
Submitted by Style Pass, 2024-11-18 17:00:05

EV dramatically simplifies the discovery of many, otherwise difficult, DOM XSS vulnerabilities. EV can also be used to simplify the reverse engineering or debugging of JavaScript.

Turn it on, open the console (Ctrl+Shift+K), and browse some sites as normal. Eval Villain will inject its own henchmen into the page to keep an eye on some of the more nefarious JavaScript functions. When one of those functions is called, a notification will appear in the console. If it is of particular interest, it will be highlighted and formatted more strongly.

Important: You must refresh the web page you are testing after every single configuration change for that change to take effect.

EV works by injecting a script into the page at load time. To limit the potential for a visited site to attack EV, EV does not have any further communication with the page after it is injected.
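The hooking idea described above, as an added sketch that is not Eval Villain's own code: it wraps sink functions on a scope object, reports every call, and marks a call as interesting when its arguments contain a watched string. The names `installHooks`, `needles` and `report`, the rule for what counts as interesting, and the sample URL are assumptions made for this example.

```javascript
// Added illustration, not Eval Villain's source. installHooks, needles and
// report are hypothetical names; the "interesting" rule is an assumption.
function installHooks(scope, sinkNames, needles, report) {
  const originals = {};

  function inspect(sink, args) {
    // Stringify defensively: a hook must never throw into the page's own code.
    const text = args.map((a) => {
      try { return String(a); } catch { return "[unprintable]"; }
    }).join(",");
    const hits = needles.filter((n) => text.includes(n));
    report({ sink, text, interesting: hits.length > 0, hits });
  }

  for (const name of sinkNames) {
    const original = scope[name];
    if (typeof original !== "function") continue;
    originals[name] = original;
    // A Proxy covers both plain calls (eval(x)) and constructor calls (new Function(x)).
    scope[name] = new Proxy(original, {
      apply(target, thisArg, args) {
        inspect(name, args);
        return Reflect.apply(target, thisArg, args);
      },
      construct(target, args, newTarget) {
        inspect(name, args);
        return Reflect.construct(target, args, newTarget);
      },
    });
  }
  // Returns an undo function so the scope can be put back as it was.
  return () => { for (const n of Object.keys(originals)) scope[n] = originals[n]; };
}

function demo() {
  const events = [];
  // Constructed sample input: a URL whose parameter later reaches a sink.
  const url = new URL("https://app.example/page?cb=marker1337&x=1");
  const needles = [...url.searchParams.values()].filter((v) => v.length >= 4);
  // Stand-in for window so the real globals stay untouched.
  const fakeWindow = { eval: globalThis.eval, Function: globalThis.Function };
  const restore = installHooks(fakeWindow, ["eval", "Function"], needles, (e) => events.push(e));
  fakeWindow.eval("1 + 1"); // logged, not interesting
  const fn = new fakeWindow.Function("return '" + url.searchParams.get("cb") + "'");
  const fnResult = fn(); // the hooked sink still behaves as before
  restore();
  return { events, fnResult, restored: fakeWindow.eval === globalThis.eval };
}
```

In a browser the `report` callback would write to the console; here it collects events so the result can be inspected.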

Most of the popup menu just lets you turn options on or off. EV itself can be enabled or disabled here. This should be pretty self-explanatory. The only things unique to this menu are the "Enable/Disable" and "Auto Open" menus. Everything else can also be configured from the configuration page. You can get to the configuration page by clicking "configure" in the popup menu.