FoxyProxy is an advanced proxy management tool that replaces Firefox's limited proxy capabilities. It automates the process of editing Firefox's connection settings, making setup with Burp Suite a one-click operation.
- Firefox
- Chrome
Firefox Multi-Account Containers lets you separate parts of your online life into color-coded tabs. Cookies are isolated by container, allowing you to use multiple accounts and integrate Mozilla VPN for added privacy. This helps in testing for broken access control issues.
- Firefox
- Chrome
PwnFox is a Firefox/Burp extension providing useful tools for security audits. Features include:
- Single-click Burp Proxy
- Container Profiles
- PostMessage Logger
- Toolbox Injection
- Security Header Remover
For a power combo, pair it with Burp Suite to find broken access control issues.
- Firefox
HackTools is an all-in-one extension for web pentesting, including cheat sheets and tools such as:
-
Dynamic Reverse Shell Generator (PHP, Bash, Ruby, Python, Perl, Netcat)
-
Shell Spawning (TTY Shell Spawning)
-
MSF Venom Builder
-
XSS Payloads
-
Basic SQLi Payloads
-
Local File Inclusion Payloads (LFI)
-
Data Encoding
-
Obfuscated Files or Information
-
Hash Generator (MD5, SHA1, SHA256, SHA512, SM3)
-
Useful Linux Commands (Port Forwarding, SUID)
-
RSS Feed (Exploit DB, Cisco Security Advisories, CXSECURITY)
-
CVE Search Engine
-
Various Methods of Data Exfiltration and Download from a Remote Machine
-
Firefox
-
Chrome
Wappalyzer identifies web technologies used by websites. It detects CMS, frameworks, ecommerce platforms, JavaScript libraries, and more, helping you spot outdated technologies.
- Firefox
- Chrome
Shodan is a search engine for servers connected to the internet. This add-on retrieves data from Shodan.io about the current website, showing general information and open ports.
- Firefox
- Chrome
DotGit checks if .git is exposed on visited websites, a gold mine for bug bounty hunters and pentesters. DotGit is a powerful extension for quickly checking if a website has exposed its .git directory. It helps identify potential misconfigurations that may reveal sensitive information and source code.
Features:
- Check for
.git,.svn, or.hgfolders - Check for
.envfiles - Check if the site is open source (GitHub/GitLab)
- Check for
security.txt - Notifications for folder discoveries
- List and download exposed
.gitfolders - View
.git/configwith one click - Customizable options for colors, notifications, and downloads
Tip: By default, SVN, Mercurial, and dotenv checks are disabled. Activate them in settings.
- Firefox
- Chrome
Cookie-Editor allows you to create, edit, and delete cookies for the current tab. Useful for developing, testing, or managing cookies manually, it helps find vulnerabilities such as session cookie invalidation.
- Firefox
- Chrome
S3 Bucket List helps find Amazon S3 buckets by recording them while browsing. Misconfigured S3 buckets are common targets.
- Firefox
Hackbar is a tool for pentesting web security on Chrome and Firefox. Features include:
-
Load, split, and execute URLs from the address bar
-
Customize referrer URLs, User Agents, and cookies
-
Tools for MD5, SHA1, SHA256, ROT13 encryption, URL encoding, Base64 encoding, JSON beautification, SQL, and XSS
-
Firefox
-
Chrome
Hunter finds email addresses from any website with one click. It provides email addresses, names, job titles, social networks, and phone numbers, sourcing data from public domains.
- Firefox
- Chrome
Modify Header Value allows you to add, modify, or remove HTTP request headers for all requests to a specific website or URL. Useful for app developers, website designers, and testing specific headers.
- Firefox
- Chrome
Retire.js scans web apps for vulnerable JavaScript libraries, helping you detect outdated components with known vulnerabilities.
- Firefox
- Chrome
Temp Mail provides a temporary, secure, anonymous email address, protecting your real inbox from spam, advertising, and attacks.
- Firefox
- Chrome
Open Multiple URLs lets you open a list of URLs or extract URLs from text, making it easy to validate mass hunt results.
- Firefox
- Chrome
Broken Link Checker finds broken (404) and redirected (301, 307, 308) links on all frames. Ideal for finding bounties by taking over broken social media handles.
- Firefox
- Chrome
Ahrefs SEO Toolbar is a good alternative.
JSON Formatter makes JSON data easy to read, helpful for testing AEM.
- Firefox
- Chrome
Trufflehog is a Chrome extension designed to uncover sensitive data by scanning for API keys and credentials on visited websites. It helps identify potential security risks associated with leaked or improperly stored information.
- Chrome:
Altair is a feature-rich GraphQL client for all platforms, simplifying the querying of GraphQL servers and allowing you to specify headers.
- Firefox
- Chrome
YesWeHack VDP Finder identifies if visited sites have vulnerability disclosure programs by checking domains against an offline FireBounty database and displaying available security.txt.
- Firefox
- Chrome
Fake Filler populates all input fields on a page with randomly generated fake data. It’s a productivity booster for developers and testers working with forms.
- Firefox
- Chrome
Blackbox lets you quickly copy text from videos and images, useful for extracting code from coding videos, live calls, and CTF challenges.
- Chrome
BuiltWith profiles websites to list all the technologies used on a page. It’s an alternative to Wappalyzer.
- Firefox
- Chrome
iMacros automates repetitive web tasks. Record tasks like filling out web forms, downloading files, extracting text and images, and replay them with a single click.
- Firefox
- Chrome
Firefox Relay generates email aliases that forward to your real inbox, helping to protect your real email address from hackers and unwanted mail. Useful for bug bounty hunting and signing up for free trials.
- Firefox
Bulk URL Opener is useful for opening multiple URLs simultaneously, saving time when handling subdomains or other similar scenarios.
- Chrome:
- Firefox:
Mitaka helps search for information related to IP addresses, domains, URLs, hashes, and more, simplifying the intelligence gathering process during reconnaissance.
- Chrome:
- Firefox:
This extension beautifies CSS, JavaScript, and JSON files, making code more readable and aiding in efficient code analysis during bug hunting.
- Chrome:
- Firefox:
Trufflehog is a Chrome extension designed to uncover sensitive data by scanning for API keys and credentials on visited websites. It helps identify potential security risks associated with leaked or improperly stored information.
- Chrome:
NoRedirect helps bypass admin panels by allowing navigation past redirect barriers. While it may not work with newer browser versions, it's compatible with Cyberfox or older versions of Firefox.
- Firefox:
- Cyberfox: