All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- New hideThis configuration key to hide thisArg in devtools for function sinks (#29) (Thanks aristosMiliaressis).
- Improved leverage-innerHTML.json config to detect potential document DOM clobbering sinks.
- New Client-Side Prototype Pollution detection (cspp.json) configuration file.
- Devtools font size can now be configured from the settings.
- The CSPT config has been improved to properly handle "fetch(new Request('/'))".
- Banned words have been updated in all configs.
- The thisArg notation in devtools has been improved to make it easier to read (#29) (Thanks aristosMiliaressis).
- JavaScript injection has been improved on Firefox (wasn't needed for Chromium) to limit the init race condition.
- The dupKey value is now computed in the DOM instead of the background script.
- Fixed a bug that made attribute hooking impossible without set/get.
- Fixed a bug that blocked hooking postMessage without typing window.postMessage (#25).
- Fixed a DOS loop issue in the onmessage handler that triggered a hooked sink.
- New configuration files (postMessage & leverage-xss.json) are available in the configs folder (it will be improved soon).
- A new globals root key is associated with the domlogger.globals variable for execCode shortcut.
- A new onload root key is used to execute code after the extension loads.
- New matchTrace and !matchTrace directives have been added to the config root key, allowing filtering based on the sink's stack trace (#13) (Thanks jonathann403).
- Hooked functions and classes are now available in domlogger.func for execCode usage to avoid DoS due to recursive hook/usage.
- The domlogger.update.thisArg property can be used within the hookFunction directive to overwrite the thisArg value.
- A new full-screen mode has been added in DevTools (#20) (Thanks xanhacks).
- New tooltips have been added to the popup and DevTools icons (#23) (Thanks xanhacks).
- The frames column now properly describes which frames the sink has been found in (e.g., top.frames[1].frames[0]).
- The RegExp.prototype.toJSON method has been overwritten to properly log the regex value instead of {}.
- Arguments passed in the exec: directive are no longer stringified, making their usage easier.
- The exec: and hookFunction directives now have 3 parameters: thisArg, args, and target.
- The CSPT config has been updated to work properly with the new updates.
- The DevTools tab should work better now; I'll aim to completely fix it in the next release.
- Fixed a bug that was blocking URLSearchParams.prototype.get from being hooked (#15) (Thanks matanber).
- Stopped using crypto.subtle, which isn't exposed over HTTP (making the extension unavailable in that case) (#14) (Thanks FeelProud).
- The "Add Current eTLD+1" button in the popup now properly handles public eTLDs (e.g., .co.uk) and IPs (#17) (Thanks xnl-h4ck3r).
- Unicode characters in the config should no longer cause the extension to crash.
- The hookFunction directive should now be working properly.
- The extension should no longer crash if the config root key is absent.
- The UI for the "Remove Headers" settings has been fixed (#19) (Thanks xanhacks).
- A new (CSPT) config is available in the configs folder.
- New feature to remove response headers based on the JSON config.
- CTRL+S can now be used to save JSON configs (#4) (Thanks FeelProud).
- Config keys can now contain several targets using "|".
- Information about the current thisArg is now logged (#3) (Thanks aristosMiliaressis).
- The exec: regex directive now provides a target argument equal to the currently found sink.
- A new _comment root key is available within the configuration JSON (#6) (Thanks xnl-h4ck3r).
- New "current domain" and "current etld+1" buttons available in the popup (#8) (Thanks Aituglo)
- New pwnfox integration for Firefox (#8) (Thanks Aituglo)
- The whole background script code has been segmented and optimized into several files.
- The usage of sendMessage has been replaced by storage.onChanged for cross-context data exchange.
- Devtools clearStorage & removeRow buttons now update all Devtools tabs.
- Devtools data highlighting is now working fine in "show more" (#5) (Thanks AetherBlack).
- Event directive now properly hooks HTMLElement events.
- allowedDomains regex now properly handles IP domains.
- The Devtools should now stop having sync issues that require reloading them.
- New configs available in the configs folder.
- New requiredHooks config option.
- New exec: match and !match directives -> generate your regex using JavaScript.
- It is now possible to fully configure the devtools table (hiding columns, reordering, etc.).
- New domlogger.clean() function to reset the current Canary debugger.
- hookFunction now ensures that the provided code is valid.
- In case of attribute hooking, if neither get: nor set: is specified, both will be hooked.
- The goto function has been optimized and should always be working.
- Internally used functions are now safely utilized, avoiding any DOS issues.
- The devtools table is now perfectly responsive.
- First public release.