Eval Villain: Simplifying DOM XSS and JS Reversing - Dennis Goodlett BSides Cleveland 2019 (Hacking Illustrated Series InfoSec Tutorial Videos)

Eval Villain: Simplifying DOM XSS and JS Reversing
Dennis Goodlett

JavaScript cruft is growing faster than my ability to read. Since I can't read every line of code, I need tools to find important lines. Eval Villain is a web extension for Firefox that hooks native JavaScript functions *before* the page loads so that you will be notified every time a function is called. Eval Villain has discovered instances of DOM XSS that only appear in 1 of 100 page loads. It makes the reversing of malicious, second-stage encrypted JavaScript code trivial. I plan on walking through all the features of this tool using examples. To follow along, bring a computer that can run Firefox.

Formerly an award-winning published professional magician, Dennis gave up his mediocre career as a mediocre street performer to join Hurricane Labs as a penetration tester in 2013. He has yet to be fired.



If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast