View Issue Details

IDProjectCategoryView StatusLast Update
0004910Kali LinuxNew Tool Requestspublic2020-01-13 13:33
Reportersrccsebt Assigned To 
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status closedResolutionwon't fix 
Summary0004910: Eval Villain hooks dangerous JavaScript functions and searches for user input in order to find DOM XSS.
Description

gotmilk questions

  • [Name] - Eval Villain

  • [Version] - Latest available on AMO, 1.4 at this time.

  • [Homepage] - https://github.com/swoops/eval_villain

  • [Download] - From AMO: https://addons.mozilla.org/en-US/firefox/addon/eval-villain/

  • [Author] - I am the author.

  • [Licence] - GPLv3. If this is a problem let me know.

  • [Description] -
    Eval Villian is, in short, an easily configurable LD_PRELOAD for
    JavaScript.

    Eval Villian is a web extension for Firefox that hooks user specified
    functions (or setters) before page load. Hooked functions then log
    information to the console.

    Eval Villain's main purpose is to find DOM XSS. So most of it's features
    are centered around highlighting interesting calls and throwing away what
    is worthless. So regex white/black lists, domain filters, ect.

    Eval Villain can also be helpful for reversing obfuscated JavaScript.

  • [Dependencies] -
    Firefox >= 59:
    This appears like it might be a problem. On my Kali box:

    > firefox-esr --version
    Mozilla Firefox 52.9.0

    Regretfully, in order to win the race with inline scripts and allow user
    configuration I use contentScripts.register which requires Firefox 59.
    https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts/register

    If I can do something to help alleviate this burden let me know.

  • [Similar tools] -
    I have not seen any other plugin with this purpose. Previously I used
    grease monkey but it fails to hook before inline JavaScript executes.

  • [How to install] -

  • [How to use] -
    Click the icon in the tool bar and enable it via the toggle. Then visit a
    web page with the console open. Use the site and keep an eye on the console.

questions from Docs.kali.org/policy/penetration-testing-tools-policy

  • Is the tool useful/functional in a Penetration Testing environment?
    Yes, it makes finding DOM XSS very easy.

  • Does the tool overlap functionality of other existing tools?
    I don't think so. See "[Similar tools]" above.

  • Does the licensing of the tool allow for free redistribution?
    Yes

  • How much resources does the tool require? Will it work in a “standard” environment?

The tool is very light, has no external dependencies. It could be used in a
restrictive internal pentest.

Relationships

has duplicate 0004895 closed Eval Villain hooks dangerous JavaScript functions and searches for user input in order to find DOM XSS. 

Activities

g0tmi1k

g0tmi1k

2020-01-13 13:33

administrator   ~0011889

If people want to install their own extensions, they can ~ https://addons.mozilla.org/en-US/firefox/addon/eval-villain/

Issue History

Date Modified Username Field Change
2018-08-18 13:15 srccsebt New Issue
2018-08-18 13:15 srccsebt Issue generated from: 0004895
2019-12-09 13:30 g0tmi1k Severity minor => feature
2019-12-09 13:30 g0tmi1k Status acknowledged => new
2020-01-06 13:01 g0tmi1k Product Version 2018.2 =>
2020-01-06 13:25 g0tmi1k Relationship added has duplicate 0004895
2020-01-13 13:33 g0tmi1k Status new => closed
2020-01-13 13:33 g0tmi1k Resolution open => won't fix
2020-01-13 13:33 g0tmi1k Note Added: 0011889