This is a Chrome/Firefox Extension that can do the following:
- For hosts that are in scope:
  - Show an alert for any query parameters that are reflected (and identify "sus" parameters).
  - Write details of reflected parameters to the browser console.
  - Copy details of reflected parameters to the user's clipboard.
  - Show the Wayback Archive endpoints for the path visited (in browser console).
  - Show any hidden elements on the page.
  - Enable any disabled elements on the page.
- Provide a context menu (regardless of whether the extension is active or the host is in scope) to:
  - Open a new tab to show Wayback endpoints for the current domain.
  - Show any hidden elements on the page (even if the extension isn't enabled to do so automatically).
  - Enable any disabled element on the page (even if the extension isn't enabled to do so automatically).
  - Open a new tab to show the Google Cache version of the current page.
  - Open a new tab to show the FOFA search results for the current domain.
  - Create a word list from the contents of a page in a new tab (currently Chrome version only).
  - Add/Remove the current domain to the whitelist/blacklist.
- Visually indicate if the Wayback CDX Server API is not available (regardless of whether the extension is active).

The ability to show an alert for reflected parameters was inspired by a comment by @renniepak on Episode 42 of the Critical Thinking - Bug Bounty Podcast where he mentioned he had his own browser extension that let him know about any reflections.
The number of reflected parameters found is shown by a green badge on the extension icon. However, if any of the reflected parameter names are in one of the categories described in the "sus" parameters research by @Jhaddix and @G0LDEN_infosec, then the badge will be red. If there are any "sus" parameters, the categories will also be shown in the output to the console, alert box and clipboard, e.g. `boringParameter, query [XSS], path [LFI/RFI | SSRF | XSS]` (this is the same as the "sus" parameters identification in my GAP Burp Extension).
The ability to show hidden elements, and enable disabled elements, was inspired by this Tweet by Critical Thinking - Bug Bounty Podcast, and I initially created these as browser bookmarks.
The extension icon is normally shown with a black background, but if the icon appears with a red background, then it indicates that the Wayback CDX Server API is probably unavailable. Even if the main features are disabled, the extension will check the status of the API every 10 minutes.
IMPORTANT: When using tools like `waymore`, `waybackurls` or `gau` to get URLs from the Wayback archive, they use the CDX Server API. If the API is down, you will not be getting any data from the Wayback Machine, only other sources. Also, only `waymore` would let you know that there was a problem.
Clone this repo to your machine and then follow the instructions below, depending on whether you want to install on a Chrome or Firefox browser:
- Open the Extension Manager in Chrome by following: Kebab menu (three vertical dots) -> Extensions -> Manage Extensions
- If the developer mode is not turned on, turn it on by clicking the toggle in the top right corner.
- Now click on the Load unpacked button on the top left.
- Go to the directory where you have the `XnlReveal` folder and select it.
- The extension is now loaded. You can click on the extension icon in the toolbar, and then the pin icon to pin `Xnl Reveal` to your toolbar.

IMPORTANT: With Firefox extensions, you will need to load it each time you open Firefox.
- Go to `about:debugging` in a new browser tab.
- Click on the This Firefox heading on the left of the page.
- Click the Load Temporary Add-on... button under the Temporary Extensions heading.
- Navigate to the `Firefox` folder from the downloaded repo and select any file, and then click Open.
- The extension is now loaded. You can click on the extension icon in the toolbar, then click the Settings cog icon, and select Pin to Toolbar.

- Chrome: If you right click the `Xnl Reveal` logo in the toolbar and select Options, you will be taken to the Options page.
- Firefox: If you right click the `Xnl Reveal` logo in the toolbar and select Manage Extension, then click the Options tab to see the Options page.

You have the following options:
- `Canary token` - When requests are made to test for reflection of query parameters, this is the value of the parameter that is used and checked for.
- `Show alert box for reflections` - If this is selected, and `Show query parameter reflections` is selected on the Popup menu (see below), then a browser alert box will be displayed with details of any query parameters that reflect.
- `Copy reflection text to clipboard` - If this is selected, and `Show query parameter reflections` is selected on the Popup menu (see below), when parameter reflections are found, the details are put in the user's clipboard as well as shown in the console (and on an alert box if requested). This means that as soon as you see an alert box or details in the console, you can go to your notes and paste the details straight away. IMPORTANT: The browser may ask for the site's permission to interact with the clipboard. You need to accept this to use this functionality.
- `Param blacklist` - This is a comma separated list of parameter names (e.g. `param1,param2`) that you do not want to replace with the canary token to check if it reflects. This can be used when testing certain parameters causes problems, e.g. logging you out.
- `Check delay` - When a page is loaded, depending on settings, the extension will try to show hidden elements and enable disabled elements. However, sometimes parts of the page are loaded dynamically and they aren't in the original response. The extension will try to show and enable again after this delay (in seconds) after the page has initially loaded.
- `Wayback RegEx` - If the setting to write Wayback archive endpoints has been selected, then only Wayback endpoints that match the entered RegEx will be displayed in the console. If the field is left blank, then all Wayback endpoints are returned. IMPORTANT: Any RegEx entered will be treated as case insensitive.
- `Extension Scope` options:
  - `Whitelist` or `Blacklist` - This determines
  - `Host match word to add` - Enter a word that exists in the host name (or a full hostname) that you want to either whitelist or blacklist, and click the Add button to add to the scope list. For example, if you only want to run on Redbull pages, just add `redbull` and set as a whitelist.
  - `Add` - Add the entered word to the scope list.
  - `Remove selected` - Remove the selected word(s) from the scope list.
  - `Clear all` - Remove all words from the scope list.
- `Save` - If any options are changed, click this button to save them for future use.
- `Clear Saved URLs/Params` - If the extension is looking for reflected query parameters, then you don't want to keep getting alerted for the same URL/Parameter combinations, so those that have been reported are stored to prevent this. However, if you want to remove the memory of those, you can click this button to remove them. Similarly, we don't want to keep passing the same requests to the Wayback archive, so those are also stored, but can be cleared if this button is pressed.

If you click the `Xnl Reveal` logo in the toolbar, you will see a popup menu.
You have the following settings:
- `ENABLE REVEAL` - If this is not checked then the extension will do nothing. If checked then it will take certain actions on web pages visited (if they are in scope), depending on the other options set.
- `Show query parameter reflections` - If this is checked, then when a web page is visited that has any query parameters, a background request is made for each parameter, replacing each in turn with the Canary token from the Options page. If the token is found for any of the parameters in the response, then a message is written to the browser console giving you the URL and all the parameters on that page that were reflected. If the options are selected, these details can also be shown in a browser alert box and copied to the user's clipboard. The extension will also show a badge with the number of reflections found.
  NOTE: If there are many parameters, it can take some time to send all the requests and wait for the responses. A red status bar is displayed at the top of the page to let you know to wait. Also, if the page is dynamic, then these may not be found in the initial response and reported.
- `Write Wayback endpoints to console` - If this is checked, then for each location/path visited in the browser, endpoints will be retrieved from the Wayback archive and written to the console. Once a location/path has been sent to the Wayback API it will not be sent again, unless `Clear Saved URLs/Params` has been clicked.
- `Show hidden elements` - If this is checked, then any elements (excluding `img`, `span` and `div`) that are hidden will be shown. They will be shown with a red border and a label in red that gives some detail. Sometimes, if the page is dynamic, the elements may not be shown.
- `Enable disabled elements` - If this is checked, then any elements (excluding `img`, `span` and `div`) that are hidden will be shown. They will be shown with a red border and a label in red that gives some detail. Sometimes, if the page is dynamic, the elements may not be shown. You can always click the Run Now button to change the current loaded page.

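The reflection check described under `Show query parameter reflections`, together with the `Param blacklist` option and the saved URL/parameter memory, written out as an added example in JavaScript (not the extension's own code). The canary value, the function names and the injected `fetchBody` helper are assumptions made for illustration.

```javascript
// Added example, not Xnl Reveal's own source; every name and value here is hypothetical.
const CANARY = "xnlreveal";          // assumed "Canary token" option value
const PARAM_BLACKLIST = ["logout"];  // constructed "Param blacklist" entry
// Only the two "sus" names that appear in the page's sample output.
const SUS = new Map([["query", "XSS"], ["path", "LFI/RFI | SSRF | XSS"]]);

// Build one probe URL per query parameter, replacing each value in turn with the canary.
// Blacklisted parameters and URL/parameter pairs already reported (seen) are skipped.
function buildProbes(pageUrl, seen = new Set()) {
  const base = new URL(pageUrl);
  const probes = [];
  for (const name of new Set(base.searchParams.keys())) {
    const key = `${base.origin}${base.pathname}?${name}`;
    if (PARAM_BLACKLIST.includes(name) || seen.has(key)) continue;
    const probe = new URL(base);
    probe.searchParams.set(name, CANARY);
    probes.push({ name, key, url: probe.toString() });
  }
  return probes;
}

// Request each probe and collect the parameters whose canary comes back in the body.
// fetchBody(url) must resolve to the response text; in a browser it would wrap fetch().
async function findReflections(pageUrl, fetchBody, seen = new Set()) {
  const reflected = [];
  for (const { name, key, url } of buildProbes(pageUrl, seen)) {
    const body = await fetchBody(url);
    if (body.includes(CANARY)) {
      reflected.push(name);
      seen.add(key); // remembered so the same pair is not reported again
    }
  }
  return reflected;
}

// One line for console, alert box or clipboard, with the category added for "sus" names.
function formatReflections(names) {
  return names.map((n) => (SUS.has(n) ? `${n} [${SUS.get(n)}]` : n)).join(", ");
}
```

Passing the same `seen` set on later calls reproduces the behaviour that `Clear Saved URLs/Params` resets: a pair that has been reported is not probed again until the set is emptied.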
If you right click on a webpage, you will get the browser context menu, e.g. if you are on `example.com` and have Whitelist selected in the Options, you'll see this:
These options are available even if the `ENABLE REVEAL` option in the Popup Menu is not selected. There are 3 options you can choose from:
- `Get wayback endpoints` - If this is clicked, a new tab will be opened that will contain Wayback archive endpoints for the domain of the window it is clicked on. This isn't affected by any other settings and can be run even if the extension isn't enabled.
- `Show hidden elements` - This will show all hidden elements on the current page, in the same way as the `Show hidden elements` setting does, but the extension doesn't need to be enabled.
- `Enable disabled elements` - This will enable all disabled elements on the current page, in the same way as the `Enable disabled elements` setting does, but the extension doesn't need to be enabled.
- `Show Google cache version` - If this is clicked, a new tab will be opened that will open the Google Cache version of the current page. Even if a website is no longer available, Google will have a copy stored in its archives, and you can still access the cached page.
- `Show FOFA domain search` - If this is clicked, a new tab will be opened with FOFA showing the search results for `domain="{TARGET}"`, where `{TARGET}` is the domain of the active tab.
- `Create word list` CHROME ONLY AT THE MOMENT - If this is clicked, a word list will be created from the contents of the page and displayed in a new tab.
- `{Add|Remove} {HOST} {from|to} {whitelist|blacklist}` - Depending on whether the host name of the current tab is in the scope list already, and whether the option of whitelist or blacklist is selected, you will get a menu item to add/remove it. For example, if you are on https://www.redbull.com/gb-en/ and you have `Blacklist` selected on the Options page, and `redbull.com` is not in the scope list, you will see the context menu item of `Add redbull.com to blacklist`. IMPORTANT: If the menu item does not show the correct host, you may need to refresh the tab.

This browser extension isn't going to be perfect!
Sometimes the change of code can break a page. If you get a problem, unselecting a certain setting in the popup menu will reload the page and it may be okay again, and you'll just not be able to check.
There may also be some Errors that are shown in the Manage extension page in certain situations.
If you manually run an option from the context menu and nothing happens, you may need to refresh the page you are trying to run the option on and try again.
- Improve the UI more.
- Add the `Create word list` option to Firefox version.
- Allow the user to alter the Wayback API URL that gets called so exclusions can be edited.
- Look at registering the extension so you don't need to reload each time in Firefox.
- Try to fix the intermittent error of `Error copying to clipboard (NotAllowedError: Document is not focused.)`

If you come across any problems at all, or have ideas for improvements, please feel free to raise an issue on GitHub. If there is a problem, it will be useful if you can provide the exact URL you were on, and any console errors.
Good luck and good hunting!
If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)
🤘 /XNL-h4ck3r