Hi,

First of all, I enjoyed your talk at SecuirytFest! Great talk. ❤️

I just tried that Chrome extension for the first time and on two different applications, I'm getting "Request URL Too Long" error from the application's web server because of one of the tests.
Is that a known issue? How can we make the tool to complete all its tests without being stopped with this error?

Thanks!

HI !
I have a false positive on every site I visit when I use your extension.

VM16:55 Tainted postMessage call: [object Object], https://www.google.fr/?t4inT3d.param=t4inT3d.value%22%27%3ch1%3Elol#!//t4inT3d.hash%22'%3ch1%3Elol
addWarning @ VM16:55

Not a bug; just a suggestion, as we've had similar ideas to detect DOM XSSes.

Since TTT is a Chrome extension, and is a tool for pentesters/bughunters, you might use Trusted Types default policy instead of hijacking all the sinks in JavaScript. Essentially, something along those lines:

if (window.TrustedTypes && !TrustedTypes.getPolicyNames().includes('default')) {
  TrustedTypes.createPolicy('default', {
    createHTML: (s) {
      if (isTainted(s)) {
         throw; //  The callstack can give you the sink. 
      }
       return s; // not tainted, just let the app use the sink.
    },
    // same for other createXYZ.    
  });
} else {
 // existing sink hooking logic
}

There's a few caveats (the API shape might change, it will work for now only if "Experimental web platform features" flag is enabled, we don't support XHR as a sink etc.), but this might be more elegant way to cover the DOM XSS sinks for your use case. See also w3c/trusted-types#131 as the default policy will soon have more context when invoked.

cc @engelsdamien who had a very similar idea and a rudimentary proof of concept.