Tracy

A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
What is Tracy?
The Chrome extension 'Tracy' is dedicated to making XSS detection more effective by focusing on sources of input and their corresponding sinks in a web application. Unlike other tools that only target server response reflection, Tracy achieves a more thorough inspection by providing 'x-ray vision into the DOM'. Tracy aids penetration testers in tracing potential risks while documenting and storing them as effective references.
Download

Extension stats

Users: 585 ▼ -10
Rating: 4.00 (2)
Version: 0.9.2 (Last updated: 2021-05-21)
Creation date: 2020-05-11
Risk impact: High risk impact
Risk likelihood: Low risk likelihood
Manifest version: 2
Permissions:
  • <all_urls>
  • storage
  • webRequest
Size: 920.58K

Ranking

# 38625 ▼ 446
Other rankings
#7501 in Developer Tools ▼ 30 #256 in identify keyword 8 ▲ 2 #288 in input keyword 31

Other platforms

Not available on Firefox
Not available on Edge
Want to check extension ranking and stats more quickly for other Chrome extensions? Install Chrome-Stats extension to view Chrome-Stats data as you browse the Chrome Web Store.
Chrome-Stats extension

Extension summary

Analyze keywords

There are many different ways to trigger XSS, especially considering the large number of frontend frameworks that have been made popular in the last few years. For example, some of the less traditional ways of exploiting XSS can be through:

  • DOM clobbering
  • DOM injection
  • Frontend template injection
  • Backend template injection
  • Open redirects

These attack vectors are significantly different than traditional stored and reflected XSS cases and they require new tools for finding them effectively.

Many similar tools only look for server response reflection, however this is not very helpful if all output encoding is performed by the frontend. In order to really gain knowledge about all the true sinks of the application, we need a tool that grants us "X-ray vision into the DOM".

This extensions was written with the goal of eliminating XSS by assisting a penetration tester in identifying every source of input into an application and following that input to all of its sinks. These cases are documented and stored as references that can be used to identify the locations of potentially risky input.

User reviews

Initial Review: ---------------- Installs cleanly, loads fine, however there is not comphrensive documentation (yet) to explain what exactly its doing to help pentest a site. Very cryptic desc. of its functions. I will report back once i learn some more but you should have a very firm handle on XSS before using this
by Mistah Mark, 2021-05-16
Quite the tool to look for XSS...a must have tool
by Emmanuel Odota, 2019-07-28
View all user reviews

Extension safety

Risk impact

Tracy requires some sensitive permissions that could impact your browser and data security. Exercise caution before installing.

Risk likelihood

Tracy has earned a fairly good reputation and likely can be trusted.

Upgrade to see risk analysis details

Similar extensions

Here are some Chrome extensions that are similar to Tracy:

Bishop Vulnerability Scanner
Bishop Vulnerability Scanner
Jack Kingsman
3.75
3,000+
ZoomEye Tools
ZoomEye Tools
knownseczoomeye
3.67
3,000+
Display Access Keys
Display Access Keys
dharris
4.33
327
Untrusted Types for DevTools
Untrusted Types for DevTools
Thomas Orlita
5.00
1,000+
HackBar
HackBar
0140454
4.24
70,000+
CounterXSS
CounterXSS
playarun93
5.00
522
Breakbot
Breakbot
https://jacksbrain.com
3.80
293
Vulners Web Scanner
Vulners Web Scanner
vankyver
4.55
9,000+
Input hidden Monitor
Input hidden Monitor
Bohumil Beran
N/A
335
Plugin Vulnerabilities
Plugin Vulnerabilities
White Fir Design
5.00
475
Investigate with Lacework
Investigate with Lacework
Lacework
N/A
232
should-i-trust
should-i-trust
ericalexander.org
N/A
232