Cyboware

Security testing toolkit for web pages. Inspect headers, cookies, JWT tokens, request data, and run common reconnaissance checks.

As of June 2026, Cyboware has 8 users in the Developer Tools category.

Users: 8 (no change, 0%)
Rating: no change (0%), — reviews
Reviews: no change (0%)
Version: 2.5.1 (Manifest V3)

History

6 snapshots

Tracking since May 4, 2026.

[Chart: history from May 4, 2026 to Jun 9, 2026]
Date           Users  Rating  Reviews  Version
May 4, 2026    -      -       -        2.5.1
May 9, 2026    -      -       -        2.5.1
May 21, 2026   2      -       -        2.5.1
May 27, 2026   4      -       -        2.5.1
Jun 3, 2026    5      -       -        2.5.1
Jun 9, 2026    4      -       -        2.5.1
Now            8      -       -        2.5.1

Changelog

  • May 9, 2026
    description
    Cyboware is a bug bounty toolkit that runs in your browser sidebar. Open it, pick a tab, and start hunting. No accounts, no API keys, no telemetry.
    Built for bug bounty hunters, penetration testers, and security researchers who want one workspace instead of fifteen browser tabs.
    RECON AND FINGERPRINTING
    
    Tech Stack Profiler: identifies the CMS, framework, CDN, and JavaScript libraries running on a page, with version numbers where available
    Security Headers Audit: grades 8 critical response headers from A to F
    Cookie Inspector: lists every cookie with per-cookie copy, full Cookie header, and JSON export
    Subdomain Enumeration: queries certificate transparency logs with a fallback source, handles rate limits gracefully
    Request and Response Viewer: shows the full HTTP pair including cookies and auth headers, plus an editable request builder and Copy as cURL
    DNS Lookup: resolves A, AAAA, MX, TXT, NS, and CNAME records over DoH
    WordPress Plugin Scanner
    Directory Bruteforcer: tests over 60 sensitive paths across 8 categories
    
    PAGE ANALYSIS
    Secret Scanner: 33 regex patterns covering common cloud, payment, messaging, and AI provider tokens across loaded JavaScript
    Endpoint Extractor: parses scripts for API paths, REST routes, GraphQL operations, and WebSocket URLs
    Hidden Element Revealer: surfaces hidden inputs, display:none nodes, disabled fields, data attributes, and HTML comments, with a one-click highlight on the page
    Link Harvester: pulls internal links, external links, sensitive file extensions, and email addresses
    JavaScript Beautifier: opens any minified script with proper indentation, copy, and download
    
    ACTIVE TESTING
    Request Replayer: keeps the last 50 XHR or fetch calls, lets you edit and replay any of them, Copy as cURL
    CORS Tester: probes for misconfigured Access-Control-Allow-Origin with credentials
    Open Redirect Tester: scans 13 common redirect parameter names
    Encode and Decode Workbench: Base64, URL, HTML entities, hex, JWT, ROT13, and Unicode escape with swap and copy
    Parameter Fuzzer: nine vulnerability classes including XSS, SQL injection, NoSQL injection, template injection, path traversal, command injection, SSRF, prototype pollution, and CRLF, with response context for every payload
    403 Bypass Tester: 25 header and path techniques
    HTTP Method Tester: compares response bodies across methods to detect servers that ignore the verb
    JWT Editor: decodes header and payload, checks expiry, and re-signs with alg none or the original algorithm
    
    WORKFLOW
    Scope Manager: define in-scope domains and see a green or red indicator in the header for the current tab
    Bug Notes: per-domain markdown notes with save, copy, and export
    Browse History: per-domain URL log with copy and JSON export
    Screenshot: capture the visible tab and download as PNG
    
    SMART FEATURES
    Passive Vulnerability Hints: flags reflected parameters, open redirects, JSONP endpoints, postMessage listeners, and version disclosure
    Wayback Machine: 30 most recent archive snapshots with direct links
    Response Diff: fetches the same URL with different headers or cookies and shows a line-by-line comparison
    CSP Evaluator: parses Content-Security-Policy, grades it, and flags unsafe directives, wildcards, and known CDN bypasses
    Subdomain Takeover Checker: resolves CNAMEs across enumerated subdomains and matches them against 27 vulnerable service fingerprints
    IDOR Detector: scans URL parameters and XHR requests for numeric IDs, UUIDs, and Mongo ObjectIDs
    
    SITE MAP
    Proxy-history-style capture across all tabs
    Cross-subdomain aggregation by root domain
    Captures script chunks loaded after login
    Bulk-scan all captured JavaScript for secrets
    Endpoint tree grouped by host
    
    LIVE BROWSE
    Click Start, then browse normally. Every page load triggers a passive scan for secrets, endpoints, weak cookies, exposed source maps, and form-handling issues
    Deduplication only surfaces new findings
    Per-domain isolation so switching targets does not mix data
    Export findings as a text report or JSON
    
    UX
    Full URL context bar that updates in real time
    Pin mode locks the sidebar to one tab while you browse others
    Per-domain session pills with auto-clear on switch and instant restore on switch back
    Collapse and expand all sections
    Copy All Report builds a formatted text summary across every tool
    Per-tool Copy and JSON export
    Error log dropdown in the footer
    Persistent scratchpad
    
    DESIGN
    Editorial Vox-inspired layout with Instrument Serif display, DM Sans body, and DM Mono monospace
    Clean and quiet rather than another neon hacker theme
    
    PRIVACY
    Everything runs locally in your browser
    No accounts, no required API keys
    No telemetry, no analytics
    Open source
    
    github.com/Cyboghostginx
    Cyboware is a browser sidebar toolkit for bug bounty hunters, penetration testers, and security researchers; one workspace instead of fifteen tabs. 
    
    It bundles recon and fingerprinting (tech stack profiler, security header audit, cookie inspector, subdomain enumeration via CT logs, DNS lookup, directory bruteforcer, WordPress scanner), page analysis (secret scanner with 33 regex patterns, endpoint extractor for REST/GraphQL/WebSocket, hidden element revealer, link harvester, JS beautifier), and active testing (request replayer with Copy as cURL, CORS tester, open redirect scanner, parameter fuzzer covering 9 vuln classes, 403 bypass tester, HTTP method tester, JWT editor, and a full encode/decode workbench).
    
    Smart features include passive vulnerability hints, CSP evaluator, subdomain takeover checker against 27 service fingerprints, IDOR detector, response diff, and Wayback snapshots. A proxy-history-style site map captures requests across tabs and aggregates by root domain, while Live Browse runs passive scans on every page load with deduplication and per-domain isolation. Workflow tools — scope manager, per-domain bug notes, browse history, screenshots, and a persistent scratchpad — keep findings organized. 
    
    Everything runs locally in your browser. No accounts, no API keys, no telemetry. Open source.
    
    https://github.com/Cyboghostginx/cyboware

Permissions & access

Permissions: sidePanel, tabs, activeTab, cookies, webRequest, storage, contextMenus
Host access: <all_urls>

Technical

Version: 2.5.1
Manifest: V3
Size: 128KiB
Min Chrome: 88
Languages: 1
Featured: No

Metadata

ID: fjfigbagfmkobldcbndboccgipmobhel
Developer ID: ucd3557251b7218c281d643596a5de9c2
Developer Email: [email protected]
Created: May 3, 2026
Last Updated (Store): May 5, 2026
Last Scraped: Jun 9, 2026
Website

Data sourced from the Chrome Web Store · last verified Jun 9, 2026.