From a61010b24cbb9d6f6703122ba216af6424c6b21d Mon Sep 17 00:00:00 2001 From: zapbot <12745184+zapbot@users.noreply.github.com> Date: Sat, 13 Sep 2025 15:43:09 +0000 Subject: [PATCH] Update site content From: zaproxy/zaproxy-website@9a335cb3a6d8cdacaf98677a32e197ecb5613128 Signed-off-by: zapbot <12745184+zapbot@users.noreply.github.com> --- blog/2021-12-01-the-eval-villain-add-on/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog/2021-12-01-the-eval-villain-add-on/index.html b/blog/2021-12-01-the-eval-villain-add-on/index.html index 8d1391c173..a7efcba657 100644 --- a/blog/2021-12-01-the-eval-villain-add-on/index.html +++ b/blog/2021-12-01-the-eval-villain-add-on/index.html @@ -155,7 +155,7 @@
To get started with Eval Villain launch Firefox from ZAP, select the Eval Villain icon on the top right hand side of Firefox, click the enable switch and reload the current web page. Now open the Firefox developer tools and go to the console there you should see a message at the top like “[EV] Functions hooked for «url»”. This means Eval Villain is loaded and is working for the current URL. If there are DOM interactions you may see more in the page, and if you see other messages in red you may have already found DOM XSS!
More likely that’s not the case, so let’s fake an interaction just to see what it’s like. For the sake of example, let’s put something into eval and see if Eval Villain can catch it. You can quickly experiment with Eval Villain by typing into the console.
Imagine the website uses eval to pop an alert box and welcome you to the site. Try typing this into the console: eval(‘alert("welcome to the website")). You’ll see the alert box work, but you’ll also get a notification from Eval Villain. If you expand all the console groups, you should see something like this:
Imagine the website uses eval to pop an alert box and welcome you to the site. Try typing this into the console: eval(‘alert("welcome to the website")’). You’ll see the alert box work, but you’ll also get a notification from Eval Villain. If you expand all the console groups, you should see something like this:

Eval Villain notified you that the hooked function eval was used. You can see the argument passed to eval was alert("Welcome to the website!"), and a stack trace shows where the function was called. The top two functions in the stack trace are actually a part of Eval Villain—but they are left in to make everything transparent and debuggable.
The above result is not considered interesting by Eval Villain because the argument to eval did not contain a needle or something from a common DOM XSS source. Let’s make it interesting by including a needle. A needle is similar to canaries in DOM Invader but with Eval Villain you can watch for multiple needles at once. They can also include regular expressions, which can help overcome encoding (e.g. /needle(<|>|%3c)/gi). Any time a hooked function receives input containing a needle, Eval Villain will mark it interesting and highlight it. Eval Villain comes pre-configured with the needle “asdf”, so you can try out the needle search by typing into the console eval('alert("Welcome Back User: asdf");');. You should see something like this:
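Review bot: the `+` line only restores the missing closing `’` in `eval(‘alert("welcome to the website")’)`, but the outer delimiters are still typographic curly quotes, so a reader who copies the snippet into the Firefox console as instructed gets a SyntaxError rather than the alert box and the Eval Villain notification the text promises; use straight quotes, as the later example in this same hunk already does (`eval('alert("Welcome Back User: asdf");');`), i.e. `eval('alert("welcome to the website")')`. The trailing context paragraph also reports the captured argument as `alert("Welcome to the website!")`, which does not match the string the reader is told to type (capitalisation and the trailing `!`); aligning the two would let readers compare their console output against the text without a mismatch.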