DOMLogger++ av Kévin (Mizu)

DOMLogger++ allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations.

5 (3 reviews)

267 brukarar

Du treng Firefox for å bruke denne utvidinga

Last ned Firefox og få utvidinga

Last ned fil

Om denne utvidinga

Description:

DOMLogger++ is a browser extension developed for web developers and security researchers. It hooks into specific JavaScript sinks, helping users understand how web scripts operate. With customizable JSON settings, users can adjust how the extension works according to their needs.

This tool is especially useful for those looking to identify security risks in web applications. By offering insights into JavaScript interactions, DOMLogger++ can help spot potential vulnerabilities in websites.

Features:

- [x] Regex-based domain management.
- [x] Flexible hooking configuration (class, function, attribute, event).
- [x] Regex-based hooks arguments and stack trace filtering (match, !match, matchTrace, !matchTrace).
- [x] Dynamic regex generation (exec:).
- [x] Dynamic sinks arguments update (hookFunction).
- [x] Customizable notifications system (alert, notification).
- [x] Required hook logging condition (requiredHook).
- [x] On-demand debugging breakpoints.
- [x] Integrated Devtools log panel.
- [x] Response headers filtering.
- [x] Remote logging via webhooks.
- [x] Extensive theme customization.

Vurdert 5 av 3 meldarar

Versjonsnotat for 1.0.9

Added

Full Caido session handling has been added (this is going to be useful with a plugin that should be released in October 2025).
It's now possible to supply the sink debug canary from the 'domloggerpp-canary' get parameter.
The settings webhook tab has been improved to make it fully configurable.
A new dompurify-bypass-replace.json config file is available, allowing tracking of DOMPurify sanitization to find replace misconfigurations.
A new domloggerpp.utils has been added to create notifications from the DOM.
The cspt.json config file has been updated to no longer log in devtools but only console.log + create a notification.

Updated

The postmessages.json config file has been updated to add colored console.log inspired by postMessage-tracker.
Stack trace parsing has been improved using '# sourceURL='.
Internal finding attributes have been renamed: hook → type, type → tag.
Date format has been updated to use 'toLocaleString'.
Canaries are now encoded with base64 instead of using sha256 to improve performance.
Stopped using a custom sha256 implementation on https websites to avoid performance issues on most websites.
Internal data flow has been improved to always use actions.

Fixed

Small issue in stringify breaking some conversions (#41) (Thanks @vitorfhc).
New config creation had "removeHeaders" for no reason.
The GreHack workshop has been fixed based on the recent update (i.e., custom hooking handling).
Fixed a bug regarding custom hooking which was crashing in getTargets with null/undefined objects (#44) (Thanks @abdilahrf).
The Chromium devtools 'desync' has been fixed. It should no longer be required to close / reopen devtools to update the data on Chromium.
Fixed a bug which was blocking multiple custom attribute hookings on the same object.
Forced default value on the datatable to ensure no errors are created in case of weird postMessages.

Påkravde løyve: