HackTools++ brings Burp Suite-style security testing directly into Chrome DevTools. Capture, edit and replay HTTP requests, fuzz endpoints, scan for secrets and CVEs — all without installing a proxy or certificate.
8 integrated security tools that work together without leaving Chrome DevTools.
Capture any HTTP/HTTPS request, edit method, URL, headers and body, then replay it instantly. Multi-tab support with full request history.
Fuzz any parameter in the URL, headers, or body. Mark injection points with §payload§ markers and run automated attacks with custom payloads.
Encode and decode data in multiple formats instantly. Inspect JWT payloads without leaving DevTools.
Automated passive + active security checks against the loaded page. No manual steps — findings appear automatically as you browse.
Passively fingerprint the technology stack from captured network traffic. Map detected versions to known CVEs locally — no API calls needed.
Real-time local scanning of runtime JavaScript and API responses for leaked credentials. 50+ signature rules covering every major provider.
Specialized passive audit for WordPress sites. Detect plugins, themes, versions and known CVEs from captured traffic.
Instant endpoint analysis and security test suggestions based on the selected request. Pattern-matched locally, no data leaves your browser.
Real demos showing how to use each tool for security testing.
How to capture, edit and replay HTTP requests inside Chrome DevTools.
Setting up payload positions and running automated fuzzing attacks with Intruder.
Automatically detecting leaked secrets and CVEs from runtime JavaScript assets.
No proxy setup, no certificates, no configuration files.
Add HackTools++ from the Chrome Web Store. It's free and takes under 10 seconds.
Press F12 or Cmd+Option+I on any page. Click the HackTools++ tab.
Navigate or refresh. Requests are captured automatically in the left panel.
Click any request, edit it, replay it, send it to Intruder, or wait for Scanner to flag issues automatically.
Features actively planned or in development. Roadmap is updated with each release.
Detect GraphQL endpoints, introspect schemas, and test queries for IDOR, injection, and excessive data exposure.
Record and replay multi-step request chains. Ideal for testing auth flows, CSRF, and session management.
One-click export of captured requests and findings into Burp Suite XML or Postman collection format.
Write and import your own YAML-based detection rules for the client-side scanner and secret detector.
Side-by-side comparison of two responses to spot subtle differences in IDOR, access control, and A/B test bypasses.
Validate API responses against OpenAPI / Swagger specs. Flag undocumented endpoints and schema violations automatically.
fetch() from the extension context — which has host_permissions for all URLs. No proxy, no certificates, no system configuration needed.
Free forever. No proxy. No setup. Just open DevTools and go.
Add to Chrome — Free