Following the execution: Taint-tracing in the JS environment

In our previous article we discussed data-flow tracing, i.e. following a piece of data as it travels through the JS environment of a page.

In this article we're going to concern ourselves with tracing the execution flow of the page.

Imagine this scenario: either via manual or automated testing we managed to identify an input vulnerable to XSS. Wouldn't it be nice if we could track exactly that vulnerability came to be?

Well, we're going to soon find out.

The methodology isn't that much different from data-flow tracing, the only difference is that we're going to be using a little bit more of SCNR's infrastructure to have our XSS payload ping it and thus get a stacktrace.


Suppose you have a web application like this:

ruby tmp/articles/taint_tracer/server.rb -o


You now have to create a simple script like so:

./bin/scnr_script tmp/articles/taint_tracer/script.rb

To get this result:

How cool is this?

We were able to trace both the data and the execution flows for this particular vulnerability, closing in on it from both sides.

Older post Newer post

Leave a comment

Please note, comments must be approved before they are published