A pentesting tool designed to assist with finding all sinks and sources of a web
application and display these results in a digestible manner.
tracy should be used
during the mapping-the-application phase of the pentest to identify sources of input
and their corresponding outputs.
tracy can use this data to intelligently find
tracy is a browser extension that records all user input
to a web application and monitors any time those inputs are output, for example in a
DOM write, server response, or call to
For guides and reference materials about
tracy, see the documentation.
Tracy is now only a browser extension! No more binaries, just download it from the Chrome or Firefox store.
And that's it! As long as tracy is installed in your browser, you are ready to find XSS. There is no longer any requirements to configure a proxy or certificates.