
Inject payload into hidden parameters. #107

Closed
ghost opened this issue Jul 27, 2019 · 7 comments

@ghost

ghost commented Jul 27, 2019

Shall there be an option to inject payload into the url, and for such hidden params with no input box?

[screenshot: url]

@heathj
Collaborator

heathj commented Jul 27, 2019

ah ha! Great suggestion and the good news is the next version of tracy will have this :D I am actually currently working on building the new release this weekend and am hoping to have it ready by this week. Stay tuned!

@heathj
Collaborator

heathj commented Jul 27, 2019

Currently, though, if you have the tracy binary running and your browser proxying through it, you can use the string zzPLAINzz or zzXSSzz in a hidden query parameter and the proxy will inject a payload for you in that spot.

@ghost
Author

ghost commented Jul 27, 2019

Hello, thanks for the feedback. I have just tried this and the proxy did not inject the payload. I tried setting the auto-fill inputs to GEN-XSS too and nothing happened

> Currently, though, if you have the tracy binary running and your browser proxying through it, you can use the string zzPLAINzz or zzXSSzz in a hidden query parameter and the proxy will inject a payload for you in that spot.

@heathj
Collaborator

heathj commented Jul 27, 2019

Hmmm, this is what I get:

[screenshot]

Notice, I've got FoxyProxy set to proxy my browser through Tracy when I do that. Here's the screenshot of the Tracy UI showing the payload wwrmffdhsr input source and output write into the DOM.

[screenshot]

Tracy noticed that the source input was written to the DOM as a node name, which should never happen so it flags it as red (as it should). Is that not what you are seeing? Here are some things to try if you aren't:

  • Make sure you're running the tracy binary and your browser is proxying through Tracy. Tracy by default runs at 127.0.0.1:7777, so usually that is where I set up my proxy.
  • Make sure the Tracy certificate is trusted by your browser. In Firefox, you can add a CA to your trust store through the settings. The tracy certificate is in your ~/.tracy directory.
  • Try clearing your database by deleting ~/.tracy/prod-tracer-db.db and restarting the tracy binary

Hopefully all of this will be easier soon, but let me know if you still can't get it working.

@ghost
Author

ghost commented Jul 28, 2019

  • Cool, got it working! Just had to proxy the traffic through tracy.

  • An idea would be to also check for SSTi since it is based on the same idea as XSS, e.g. {{7*800}}, and check for the result in the response.

However, on websites heavily built on JavaScript it tends to slow down the Firefox browser.
[screenshot: bug]
On Chrome some images are not shown.
[screenshot: chrome]

@heathj
Collaborator

heathj commented Jul 28, 2019

Yea, I've had issues with performance before. It was one of the pushes to redo it with just an extension; I noticed it happening when there are a lot of tracers in your database because it has to search a lot of content for each of those tracers one at a time. When it's all migrated to an extension, it will be simpler (hopefully?) to debug issues and move longer running jobs to a web worker. If you can start over and get a reproducible case where you are getting that performance error, I'd love to see it.

With regards to the SSTi, that's a great idea! And one mentioned here: #51. I think we figured out that a rough way of doing it right now would be to modify your ~/.tracy/tracy.json file to add a new tracer template. We were thinking something like this:

  "tracers": {
    "zzPLAINzz": "[[ID]]",
    "zzXSSzz": "\\\"'<[[ID]]>",
    "GEN-XSS": "\\\"'<[[ID]]>",
    "GEN-PLAIN": "[[ID]]",
    "{{7*800}}": "5600"
  }

That should work after you restart the tracy binary and reload your browser window. Although, it is not super elegant. The most "tracy"-way of doing it would be tracy would automatically generate a payload for you and look for it so you wouldn't have the same numbers all over your app you were testing and it could differentiate between different SSTi input sources. I've never actually tried this, so give it a shot and let me know if it works.
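To make the mechanism in the two comments above concrete (placeholder strings such as zzXSSzz in a hidden query parameter being swapped for a generated payload, and the response then searched for the generated id or, for the SSTi entry, for the expected result), here is an added stand-alone example. It is my own illustration, not tracy's code, and it assumes a particular reading of the suggested config: a template containing [[ID]] is a payload whose random id is searched for afterwards, while a template without [[ID]] (the {{7*800}} entry) is the expected evaluated output, so the key is sent as-is and the response is searched for the template value. The config text, URL and response body are constructed sample data.

```python
import json
import re
import secrets
import string
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed stand-in for the "tracers" section of ~/.tracy/tracy.json,
# using the entries from this thread (including the suggested SSTI template).
TRACY_JSON = r'''{
  "tracers": {
    "zzPLAINzz": "[[ID]]",
    "zzXSSzz": "\\\"'<[[ID]]>",
    "GEN-XSS": "\\\"'<[[ID]]>",
    "GEN-PLAIN": "[[ID]]",
    "{{7*800}}": "5600"
  }
}'''

ID_ALPHABET = string.ascii_lowercase


def load_tracers(config_text: str) -> dict:
    """Parse the tracers map out of a tracy.json-style document."""
    return json.loads(config_text)["tracers"]


def make_id(length: int = 10) -> str:
    """Random lowercase tracer id, like the 'wwrmffdhsr' seen in the thread."""
    return "".join(secrets.choice(ID_ALPHABET) for _ in range(length))


def expand(key: str, template: str, tracer_id: str):
    """Return (payload_to_send, marker_to_search_for) for one tracer entry.

    Assumption (mine, not tracy's documented behaviour): a template with
    [[ID]] is a payload whose id is later searched for; a template without
    [[ID]] is the expected evaluated output, so the key itself is sent and
    the response is searched for the template text.
    """
    if "[[ID]]" in template:
        return template.replace("[[ID]]", tracer_id), tracer_id
    return key, template


def inject_url(url: str, tracers: dict, id_gen=make_id):
    """Replace tracer placeholders found in query-string values.

    Returns the rewritten URL plus the records the scanner needs later:
    one dict per replaced parameter with marker, param name and payload.
    """
    parts = urlsplit(url)
    records, new_query = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value in tracers:
            payload, marker = expand(value, tracers[value], id_gen())
            records.append({"marker": marker, "param": name, "payload": payload})
            value = payload
        new_query.append((name, value))
    rewritten = urlunsplit(parts._replace(query=urlencode(new_query)))
    return rewritten, records


def scan_response(body: str, records: list) -> list:
    """Find markers in a response body and classify where each one landed."""
    findings = []
    for rec in records:
        marker = rec["marker"]
        if marker not in body:
            continue
        # A marker directly after '<' means the payload became a node name,
        # the case the thread describes as flagged red in the tracy UI.
        severity = "node-name" if re.search("<" + re.escape(marker), body) else "text"
        findings.append({**rec, "severity": severity})
    return findings


def demo():
    """Deterministic run over constructed request and response data."""
    tracers = load_tracers(TRACY_JSON)
    ids = iter(["wwrmffdhsr", "abcdefghij"])  # fixed ids instead of random ones
    url = "https://app.example/search?q=zzXSSzz&tpl={{7*800}}&page=2"
    rewritten, records = inject_url(url, tracers, id_gen=lambda: next(ids))
    # Constructed response: q is echoed unescaped into markup, tpl was evaluated.
    body = '<div class="result">\\"\'<wwrmffdhsr></div><p>5600</p>'
    return rewritten, records, scan_response(body, records)


if __name__ == "__main__":
    for finding in demo()[2]:
        print(finding["param"], finding["marker"], finding["severity"])
```

The id is what gets searched for, not the surrounding quotes and brackets, so the same template can be placed in many inputs and each reflection is still attributed to the parameter it came from; that is the "differentiate between different input sources" property the comment above wants for the SSTi case too, which a fixed 5600 cannot give.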

@heathj
Collaborator

heathj commented Jul 31, 2019

New version! Closing this as I am sure the new version will have its own issues. If you have issues with the new version, let's open a separate ticket. Thanks for using tracy!

@heathj heathj closed this as completed Jul 31, 2019