2 changes: 1 addition & 1 deletion blog/2021-12-01-the-eval-villain-add-on/index.html
Expand Up @@ -155,7 +155,7 @@ <h1 class="text--white">The Eval Villain Add-on</h1>
<h2 id="eval-villain-quick-start">Eval Villain Quick Start <a class="header-link" href="#eval-villain-quick-start"><svg class="fill-current o-60 hover-accent-color-light" height="22px" viewBox="0 0 24 24" width="22px" xmlns="http://www.w3.org/2000/svg"><path d="M0 0h24v24H0z" fill="none"/><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" fill="currentColor"/></svg></a></h2>
<p>To get started with Eval Villain launch Firefox from ZAP, select the Eval Villain icon on the top right hand side of Firefox, click the enable switch and reload the current web page. Now open the Firefox developer tools and go to the console there you should see a message at the top like &ldquo;[EV] Functions hooked for &laquo;url&raquo;&rdquo;. This means Eval Villain is loaded and is working for the current URL. If there are DOM interactions you may see more in the page, and if you see other messages in red you may have already found DOM XSS!</p>
<p>More likely that&rsquo;s not the case, so let&rsquo;s fake an interaction just to see what it’s like. For the sake of example, let&rsquo;s put something into <code>eval</code> and see if Eval Villain can catch it. You can quickly experiment with Eval Villain by typing into the console.</p>
<p>Imagine the website uses <code>eval</code> to pop an alert box and welcome you to the site. Try typing this into the console: <code>eval(‘alert(&quot;welcome to the website&quot;))</code>. You’ll see the alert box work, but you’ll also get a notification from Eval Villain. If you expand all the console groups, you should see something like this:</p>
<p>Imagine the website uses <code>eval</code> to pop an alert box and welcome you to the site. Try typing this into the console: <code>eval(‘alert(&quot;welcome to the website&quot;))</code>. You’ll see the alert box work, but you’ll also get a notification from Eval Villain. If you expand all the console groups, you should see something like this:</p>
<p><img src="images/ev_first.png" alt="Eval Villain start"></p>
<p>Eval Villain notified you that the hooked function <code>eval</code> was used. You can see the argument passed to eval was <code>alert(&quot;Welcome to the website!&quot;)</code>, and a stack trace shows where the function was called. The top two functions in the stack trace are actually a part of Eval Villain—but they are left in to make everything transparent and debuggable.</p>
<p>The above result is not considered <em>interesting</em> by Eval Villain because the argument to <code>eval</code> did not contain a <em>needle</em> or something from a common DOM XSS source. Let&rsquo;s make it <em>interesting</em> by including a <em>needle</em>. A <em>needle</em> is similar to canaries in DOM Invader but with Eval Villain you can watch for multiple <em>needles</em> at once. They can also include regular expressions, which can help overcome encoding (e.g. <code>/needle(&lt;|&amp;gt;|%3c)/gi</code>). Any time a hooked function receives input containing a <em>needle</em>, Eval Villain will mark it <em>interesting</em> and highlight it. Eval Villain comes pre-configured with the <em>needle</em> &ldquo;asdf&rdquo;, so you can try out the <em>needle search</em> by typing into the console <code>eval('alert(&quot;Welcome Back User: asdf&quot;);');</code>. You should see something like this:</p>
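Review bot: the console snippet in the changed paragraph still reads `eval(‘alert("welcome to the website"))`, with a typographic opening quote (U+2018) and no closing quote at all, so pasted into the Firefox console it throws a SyntaxError and never reaches the hooked `eval`, which defeats the point of the walkthrough. The next paragraph also reports the captured argument as `alert("Welcome to the website!")`, which does not match the snippet's lowercase, unpunctuated text. Suggest `eval('alert("Welcome to the website!")')`, so that the snippet, the described argument and the later needle example `eval('alert("Welcome Back User: asdf");');` all use the same straight-quote form and produce the output the text describes.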