Tracy: because tracing user input through JS is for tools

Presented at THOTCON 0x9 (2018), May 4, 2018, 3:30 p.m. (25 minutes)

Being able to comprehend causal relationships between sources of user input and their corresponding output separates the master web hacker from the novice script kiddie. The better a tester can grasp these relationships, the faster they can abuse lapses in output encoding, identify dangerous patterns, and understand the overall attack surface of an app. However, enumerating these relationships is difficult and time-intensive to do by hand, especially with JavaScript-heavy apps. Security scanning tools have tried to automate this procedure, but they face several problems in modern web apps. Intercepting proxies, like Burp Suite, support tracking user taint between HTTP requests and responses. Yet they still fail when it comes to tracking taint within complex client-side JavaScript. All of these problems stem from the popularity of frontend frameworks and the lack of tooling to address how these frameworks manipulate user input. To solve these problems, we need a tool that augments, not automates, a manual penetration tester by helping them understand all of the inputs and outputs of a web app. To this end, we present Tracy, a tool for assisting penetration testers with enumerating every sink of output for all user input sources. Tracy is composed of three parts: a browser extension that monitors the DOM, a lightweight HTTP proxy that generates input-unique "tracers", and a SQLite database with a React web interface to visualize the data. Tracy boils down the intricacies of a web app to a set of user inputs and their corresponding outputs. NCC Group uses Tracy internally to find instances of DOM XSS on web app assessments. We've found in practice that Tracy is highly effective at discovering several classes of vulnerabilities that are time-intensive and challenging to detect manually, including complex DOM XSS, XSS that results from mishandling user input through many levels of JavaScript, template injection, and more.


Presenters:

  • Jake Heath
    Jake Heath is a penetration tester with NCC Group, familiar with performing web application, network, and hardware penetration tests.
  • Michael Roberts
    Michael Roberts is a penetration tester with NCC Group. Michael performs web and mobile application and network penetration tests, and has a passion for virtual reality and machine learning outside of work. Michael holds a bachelor's degree in computer and information technology from Purdue University.