ojpilaklfjcfpehafidhijapphckbbbo
Trufflehog-PingPwn scans web pages and referenced resources for common secret patterns (API keys, tokens, private keys, webhook URLs) so you can identify accidental exposures quickly. Scanning and detection are performed entirely in your browser; this extension does not send findings to any remote server. Use the popup to review findings, clear them, or download a CSV of results. This extension tries to brings the scanning & Detection capabilities of well known Trufflehog to browser in real time scanning. Key features: - Detects generic API keys, specific provider tokens, and common secret formats. - Optionally checks for `.env` files and `.git` directories (may trigger server protections). - Shows per-origin findings with a badge count and in-popup listing. - Local-only storage of findings using the browser's storage; no remote transmission. Core Detection Features: - Detects API keys, tokens, private keys, and webhook URLs on web pages - Scans referenced resources (external scripts, .env files, .git directories) - Recognizes patterns from 30+ secret providers. - Supports generic secret patterns (API keys, database credentials, passwords) - Base64-encoded secret detection with automatic decoding - Real-time scanning as you browse UI & User Experience: - Clean, intuitive popup interface with toggle controls - Badge count on toolbar showing findings per origin - Per-origin findings list with detailed match information - One-click clearing of findings (current origin or all) - CSV export for audit trails and compliance reporting - Origin-based filtering and deny list to skip specific domains - Local notification alerts for critical findings (e.g., .git directories) - Customizable detection rule toggles (turn on/off specific categories) Privacy statement: All scanning and analysis occurs locally inside the browser. No findings, page contents, or extracted secrets are transmitted to external servers. The extension uses `chrome.storage.sync` to store settings and detected findings on your browser; you can clear stored findings via the popup.
HackBar
A browser extension for Penetration Testing * Supported * HTTP methods * GET * POST * application/x-www-form-urlencoded * multipart/form-data * application/json * Request editing mode * Basic * Raw * Custom payload * For more information, please visit https://github.com/0140454/hackbar/blob/master/README.md * XSS * Vue.js XSS payloads * Angular.js XSS payloads for strict CSP * Some snippets for CTF * Html encode/decode with hex/dec/entity name * String.fromCharCode encode/decode * Helper function for converting payload with `atob` For more information, please visit https://github.com/0140454/hackbar#third-party-libraries
DIRFOX - Endpoint Fuzzer for Pentesters
Fuzz endpoints using custom or GitHub-hosted wordlists. Built for security researchers and pentesters. 🔍 DIRFOX – Endpoint Fuzzer for Pentesters Discover hidden endpoints effortlessly, built for professionals. Dirfox is a lightweight yet powerful browser extension designed for penetration testers, bug bounty hunters, and cybersecurity enthusiasts. With a sleek Apple-style interface and real-time scanning capabilities, Dirfox helps you uncover hidden directories and endpoints from any website — fast, accurate, and efficiently. 🚀 Key Features : ✅ Custom & GitHub Wordlist Support Use your own wordlists or fetch popular ones directly from GitHub. 📡 Live Scanning with Status Code Filtering Watch your scan progress in real time and filter results by HTTP status codes (200, 403, 404, etc.). 🧠 Persistent Background Scanning Close the popup or switch tabs — your scan keeps running in the background without interruption. 📊 Auto-Save 200 OK Results Successful results are automatically saved and available in the scan history. 🌗 Modern Apple-style UI with Dark Mode Enjoy a clean, responsive interface with smooth transitions and a dark/light mode toggle. 🛠️ Full Scan Control Start, stop, or restart your scan anytime with intuitive controls. 🧩 Fullscreen Monitoring Mode Track scans in an immersive fullscreen view — perfect for focused workflows. 🧼 Clear History Button Easily delete all scan history with a single click. ❤️ Built-in Author Page & Support Links Learn more about the developer, explore other tools, and support the project directly from the extension. 🔒 Why Dirfox? Dirfox isn't just another endpoint scanner — it's a must-have tool that gives you: - Faster, smarter endpoint fuzzing. - Real-time feedback with clean visual progress. - Auto-saved results for efficient analysis. - A smooth, elegant user experience inspired by Apple-style design. Perfect for CTFs, bug bounty programs, and professional pentesting projects. 💡 Ready to uncover the hidden? 📥 Install Dirfox now and take your recon to the next level.
OWASP Penetration Testing Kit
The OWASP Penetration Testing Kit (PTK) browser extension is your all-in-one solution for streamlining your daily AppSec tasks. Whether you’re a penetration tester, a Red Team member, or an AppSec practitioner, OWASP PTK enhances your efficiency and provides deep insights into your target application. Runtime Scanning (DAST & IAST & SAST & SCA): Perform Dynamic Application Security Testing, Static Analysis, In-Browser IAST and Software Composition Analysis on the fly. Identify SQL injection, command injection, reflected/stored XSS, SQL auth bypass, XPath injections, JWT attacks, and other complex threats. Static Analysis (SAST): PTK automatically parses loaded JavaScript, HTML, and CSS right in your browser—before any code ever runs. It flags unsafe patterns like `eval()`, `innerHTML`/`outerHTML` injection, insecure cryptographic calls, missing input sanitization, and common anti-patterns. In-Browser IAST (Interactive Application Security Testing): PTK’s built-in IAST engine instruments your app at runtime—right in the browser—tracking taint flows and code execution to flag vulnerabilities as they occur. Catch issues like DOM-based XSS, unsafe `eval`/`innerHTML` usage, open-redirects, and more without leaving your dev tools. JWT Inspector: Analyze, craft, and tamper with JSON Web Tokens. Generate keys, test null signatures, brute-force HMAC secrets, and inject malicious `jwk`, `jku`, or `kid` parameters. Insightful Application Info: One-click visibility into tech stacks, WAFs, security headers, crawled links, and authentication flows. Built-in Proxy & Traffic Log: Capture all HTTP(S) traffic, replay requests in R-Builder, and automate XSS, SQLi, and OS command injection. R-Builder for Request Tampering & Smuggling: Craft and manipulate HTTP requests, including complex request-smuggling techniques. Now with cURL import/export. Cookie Management: Add, edit, remove, block, protect, export, and import cookies from a powerful in-browser editor. Decoder/Encoder Utility: Instantly convert between UTF-8, Base64, MD5, URL-encode/decode, and more formats. Swagger.IO Integration: Browse and interact with API endpoints directly from your Swagger documentation. Selenium Integration: Shift left security by running automated Selenium tests with built-in vulnerability checks. Enhance your AppSec practice with PTK—the extension that makes your browser smarter and your testing faster. Install today and start uncovering vulnerabilities in real time!
S3BucketList
S3BucketList automatically scans network requests made by your browser to detect Amazon S3 bucket URLs In penetration testing, searching for S3 Buckets can be a exhaustive task, which requires you to filter, search, and check for every S3 bucket urls. This extension does all that work for you while you browse the internet. It will instantly notify you, automatically filter buckets, and lists all the permission it was able to extract, even tell you what buckets are unclaimed.
