-
[Name] - Eval Villain
-
[Version] - Latest available on AMO, 1.4 at this time.
-
[Homepage] - https://github.com/swoops/eval_villain
-
[Download] - From AMO: https://addons.mozilla.org/en-US/firefox/addon/eval-villain/
-
[Author] - I am the author.
-
[Licence] - GPLv3. If this is a problem let me know.
-
[Description] -
Eval Villain is, in short, an easily configurable LD_PRELOAD for
JavaScript.
Eval Villain is a web extension for Firefox that hooks user-specified
functions (or setters) before page load. Hooked functions then log
information to the console.
Eval Villain's main purpose is to find DOM XSS, so most of its features
are centered around highlighting interesting calls and throwing away what
is worthless: regex white/black lists, domain filters, etc.
Eval Villain can also be helpful for reversing obfuscated JavaScript.
-
[Dependencies] -
Firefox >= 59:
This appears like it might be a problem. On my Kali box:
> firefox-esr --version
Mozilla Firefox 52.9.0
Regretfully, in order to win the race with inline scripts and allow user
configuration I use contentScripts.register, which requires Firefox 59.
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts/register
If I can do something to help alleviate this burden let me know.
-
[Similar tools] -
I have not seen any other plugin with this purpose. Previously I used
Greasemonkey but it fails to hook before inline JavaScript executes.
-
[How to install] -
-
[How to use] -
Click the icon in the toolbar and enable it via the toggle. Then visit a
web page with the console open. Use the site and keep an eye on the console.
The tool is very light and has no external dependencies. It could be used in a
restrictive internal pentest.
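
The hooking idea from the description (wrap a function or a setter, log each call, filter with regex white/black lists), as an added example that is not Eval Villain's own code. The helper names, the canary string and the stand-in objects for `window.eval` and `innerHTML` are assumptions so the sketch runs outside a browser.

```javascript
// Added illustration, not Eval Villain's source. Fake objects below are constructed stand-ins.

// Replace obj[name] with a wrapper that reports its arguments, then calls through.
function hookFunction(obj, name, report) {
  const original = obj[name];
  if (typeof original !== "function") throw new TypeError(name + " is not a function");
  obj[name] = function (...args) {
    report({ sink: name, args: args.map(String) });
    return original.apply(this, args);
  };
}

// Replace the setter of proto[prop] with one that reports each assigned value.
function hookSetter(proto, prop, report) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.set !== "function") throw new TypeError(prop + " has no setter");
  Object.defineProperty(proto, prop, {
    ...desc,
    set(value) {
      report({ sink: "set(" + prop + ")", args: [String(value)] });
      desc.set.call(this, value);
    },
  });
}

// Reporter that drops blacklisted calls and keeps only whitelisted ones.
function makeReporter(whitelist, blacklist, kept) {
  return (entry) => {
    const text = entry.args.join(" ");
    if (blacklist && blacklist.test(text)) return;
    if (whitelist && !whitelist.test(text)) return;
    kept.push(entry);
    console.log("[hook] " + entry.sink + ": " + text);
  };
}

// Constructed demo: stand-ins for window.eval and Element.prototype.innerHTML.
function demo() {
  const kept = [];
  const report = makeReporter(/canary123/, /^jquery/, kept);
  const fakeWindow = { eval: (src) => src.length };
  class FakeElement { set innerHTML(v) { this._html = v; } get innerHTML() { return this._html; } }
  hookFunction(fakeWindow, "eval", report);
  hookSetter(FakeElement.prototype, "innerHTML", report);
  fakeWindow.eval("var a = 1");            // dropped: no whitelist match
  fakeWindow.eval("show('canary123')");    // kept
  const el = new FakeElement();
  el.innerHTML = "<b>canary123</b>";       // kept
  return { kept, html: el.innerHTML, last: fakeWindow.eval("jquery canary123") };
}
```

The hooked function and setter still behave as before; only the logging is added, which is why the wrapper has to be installed before any page script captures a reference to the original.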