Example Workflows
The simplest workflow requires the following elements:
- A browser with configurable proxy settings
- Tracy installed and running, as described in the documentation
With the browser set up to proxy through tracy and tracy listening, map out the application as you normally would. This involves clicking buttons, signing up for accounts, and editing form fields. Basically, gather as much information about the features of the application as possible. While mapping the application, use tracy payloads to mark particular input fields as potential sources of taint. For example, when signing up for an account use the zzXSSzz payload as the first and last name. If you notice there is no input validation on the client side, try the GEN-XSS field to generate a payload.
After the application is mapped, open the tracy UI and view the data that was collected. Identify any known vulnerable cases of XSS that tracy calls out, and verify any suspicious cases.
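The workflow above relies on tracer strings: a recognisable marker is submitted in an input, and every later response is scanned for that marker so the tester can see where the input lands. The script below is an added illustration of that idea, not tracy's own code: it generates tracer strings in a constructed `zz<8 hex>zz` format (tracy's real tracer format is not assumed here), scans an HTML body built inline for this example, and classifies each reflection as text, attribute or script context, which is what decides how much the reflection matters and how it should be encoded.

```python
import re
import secrets

# Constructed tracer format for this example (not tracy's internal format):
# "zz" + 8 hex characters + "zz", e.g. zz1a2b3c4dzz.
TRACER_RE = re.compile(r"zz[0-9a-f]{8}zz")


def make_tracer() -> str:
    """Return a fresh, unguessable tracer string in the constructed format."""
    return "zz" + secrets.token_hex(4) + "zz"


def classify_context(body: str, idx: int) -> str:
    """Classify where position idx of body sits: 'attribute', 'script' or 'text'.

    Attribute: inside a tag, i.e. the last '<' before idx has no closing '>'.
    Script: the nearest unclosed tag before idx is <script>.
    Text: anything else (ordinary element content).
    """
    before = body[:idx]
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    # Walk the tags before idx backwards, matching </script> against <script>,
    # so a tracer after a closed script block is not mis-classified.
    pending_closes = 0
    for closing, name in reversed(re.findall(r"<(/?)([A-Za-z]+)", before)):
        if name.lower() != "script":
            continue
        if closing:
            pending_closes += 1
        elif pending_closes == 0:
            return "script"
        else:
            pending_closes -= 1
    return "text"


def find_reflections(tracers: list[str], body: str) -> dict[str, list[str]]:
    """Map each tracer to the contexts in which it is reflected in body.

    A tracer that never appears maps to an empty list, i.e. not reflected.
    """
    result: dict[str, list[str]] = {}
    for tracer in tracers:
        contexts = [classify_context(body, m.start())
                    for m in re.finditer(re.escape(tracer), body)]
        result[tracer] = contexts
    return result


# Constructed sample response, standing in for a page captured by the proxy.
SAMPLE_TRACERS = [
    "zz1a2b3c4dzz",  # reflected in element text
    "zzdeadbeefzz",  # reflected inside an attribute value
    "zzcafebabezz",  # reflected inside an inline script
    "zz12345678zz",  # reflected in text after a closed <script> block
    "zz00000000zz",  # submitted but never reflected
]
SAMPLE_BODY = (
    '<html><body><h1>Welcome zz1a2b3c4dzz</h1>'
    '<input name="q" value="zzdeadbeefzz">'
    '<script>var n = "zzcafebabezz";</script>'
    '<p>Last search: zz12345678zz</p></body></html>'
)


def report(tracers: list[str], body: str) -> list[str]:
    """Human-readable summary lines, one per tracer, for the tracy-style UI step."""
    lines = []
    for tracer, contexts in find_reflections(tracers, body).items():
        where = ", ".join(contexts) if contexts else "not reflected"
        lines.append(f"{tracer}: {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACERS, SAMPLE_BODY)))
```

Script and attribute contexts are the ones worth checking first, since output encoding that is adequate for element text is not adequate there; a tracer that is never reflected still tells you nothing about stored sinks on other pages, which is why mapping the whole application matters.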
The tracy proxy does not require Burp, but it is intended to be used during the initial documentation phase of a web application penetration test. It is likely that Burp will be used throughout the engagement, so proxying Burp through the tracy proxy allows the tester to retain all the information collected during the mapping-the-application phase. It also allows for using Burp to inject tracer strings into tailored inputs, such as headers, Intruder payloads, Repeater tabs, and hidden form fields, which would otherwise be difficult from the web application UI.

To proxy Burp through the tracy proxy, do not configure the browser to use the tracy proxy in this case. Instead, as normal when using Burp, configure the web browser to proxy its HTTP traffic through the desired Burp listening port, then in Burp use the upstream proxy to forward all traffic to the tracy proxy. To do this, in Burp at User options -> Upstream Proxy Servers add a rule with Destination host set to * pointing to the tracy proxy. [See the docs](https://support.portswigger.net/customer/portal/articles/2363078-burp-suite-options-upstream-proxy-servers) for more on Burp upstream proxy servers.