Example Workflows
The simplest workflow requires the following elements:
- Tracy installed and running, following the documentation
With the browser set up with the tracy extension, map out the application as you normally would. This involves clicking buttons, signing up for accounts, and editing form fields. Basically, gather as much information about the features of the application as possible. While mapping the application, use tracy payloads to mark particular input fields as potential sources of taint. For example, when signing up for an account use the zzXSSzz payload as the first and last name. If you notice there is no input validation on the client side, try the GEN-XSS field to generate a payload.
After the application is mapped, open the tracy UI by clicking the extension logo and view the data that was collected. Identify any known vulnerable cases of XSS that tracy calls out, and verify any suspicious cases.
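The triage step above, as an added example that is not tracy's own code (tracy watches the live DOM from inside the extension; this script works on a saved server response instead). It scans an HTML string for a marker such as zzXSSzz and reports the context each copy landed in: text node, quoted attribute, bare attribute, comment, tag body or script block. The function names (`findMarkerContexts`, `needsManualCheck`) and the `SAMPLE_HTML` document are constructed for this example and are not part of tracy.

```javascript
// Added example (not tracy's code): locate a taint marker like "zzXSSzz" in
// server-rendered HTML and report the context each copy landed in. The context
// decides how much output encoding the application had to apply, so a marker in
// a script block, a bare attribute or a tag body is the case to verify by hand.

function findMarkerContexts(html, marker) {
  const hits = [];
  // States: text | tag | attr-dq | attr-sq | attr-bare | comment | script
  let state = "text";
  let tagName = "";
  let i = 0;
  while (i < html.length) {
    // The marker is recorded with whatever parser state we are in when we meet it.
    if (html.startsWith(marker, i)) {
      hits.push({ offset: i, context: state });
      i += marker.length;
      continue;
    }
    const c = html[i];
    switch (state) {
      case "text":
        if (html.startsWith("<!--", i)) { state = "comment"; i += 4; continue; }
        if (c === "<") {
          const m = /^<(\/?)([a-zA-Z][\w-]*)/.exec(html.slice(i));
          // "/script" for a closing tag so it never switches us into script state
          tagName = m ? m[1] + m[2].toLowerCase() : "";
          state = "tag";
          i += m ? m[0].length : 1;
          continue;
        }
        break;
      case "comment":
        if (html.startsWith("-->", i)) { state = "text"; i += 3; continue; }
        break;
      case "script":
        if (html.startsWith("</script", i)) { state = "tag"; tagName = "/script"; i += 8; continue; }
        break;
      case "tag":
        if (c === ">") { state = tagName === "script" ? "script" : "text"; i += 1; continue; }
        if (c === "=") {
          // An attribute value follows: double-quoted, single-quoted or bare.
          let j = i + 1;
          while (j < html.length && /\s/.test(html[j])) j += 1;
          if (html[j] === '"') { state = "attr-dq"; i = j + 1; continue; }
          if (html[j] === "'") { state = "attr-sq"; i = j + 1; continue; }
          state = "attr-bare"; i = j; continue;
        }
        break;
      case "attr-dq":
        if (c === '"') { state = "tag"; i += 1; continue; }
        break;
      case "attr-sq":
        if (c === "'") { state = "tag"; i += 1; continue; }
        break;
      case "attr-bare":
        if (/\s/.test(c)) { state = "tag"; i += 1; continue; }
        if (c === ">") { state = tagName === "script" ? "script" : "text"; i += 1; continue; }
        break;
    }
    i += 1;
  }
  return hits;
}

// Contexts where no quote or angle-bracket encoding stands between the marker
// and executable or structural HTML; these are the ones to verify manually.
function needsManualCheck(context) {
  return context === "script" || context === "tag" || context === "attr-bare";
}

// Constructed sample response: the same marker reflected into five contexts.
const SAMPLE_HTML = [
  "<html><body>",
  "<h1>Welcome, zzXSSzz</h1>",                 // text node
  '<input name="first" value="zzXSSzz">',      // double-quoted attribute
  "<a href=zzXSSzz>profile</a>",               // bare (unquoted) attribute
  "<!-- last name: zzXSSzz -->",               // HTML comment
  '<script>var user = "zzXSSzz";</script>',    // script block
  "</body></html>",
].join("\n");

function report(html, marker) {
  return findMarkerContexts(html, marker).map(
    (h) => `${marker} at offset ${h.offset}: ${h.context}` +
           (needsManualCheck(h.context) ? "  <-- verify by hand" : "")
  );
}

console.log(report(SAMPLE_HTML, "zzXSSzz").join("\n"));
```

Run it with `node` on a saved response (replace `SAMPLE_HTML` with the page body) to get one line per reflected copy of the marker. The "verify by hand" lines correspond to the suspicious cases the workflow above asks you to confirm; a marker reported in a text node or quoted attribute still needs a look at whether the characters around it were encoded.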