Releases: nccgroup/tracy
Major version bump
- Now using webpack to bundle resources
- Updates to database schema to improve performance
- Fixes to UI for better event navigation
- Performance updates to the DOM MutationObserver for sites that make large amounts of DOM requests
Version Bump
- Updates all `postMessage` calls to `CustomEvents`
- Replaced `MutationObserver` callbacks with `requestAnimationFrame` callbacks to improve performance on pages with large numbers of DOM writes
- Adding the pathname to the location spots where zzXSSzz and zzPLAINzz payloads can be replaced
- Updates to how forms are submitted and modified. All tracy payloads can now capture screenshots effectively!
Version Bump
0.8 manifest version bump
Version Bump
Maintenance Update
- Fixing a couple of bugs related to how we identify tracers in Blob types
- Fixed a bug where strings were not matched if the case didn't match
- UI bugs (some styles and project related problems)
- No longer storing full DOM writes. Some pages were very very large and the entire write is not necessarily needed. If people find this to be a problem let me know. Maybe we can introduce a setting to control how much of the DOM writes the user cares about.
Major Release
Tracy is now purely an extension!!
It no longer requires a binary or proxy configuration. Install tracy from either the Firefox or Chrome extension store and you are ready to begin finding XSS. Click the tracy icon to view the UI. Throughout the migration, lots of things were changed and fixed, so I am not going to log them here. The main things are the extension migration and a UI update. Tracy also shows the screenshot of the input source.
Version Bump
News!
This is probably the final version of tracy with a proxy. We are currently migrating away from the whole proxy model and moving everything into the browser extension. We found that a lot of people had issues with the setup and it turns out that maintaining pretty much a fully functioning proxy is a pain. In the future, all of the proxy code will no longer be needed as those features can be performed in the browser extension. If you enjoyed the proxy workflow, speak now or forever hold your peace.
The new flow will still have an API and database. The API will always be able to run locally; however, we hope to have a database on the internet for easy setup. The next release should hopefully be as easy as installing the extension and beginning to trace. We also hope to have a new UI and support for team tracing.
Updates:
- Add a small caching layer to make things a bit faster for people with larger databases
- UI printout of memory for people concerned about tracy taking up too much memory
- Request/Response size cap. Please don't put tracy payloads in requests larger than 1MB
- Updates to the extension to fix CORB issues
- Probably other things
Version Bump
Updates:
- Lots of bug fixes related to proxying traffic and CONNECT requests
- Minor UI fixes for different screen types until the next UI comes out
Version Bump
Updates:
- Last release before new UI
- Performance of the server; reduction of two open ports to one
- Tracy records screenshots of input
- Stacktraces are stored for calls to innerHTML for better debugging
- Right-click auto-fill functionality works
- Minor bug fixes
Major Version Bump
Updates:
- New right-click context menu for injecting tracers
- New projects feature that allows switching, deleting, and adding new project files
- Notifications from the UI, which allow Tracy to alert the tester when exploitable XSS cases are discovered
- Simulated click events when UI injects so apps behave properly
- Auto-fill feature is now available in the extension settings
- Web UI takes settings from extension when they are loaded in the browser, otherwise a settings input field is displayed that allows users to change the host and port of the server
- Reasons have been attached to severity ratings
- Drop-down for tracer payloads got a small style update
- New tests and performance improvements
Minor version bump
Updates:
- Bug fixes with the UI not properly assigning severity
- Bug fixes with DOM events triggering for JSON data
- Bug fix with websocket in plugin not properly reconnecting
- Test suite added for common package to test severity and accuracy of DOM writes