Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | The end is the beginning
Pentest Browser Add-ons
FoxyProxy

FoxyProxy is the essential proxy switcher extension for Chrome/Firefox, letting you toggle between Burp, ZAP, or custom proxies with patterns for seamless traffic routing in pentests. Configure rules for domains or URLs, saving patterns for quick swaps without manual edits. Open-source from ericlaw, it's the proxy pilot for pentesters navigating tools without config chaos.

HackBar

HackBar is the Burp-inspired toolbar for manual pentesting, encoding/decoding payloads and crafting requests with URL builders for quick XSS or SQLi tests in the browser. Right-click forms for injection points, tweaking params with base64 or hex without leaving the page. Open-source from the community, it's the toolbar tinkerer for web hackers streamlining exploits.

Wappalyzer

Wappalyzer fingerprints web tech like CMS and JS frameworks passively from headers and DOM, revealing stacks for targeted vuln scans in recon phases. View its sidebar on sites for version hints, exporting lists for Nuclei templates. Open-source from AliasIO, it's the tech tracker for pentesters mapping attack surfaces from fingerprints.

ModHeader

ModHeader lets you inject or edit HTTP headers like User-Agent or Referer on the fly, testing auth bypasses or CORS misconfigs with presets for quick swaps. Save profiles for scenarios like mobile spoofing, applying with a click during sessions. Open-source from modheader, it's the header hacker for auditors templating request mutations.

Bug Magnet

Bug Magnet generates Burp-style payloads for fuzzing forms and params directly in the browser, testing for XSS or SQLi with right-click injections. Select inputs, choose sets like OWASP, and validate reflections without proxies. Open-source from PortSwigger, it's the payload placer for web explorers spotting vulns on the spot.

Retire.js

Retire.js scans loaded JS for known vulnerable libs like old jQuery, alerting on CVEs with remediation links for quick dep audits in client-side recon. Click its icon on sites for reports, exporting for static checks. Open-source from RetireJS, it's the lib lifeguard for pentesters spotting chainable flaws in frontend stacks.

Cookie-Editor

Cookie-Editor manages and edits session cookies for testing fixation or hijacking, exporting/importing for replay in auth bypass scenarios. View domains in its popup, tweaking flags like HttpOnly for vuln simulations. Open-source from mkuijjer, it's the cookie curator for auditors tampering with session state.

User-Agent Switcher

User-Agent Switcher spoofs browser strings for UA-based recon or bypasses, testing mobile/desktop restrictions with presets or custom entries. Select profiles in the popup, reloading for instant changes in sessions. Open-source from ray-lothian, it's the identity impostor for pentesters masking fingerprints.

Requestly

Requestly intercepts and modifies requests/responses for header tampering or redirects, simulating CORS or auth flaws in browser-based tests. Create rules in its popup for params or URLs, applying during dev sessions. Open-source from requestly, it's the request reshaper for web devs debugging security configs.

OWASP ZAP HUD

OWASP ZAP HUD overlays ZAP's scanner in the browser for on-the-fly XSS or SQLi tests, fuzzing inputs with payloads during live navigation. Enable via extension, proxying traffic for inline alerts. Open-source from OWASP, it's the heads-up hacker for pentesters probing sites without full proxies.
