Mozzarella


Eval Villain

When you enable Eval Villain (select the icon, then toggle the slider), "dangerous" functions such as `eval` are hooked at page load. Open the console (Ctrl+Shift+K) and reload the page. Every time one of the hooked functions is called, the call is printed to the console along with its arguments and a stack trace showing where it came from.

The popup menu and the Configure page (select the icon, then "Configure") control how EV formats its output. For example, you can add a "needle" and EV will highlight every call whose arguments contain that string or match that regular expression.
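A minimal sketch of the hooking and needle matching described above, added here as an illustration; it is not Eval Villain's own code. `SinkLog`, `hookFunction`, `hookSetter` and `FakeElement` are names chosen for this example, and `FakeElement` stands in for a DOM element because the snippet runs under Node rather than in a page.

```javascript
class SinkLog {
  // needles: strings (matched literally) or RegExps, like EV's needle highlighting
  constructor(needles = []) {
    this.needles = needles.map((n) => n instanceof RegExp
      ? n : new RegExp(n.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')));
    this.entries = [];
  }
  record(sink, args) {
    const text = args.map(String).join(' ');
    const hits = this.needles.filter((re) => re.test(text)).map((re) => re.source);
    // new Error().stack captures the caller chain; drop the header line and the hook's own frames
    const stack = new Error().stack.split('\n').slice(3).map((l) => l.trim());
    const entry = { sink, args: args.map(String), hits, stack };
    this.entries.push(entry);
    console.log(`[sink] ${sink}(${entry.args.join(', ')})`, hits.length ? `needle: ${hits}` : '');
    return entry;
  }
}

// Wrap a function-valued sink (eval, Function, setTimeout, ...). Returns a function that un-hooks.
function hookFunction(obj, name, log) {
  const original = obj[name];
  obj[name] = function (...args) {
    log.record(name, args);
    return original.apply(this, args); // behaviour unchanged, only observed
  };
  return () => { obj[name] = original; };
}

// Wrap an accessor sink (innerHTML, outerHTML, ...) on a prototype; the original setter still runs.
function hookSetter(proto, prop, log) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  Object.defineProperty(proto, prop, { ...desc,
    set(value) { log.record(`set ${prop}`, [value]); desc.set.call(this, value); } });
  return () => Object.defineProperty(proto, prop, desc);
}

// Constructed stand-in for a DOM element, since Node has no DOM; innerHTML is the watched sink.
class FakeElement { set innerHTML(v) { this.html = v; } }

// Demo: hook eval and innerHTML, then write constructed attacker-controlled input into the sink
function demo(tainted = '<img src=x onerror=alert(1)>') {
  const log = new SinkLog(['alert(', /onerror/i]);
  const unhooks = [hookFunction(globalThis, 'eval', log),
                   hookSetter(FakeElement.prototype, 'innerHTML', log)];
  new FakeElement().innerHTML = tainted; // flagged: both needles match the argument
  globalThis.eval('1 + 1');              // benign: logged with its stack, no needle hit
  unhooks.forEach((u) => u());
  return log.entries;
}
```

Running `demo()` logs two calls; only the `innerHTML` write is marked with needle hits, which is the signal you would chase when hunting a DOM XSS sink.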

Pentesters/Developers:
EV was created primarily to find DOM XSS. To learn more about DOM XSS and how EV helps find it, check out this video.

Malware:
EV typically discovers and exposes second stage JS automatically.

CSP:
Want a stronger CSP, but removing `unsafe-eval` breaks the site? Use EV to see where `eval` is being called and why.

Eval Villain's console warning for arbitrary CSS can be configured for each console group via the Configure page.