Test web apps for XSS, SQL Injection, File Inclusion, support login and CSRF. Developers, QA, Pen Testers
HackTab is a web vulnerability testing application in your browser. When enabled for a targeted domain It watches all communication between your browser and the site you are testing and it identifies each parameter and data type for each parameter. This allows HackTab to re-create any communication between your browser and the target domain and test all HTTP parameter inputs to the application. Hacktab only tracks requests to domains you target and includes watermarks on pages it is tracking.
HackTab currently tests for Reflected Cross Site Scripting, Persistent XSS, SQL Injection, Local File Includes and Cross Site Request Forgery. It is blazingly fast and can handle most web forms including forms with CSRF protection.
* please report!
Cross Site Request Forgery
MySQL Injection - sleep()
MS SQL Injection - wait for()
Generic SQL Injection - and 1=2
Local File Inclusion
Q: Does HackTab monitor all of my web traffic?
A: No. HackTab ONLY monitors traffic to domains you target in it's configuration and ONLY when enabled
Q: Does HackTab scan the site when I target it?
A: No. HackTab only sends tests for the parameters you target and only sends the tests that you have selected when you scan that single parameter. All tests are manually triggered.
Q: Where are the tests run from?
A: The tests are run directly from your web browser.
Q: What permissions does HackTab require?
A: HackTab requires permission to send HTTP requests to targeted domains and also read the responses from those targeted domains.
Q: Does HackTab store any information about vulnerabilities?
A: No. All site data is stored in your local Chrome extension. HackTab uses Google Analytics to store usage data. This includes number of tests run and which features users are using. No site information or identifying information is used or stored anywhere outside of your web browser.
added support for Persistent XSS !
fixed a bug when counting vulnerabilities on parameters
fixed a bug displaying different urls with same parameter names
improved error handling and logging
various other bug fixes
added testing for CSRF vulnerability
added flag for server state
added success and failure strings
bug fix when testing single parameter
bug fix when deleting a url
replaced watermark logo for tracked pages
removed verbose logging
removed dead code
decreased footprint of content scripts
Fully redesigned UI
Ability to save scans
Ability to load scans
Test entire hosts
Test entire URLS
Improvements in testing CORS headers
Prerequisites for CSRF plugin
Various bug fixes
Added watchdog timer to handle stuck plugins
Improved support for filtered requests, firewalled hosts and timeouts
Fixes for CORS requests. Now updates Origin HTTP header and sets the Origin to the HTTP Host header value.
Added several new fields including number of requests set per test, test time and a sample test URL
Several bug fixes around analytics logging.
Included new feedback form in popup so users can leave feedback about new features
reduced analytics overhead
test probes are now sent from web workers greatly improving performance and responsiveness!
reduced debug logging
several small bug fixes
fix for auto detecting CSRF token regular expressions
fixed edge case that could cause probe requests to be logged when scanning many parameters at once
fixed crash logging
updated API DNS
Fully redesigned interface.
Single threaded to prevent requests from interfering with each other
New "current domain" target button allows for easily selecting the current domain
Improved internal storage lowers memory footprint
Many bug fixes
More consistent output
0.9.17: * support for sending cookies with test data. * Fix spinner when testing MySQL and MSSQL. * Rename MS and My SQL vulnerability types for better clarity.