140454
4.12
70,000+
Investigate with Lacework
Investigate with Lacework
Lacework
N/A
270
CounterXSS
CounterXSS
playarun93
5.00
578
retire.js
retire.js
jadwigaostrowska803
4.88
20,000+
Tracy
Tracy
jacob.heath.ncc
4.00
649
Vulners Web Scanner
Vulners Web Scanner
vankyver
4.55
9,000+
XSS
XSS
totofish2021
5.00
2,000+
OWASP Penetration Testing Kit
OWASP Penetration Testing Kit
https://pentestkit.co.uk
4.86
20,000+
Plugin Vulnerabilities
Plugin Vulnerabilities
White Fir Design
5.00
536