About this extension

Description:

DOMLogger++ is a browser extension developed for web developers and security researchers. It hooks into specific JavaScript sinks, helping users understand how web scripts operate. With customizable JSON settings, users can adjust how the extension works according to their needs.

This tool is especially useful for those looking to identify security risks in web applications. By offering insights into JavaScript interactions, DOMLogger++ can help spot potential vulnerabilities in websites.

Features:

- [x] Regex-based domain management.
- [x] Flexible hooking configuration (class, function, attribute, event).
- [x] Regex-based hooks arguments and stack trace filtering (match, !match, matchTrace, !matchTrace).
- [x] Dynamic regex generation (exec:).
- [x] Dynamic sinks arguments update (hookFunction).
- [x] Customizable notifications system (alert, notification).
- [x] Required hook logging condition (requiredHook).
- [x] On-demand debugging breakpoints.
- [x] Integrated Devtools log panel.
- [x] Response headers filtering.
- [x] Remote logging via webhooks.
- [x] Extensive theme customization.

Rate your experience

Report this add-on

Release notes for 1.0.6

### Added

- New configuration files (postMessage & leverage-xss.json) are available in the configs folder (it will be improved soon).
- A new globals root key is associated with the domlogger.globals variable for execCode shortcut.
- A new onload root key is used to execute code after the extension loads.
- New matchTrace and !matchTrace directives have been added to the config root key, allowing filtering based on the sink's stack trace ([#13](https://github.com/kevin-mizu/domloggerpp/issues/13)) (Thanks [jonathann403](https://github.com/jonathann403)).
- Hooked functions and classes are now available in domlogger.func for execCode usage to avoid DoS due to recursive hook/usage.
- The domlogger.update.thisArg property can be used within the hookFunction directive to overwrite the thisArg value.
- A new full-screen mode has been added in DevTools ([#20](https://github.com/kevin-mizu/domloggerpp/pull/20)) (Thanks [xanhacks](https://github.com/xanhacks)).
- New tooltips have been added to the popup and DevTools icons ([#23](https://github.com/kevin-mizu/domloggerpp/pull/23)) (Thanks [xanhacks](https://github.com/xanhacks)).

### Updated

- The frames column now properly describes which frames the sink has been found in (e.g., top.frames[1].frames[0]).
- The RegExp.prototype.toJSON method has been overwritten to properly log the regex value instead of {}.
- Arguments passed in the exec: directive are no longer stringified, making their usage easier.
- The exec: and hookFunction directives now have 3 parameters: thisArg, args, and target.
- The CSPT config has been updated to work properly with the new updates.

### Fixed

- The DevTools tab should work better now; I'll aim to completely fix it in the next release.
- Fixed a bug that was blocking URLSearchParams.prototype.get from being hooked ([#15](https://github.com/kevin-mizu/domloggerpp/pull/15)) (Thanks [matanber](https://github.com/matanber)).
- Stopped using crypto.subtle, which isn't exposed over HTTP (making the extension unavailable in that case) ([#14](https://github.com/kevin-mizu/domloggerpp/issues/14)) (Thanks [FeelProud](https://github.com/FeelProud)).
- The "Add Current eTLD+1" button in the popup now properly handles public eTLDs (e.g., .co.uk) and IPs ([#17](https://github.com/kevin-mizu/domloggerpp/issues/17)) (Thanks [xnl-h4ck3r](https://github.com/xnl-h4ck3r)).
- Unicode characters in the config should no longer cause the extension to crash.
- The hookFunction directive should now be working properly.
- The extension should no longer crash if the config root key is absent.
- The UI for the "Remove Headers" settings has been fixed ([#19](https://github.com/kevin-mizu/domloggerpp/issues/19)) (Thanks [xanhacks](https://github.com/xanhacks)).

Used by