Tracy - Chrome Web Store
Item media 2 screenshot
Item video thumbnail
Item media 2 screenshot
Item video thumbnail
Item video thumbnail
Item media 2 screenshot


A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.

There are many different ways to trigger XSS, especially considering the large number of frontend frameworks that have been made popular in the last few years. For example, some of the less traditional ways of exploiting XSS can be through: * DOM clobbering * DOM injection * Frontend template injection * Backend template injection * Open redirects These attack vectors are significantly different than traditional stored and reflected XSS cases and they require new tools for finding them effectively. Many similar tools only look for server response reflection, however this is not very helpful if all output encoding is performed by the frontend. In order to really gain knowledge about all the true sinks of the application, we need a tool that grants us "X-ray vision into the DOM". This extensions was written with the goal of eliminating XSS by assisting a penetration tester in identifying every source of input into an application and following that input to all of its sinks. These cases are documented and stored as references that can be used to identify the locations of potentially risky input.

4 out of 52 ratings

Google doesn't verify reviews. Learn more about results and reviews.

Review's profile picture

Mistah MarkMay 16, 2021

Initial Review: ---------------- Installs cleanly, loads fine, however there is not comphrensive documentation (yet) to explain what exactly its doing to help pentest a site. Very cryptic desc. of its functions. I will report back once i learn some more but you should have a very firm handle on XSS before using this

Review's profile picture

Emmanuel OdotaJul 28, 2019

Quite the tool to look for XSS...a must have tool

1 person found this review to be unhelpful


  • Version
  • Updated
    May 21, 2021
  • Offered by
  • Size
  • Languages
    English (United States)
  • Developer
    Jake Heath
    1007 Eagle Avenue Alameda, CA 94501 United States
  • Non-trader
    This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.


The developer has disclosed that it will not collect or use your data.

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes
Google apps