Fuzz endpoints, scan for secrets, replay requests — all inside Chrome DevTools. No proxy to configure. No certificates to install. No account to create. Just open DevTools and start testing.
8 integrated security tools that work together without leaving Chrome DevTools.
Capture, edit, and replay any request in seconds. Grab any HTTP/HTTPS request from the page, modify the method, URL, headers, or body, and fire it again. Work across multiple tabs with full history.
Fuzz parameters at scale without leaving your browser. Mark injection points with §payload§ markers, load a wordlist or number range, and fire up to 20 concurrent requests. Spot anomalies instantly in the results table.
Decode, encode, and inspect tokens instantly. Convert between Base64, URL, Hex, and HTML entities in one click. Inspect JWT payloads without leaving DevTools.
Audit client-side security in one click. Automated passive and active checks run as you browse — missing headers, insecure storage, DOM XSS patterns, CORS misconfigurations, and more. Findings appear instantly, no manual steps required.
Know what's running and what's vulnerable. Passively fingerprint frameworks, libraries, and versions from network traffic. Map every detection to known CVEs using a local database — no external API calls.
Find leaked credentials before attackers do. Scans every response in real time for API keys, tokens, and credentials across 50+ patterns. Everything runs locally in your browser — nothing leaves your machine.
Full WordPress recon without external tools. Enumerate plugins, themes, and core version from captured traffic. Map every detection to known CVEs and scan custom endpoints with your own wordlists.
Get test suggestions tailored to each endpoint. Select any request and get instant analysis — endpoint purpose, risk classification, and specific security tests to run. 100% local pattern matching, no data leaves your browser.
Real demos showing how to use each tool for security testing.
How to capture, edit and replay HTTP requests inside Chrome DevTools.
Setting up payload positions and running automated fuzzing attacks with Intruder.
Automatically detecting leaked secrets and CVEs from runtime JavaScript assets.
No proxy setup, no certificates, no configuration files.
Add HackTools++ from the Chrome Web Store. Free, under 10 seconds, no account needed.
Open DevTools (F12), click the HackTools++ tab, and navigate. Every request is captured automatically.
Open any captured request in Repeater. Change the method, headers, body — then replay it instantly.
Send to Intruder to fuzz with wordlists. Secret Scanner and CVE Detector run automatically in the background. Export findings as JSON or CSV.
Features actively planned or in development. Roadmap is updated with each release.
Detect GraphQL endpoints, introspect schemas, and test queries for IDOR, injection, and excessive data exposure.
Record and replay multi-step request chains. Ideal for testing auth flows, CSRF, and session management.
One-click export of captured requests and findings into Burp Suite XML or Postman collection format.
Write and import your own YAML-based detection rules for the client-side scanner and secret detector.
Side-by-side comparison of two responses to spot subtle differences in IDOR, access control, and A/B test bypasses.
Validate API responses against OpenAPI / Swagger specs. Flag undocumented endpoints and schema violations automatically.
fetch() from the extension context — which has host_permissions for all URLs. No proxy, no certificates, no system configuration needed.
Fast recon and fuzzing without the overhead of Burp Suite. Capture, test, and report — all from your browser.
A lightweight companion for quick engagements. Replay requests, scan for secrets, and detect CVEs on the fly.
Run security checks during code review and QA. Catch exposed API keys and missing headers before they reach production.
Learn web application security hands-on. No complex proxy setup — just install and start exploring real-world patterns.
Free forever. No proxy. No setup. Just open DevTools and go.
Add to Chrome — FreeNo account required. No permissions beyond DevTools. Uninstall anytime.