HackBar

Name: HackBar
Rating: 4.24 (55 reviews)
Author: 0140454

A browser extension for Penetration Testing

As of June 2026, HackBar has 80,000 users and a 4.24/5 rating from 55 reviews in the Developer Tools category.

0140454 Developer Tools★ Featured

Chrome Web Store ↗.crx

Users0%

80.0K

80,000

Rating+0.5%

4.24

55 reviews

Reviews+1.9%

Version

1.2.8

Manifest V3

History

2 snapshots

Tracking since May 3, 2026.

View as table

Date	Users	Rating	Reviews	Version
May 3, 2026	80.0K	4.22	54	1.2.8
Jun 3, 2026	90.0K	4.24	55	1.2.8
Now	80.0K	4.24	55	1.2.8

Permissions & access

Permissions: storagescriptingwebRequestdeclarativeNetRequest
Host access: *://*/*

Screenshots

About

## Contributor

- 0140454
  - GitHub: https://github.com/0140454
- lebr0nli
  - GitHub: https://github.com/lebr0nli
- boylin0
  - GitHub: https://github.com/boylin0
- HSwift
  - GitHub: https://github.com/HSwift

## How to open it?

1. Open "Developer tools" (Press F12 or Ctrl+Shift+I)
2. Switch to "HackBar" tab
3. Enjoy it

## Features

* Load
  * From tab (default)
  * From cURL command

* Supported
  * HTTP methods
    * GET
    * POST
      * application/x-www-form-urlencoded
      * multipart/form-data
      * application/json
  * Request editing mode
    * Basic
    * Raw
  * Custom payload
  * For more information, please visit https://github.com/0140454/hackbar/blob/master/README.md

* Auto Test
  * Common paths (Wordlist from dirsearch included)

* SQLi
  * Dump all database names (MySQL, PostgreSQL, MSSQL)
  * Dump tables from database (MySQL, PostgreSQL, MSSQL)
  * Dump columns from database (MySQL, PostgreSQL, MSSQL)
  * Union select statement (MySQL, PostgreSQL, MSSQL)
  * Error-based injection statement (MySQL, PostgreSQL, MSSQL)
  * Dump in one shot payload (MySQL)
    * Reference: https://github.com/swisskyrepo/PayloadsAllTheThings
  * Dump current query payload (MySQL)
    * Reference: https://github.com/swisskyrepo/PayloadsAllTheThings
  * Space to Inline comment

* XSS
  * Vue.js XSS payloads
  * Angular.js XSS payloads for strict CSP
  * Some snippets for CTF
  * Html encode/decode with hex/dec/entity name
  * String.fromCharCode encode/decode
  * Helper function for converting payload with `atob`

* LFI
  * PHP wrapper - Base64

* SSRF
  * AWS - IAM role name

* SSTI
  * Jinja2 SSTI
    * Flask RCE Reference: https://twitter.com/realgam3/status/1184747565415358469
  * Java SSTI

* Shell
  * Python reverse shell cheatsheet
  * bash reverse shell cheatsheet
  * nc reverse shell cheatsheet
  * php reverse shell/web shell cheatsheet

* Encoding
  * URL encode/decode
  * Base64 encode/decode
  * Hexadecimal encode/decode
  * Unicode encode/decode
  * Escape ASCII to hex/oct format

* Hashing
  * MD5
  * SHA1
  * SHA256
  * SHA384
  * SHA512

## Shortcuts

* Load
  * Default: Alt + A

* Split
  * Default: Alt + S

* Execute
  * Default: Alt + X

* Switch request editing mode
  * Default: Alt + M

## Third-party Libraries

For more information, please visit https://github.com/0140454/hackbar#third-party-libraries