View Issue Details

ID: 0004910
Project: Kali Linux
Category: [All Projects] New Tool Requests
View Status: public
Last Update: 2020-01-13 13:33
Reporter: srccsebt
Assigned To:
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: closed
Resolution: won't fix
Product Version:
Target Version:
Fixed in Version:
Summary: 0004910: Eval Villain hooks dangerous JavaScript functions and searches for user input in order to find DOM XSS.

Description

## gotmilk questions

- [Name] - Eval Villain
- [Version] - Latest available on AMO, 1.4 at this time.
- [Homepage] -
- [Download] - From AMO:
- [Author] - I am the author.
- [Licence] - GPLv3. If this is a problem let me know.
- [Description] -
    Eval Villain is, in short, an easily configurable LD_PRELOAD for

    Eval Villain is a web extension for Firefox that hooks user-specified
    functions (or setters) before page load. Hooked functions then log
    information to the console.
    Eval Villain's main purpose is to find DOM XSS. So most of its features
    are centered around highlighting interesting calls and throwing away what
    is worthless. So regex white/black lists, domain filters, etc.

    Eval Villain can also be helpful for reversing obfuscated JavaScript.

- [Dependencies] -
    Firefox >= 59:
    This appears like it might be a problem. On my Kali box:
    > firefox-esr --version
    Mozilla Firefox 52.9.0
    Regretfully, in order to win the race with inline scripts and allow user
    configuration I use `contentScripts.register` which requires Firefox 59.

    If I can do something to help alleviate this burden let me know.

- [Similar tools] -
    I have not seen any other plugin with this purpose. Previously I used
    Greasemonkey but it fails to hook before inline JavaScript executes.

- [How to install] -
    * Visit the AMO page:
    * click "add to Firefox"

- [How to use] -
    Click the icon in the tool bar and enable it via the toggle. Then visit a
    web page with the console open. Use the site and keep an eye on the console.

## questions from

* Is the tool useful/functional in a Penetration Testing environment?
Yes, it makes finding DOM XSS very easy.

* Does the tool overlap functionality of other existing tools?
I don't think so. See "[Similar tools]" above.

* Does the licensing of the tool allow for free redistribution?

* How much resources does the tool require? Will it work in a “standard” environment?

The tool is very light, has no external dependencies. It could be used in a
restrictive internal pentest.
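
The hook-and-search approach the description outlines, as an added example that is not part of the original report and is not Eval Villain's code: it wraps a sink function and records calls whose string arguments contain values taken from the URL. The names `needlesFromUrl`, `hookSink`, `evalLike`, the stand-in scope object and the sample URL are assumptions constructed for illustration; a real extension would install the wrapper on the page's own globals before any page script runs.

```javascript
// Added illustration, not Eval Villain's source; every name below is hypothetical.

// Collect user-controlled strings ("needles") from a URL: query values and
// the fragment, both raw and percent-decoded.
function needlesFromUrl(href, minLen = 4) {
  const url = new URL(href);
  const out = new Set();
  const add = (s) => { if (s && s.length >= minLen) out.add(s); };
  for (const v of url.searchParams.values()) add(v); // values arrive decoded
  const frag = url.hash.slice(1);
  add(frag);
  try { add(decodeURIComponent(frag)); } catch (_) { /* malformed escape */ }
  return [...out];
}

// Replace scope[name] with a wrapper that records every call whose string
// arguments contain a needle, then forwards the call to the original.
function hookSink(scope, name, needles, findings) {
  const original = scope[name];
  scope[name] = function (...args) {
    for (const arg of args) {
      if (typeof arg !== "string") continue; // only strings can carry input
      for (const needle of needles) {
        if (arg.includes(needle)) findings.push({ sink: name, needle, arg });
      }
    }
    return Reflect.apply(original, this, args); // page behaviour is unchanged
  };
  return () => { scope[name] = original; }; // undo the hook
}

// Constructed demo: a stand-in scope with an eval-like sink and a sample URL.
function demo() {
  const scope = { evalLike: (code) => `ran:${code.length}` };
  const href = "https://app.example/page?cb=alertMe#msg=hello%20world";
  const findings = [];
  const unhook = hookSink(scope, "evalLike", needlesFromUrl(href), findings);
  scope.evalLike("var n = 1 + 1;");                     // no user input
  const ret = scope.evalLike("handlers.alertMe()");     // query value in sink
  scope.evalLike("el.textContent = 'msg=hello world'"); // decoded fragment
  unhook();
  scope.evalLike("handlers.alertMe()");                 // no longer recorded
  return { findings, ret };
}

console.log(demo().findings);
```

The minimum needle length keeps one- or two-character parameter values from matching nearly every call, which is the same noise problem the description's filters address.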


has duplicate 0004895 closed Eval Villain hooks dangerous JavaScript functions and searches for user input in order to find DOM XSS. 



2020-01-13 13:33

administrator   ~0011889

If people want to install their own extensions, they can ~

Issue History

Date Modified Username Field Change
2018-08-18 13:15 srccsebt New Issue
2018-08-18 13:15 srccsebt Issue generated from: 0004895
2019-12-09 13:30 g0tmi1k Severity minor => feature
2019-12-09 13:30 g0tmi1k Status acknowledged => new
2020-01-06 13:01 g0tmi1k Product Version 2018.2 =>
2020-01-06 13:25 g0tmi1k Relationship added has duplicate 0004895
2020-01-13 13:33 g0tmi1k Status new => closed
2020-01-13 13:33 g0tmi1k Resolution open => won't fix
2020-01-13 13:33 g0tmi1k Note Added: 0011889