A pentesting tool designed to assist with finding all sinks and sources of a web
application and display these results in a digestible manner.
tracy should be used
during the mapping-the-application phase of the pentest to identify sources of input
and their corresponding outputs.
tracy can use this data to intelligently find
tracy is a browser extension and light-weight HTTP proxy that records all user input
to a web application and monitors any time those inputs are output, for example in a
DOM write, server response, or call to
For guides and reference materials about
tracy, see the documentation.
It is strongly recommended that you use a released version. Release binaries are available on the releases page. Download the appropriate release binary and run it:
```shell
# Run the proxy server and the tracer API. Pick the binary that works for your host.
$ ./tracy-linux-amd64
```
Once tracy is running and the plugin is installed, install the generated certificate into your browser's certificate store (the certificate is located in ~/.tracy/) and configure your browser to use the tracy proxy (localhost:7777).
The tracy binary and browser extension work together. Running one without the other will result in unexpected behavior.