DOMLogger++ 1.0.7

Added

• New hideThis configuration key to hide thisArg in devtools for function sinks (#29 (Thanks @aristosMiliaressis).
• Improved leverage-innerHTML.json config to detect potential document DOM clobbering sinks.
• New Client-Side Prototype Pollution detection (cspp.json) configuration file.
• Devtools font size can now be configured from the settings.

Updated

• The CSPT config has been improved to properly handle "fetch(new Request('/'))".
• Banned words have been updated in all configs.
• The thisArg notation in devtools has been improved to make it easier to read (#29) (Thanks @aristosMiliaressis).
• JavaScript injection has been improved on Firefox (wasn't needed for Chromium) to limit the init race condition.
• The dupKey value is now computed in the DOM instead of the background script.

Fixed

• Fixed a bug that made attribute hooking impossible without set/get.
• Fixed a bug that blocked hooking postMessage without typing window.postMessage (#25).
• Fixed a DOS loop issue in the onmessage handler that triggered a hooked sink.

DOMLogger++ 1.0.6

Added

• New configuration files (postMessage & leverage-xss.json) are available in the configs folder (it will be improved soon).
• A new globals root key is associated with the domlogger.globals variable for execCode shortcut.
• A new onload root key is used to execute code after the extension loads.
• New matchTrace and !matchTrace directives have been added to the config root key, allowing filtering based on the sink's stack trace (#13) (Thanks @jonathann403).
• Hooked functions and classes are now available in domlogger.func for execCode usage to avoid DoS due to recursive hook/usage.
• The domlogger.update.thisArg property can be used within the hookFunction directive to overwrite the thisArg value.
• A new full-screen mode has been added in DevTools (#20) (Thanks @xanhacks).
• New tooltips have been added to the popup and DevTools icons (#23) (Thanks @xanhacks).

Updated

• The frames column now properly describes which frames the sink has been found in (e.g., top.frames[1].frames[0]).
• The RegExp.prototype.toJSON method has been overwritten to properly log the regex value instead of {}.
• Arguments passed in the exec: directive are no longer stringified, making their usage easier.
• The exec: and hookFunction directives now have 3 parameters: thisArg, args, and target.
• The CSPT config has been updated to work properly with the new updates.

Fixed

• The DevTools tab should work better now; I'll aim to completely fix it in the next release.
• Fixed a bug that was blocking URLSearchParams.prototype.get from being hooked (#15) (Thanks @matanber).
• Stopped using crypto.subtle, which isn't exposed over HTTP (making the extension unavailable in that case) (#14) (Thanks @FeelProud).
• The "Add Current eTLD+1" button in the popup now properly handles public eTLDs (e.g., .co.uk) and IPs (#17) (Thanks @xnl-h4ck3r).
• Unicode characters in the config should no longer cause the extension to crash.
• The hookFunction directive should now be working properly.
• The extension should no longer crash if the config root key is absent.
• The UI for the "Remove Headers" settings has been fixed (#19) (Thanks @xanhacks).

DOMLogger++ 1.0.5

Added

• A new (CSPT) config is available in the configs folder.
• New feature to remove response headers based on the JSON config.
• CTRL+S can now be used to save JSON configs (#4) (Thanks @FeelProud).
• Config keys can now contain several targets using "|".
• Information about the current thisArg is now logged (#3) (Thanks @aristosMiliaressis).
• The exec: regex directive now provides a target argument equal to the currently found sink.
• A new _description root key is available within the configuration JSON (#6) (Thanks @xnl-h4ck3r).
• New "current domain" and "current etld+1" buttons available in the popup (#8) (Thanks @Aituglo)
• New pwnfox integration for Firefox (#8) (Thanks @Aituglo)

Updated

• The whole background script code has been segmented and optimized into several files.
• The usage of sendMessage has been replaced by storage.onChanged for cross-context data exchange.
• Devtools clearStorage & removeRow buttons now update all Devtools tabs.

Fixed

• Devtools data highlighting is now working fine in "show more" (#5) (Thanks @AetherBlack).
• Event directive now properly hooks HTMLElement events.
• allowedDomains regex now properly handles IP domains.
• The Devtools should now stop having sync issues that require reloading them.

DOMLogger++ 1.0.4

Added

• New configs available in the configs folder.
• New requiredHooks config option.
• New exec: match and !match directives -> generate your regex using JavaScript.
• It is now possible to fully configure the devtools table (hiding columns, reordering, etc.).
• New domlogger.clean() function to reset the current Canary debugger.

Updated

• hookFunction now ensures that the provided code is valid.
• In case of attribute hooking, if neither get: nor set: is specified, both will be hooked.
• The goto function has been optimized and should always be working.

Fixed

• Internally used functions are now safely utilized, avoiding any DOS issues.
• The devtools table is now perfectly responsive.

DOMLogger++ 1.0.3

First public release ✨