So PyProxy is a mostly operational death star, able to successfully sit between any website and the browser. One of the latest additions I made was the following inject for HTML payloads:
<script>
// Log every document.write call, then pass it through unchanged.
(function(){
    var original = document.write;
    document.write = function(arg1){
        console.group("document.write");
        console.log("doc.write: " + arg1);
        console.groupEnd();
        original.apply(document, arguments);
    };
}());
// Replace window.Image with a wrapper that logs each URL assigned to .src.
(function(){
    var truImage = Image;
    window.Image = function(width, height){
        try{
            this.root = new truImage(width, height);
            this.__defineSetter__("src", function(val){
                console.log("New Image @ " + val);
                this.root.src = val;
            });
        }catch(Err){
            console.log("New Image Err");
        }
    };
}());
</script>
It’s abomination code, yes, but it is also extremely useful for further illuminating what exactly is going on in the time prior to document.onLoad, plus it exposes image beacons generated using JavaScript Image objects… something that normally doesn’t show up anywhere in the DOM, hence I don’t believe FireBug or Chrome inspector panels can report it.
Normally to get something like this into a website would require adding it into development, which then opens the risk of it slipping into production.
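A variant of the Image hook, added here as an example and not part of PyProxy: instead of replacing `window.Image`, it wraps the inherited `src` setter, so `instanceof`, `onload`/`onerror` and `width`/`height` keep working and images made with `document.createElement("img")` are logged too. The names `instrumentImage`, `makeFakeScope`, `demo` and the `tracker.example` URLs are assumptions made up for this sketch, and the fake `Image` exists only so it runs outside a browser.

```javascript
// Wrap the `src` setter that Image instances inherit and record each URL.
// `scope` is the global to instrument (window in a page); `log` is an array.
function instrumentImage(scope, log) {
  let proto = scope.Image.prototype;
  let desc;
  // Walk up the prototype chain to whichever object owns the `src` accessor.
  while (proto && !(desc = Object.getOwnPropertyDescriptor(proto, "src"))) {
    proto = Object.getPrototypeOf(proto);
  }
  if (!desc || !desc.set) throw new Error("no src setter found to wrap");
  Object.defineProperty(proto, "src", {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(val) {
      log.push(String(val));     // record the beacon URL
      desc.set.call(this, val);  // then let the real request happen
    },
  });
  // Return an undo function so the hook can be removed cleanly.
  return function restore() { Object.defineProperty(proto, "src", desc); };
}

// Constructed stand-in for the browser's Image so the sketch runs under Node.
function makeFakeScope() {
  const requested = [];
  class FakeImage {
    constructor(width, height) { this.width = width; this.height = height; }
    get src() { return this._src; }
    set src(v) { this._src = v; requested.push(v); }
  }
  return { Image: FakeImage, requested };
}

function demo() {
  const scope = makeFakeScope();
  const beaconLog = [];
  const restore = instrumentImage(scope, beaconLog);
  const img = new scope.Image(1, 1);
  img.src = "https://tracker.example/pixel.gif?id=42"; // constructed URL
  restore();
  new scope.Image().src = "https://tracker.example/after-restore.gif";
  return { beaconLog, requested: scope.requested,
           isImage: img instanceof scope.Image, src: img.src };
}
```

In a page the call would be `instrumentImage(window, beaconLog)`; URLs set through `setAttribute("src", ...)` bypass the property setter and are not recorded by this hook.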
The functional beta of PyProxy should be released this weekend if I don’t go on a bender.