Nexus

Web recon platform. Detects exposed API keys, tokens, configs, tech stack, and probes sensitive paths.

As of June 2026, Nexus has 24 users and a 5.00/5 rating from 5 reviews in the Privacy & Security category.

Users: 24 (up 166.7%)
Rating: 5.00 from 5 reviews (no change)
Reviews: 5 (up 66.7%)
Version: 1.0.2 (Manifest V3)
90-day change · In the last 90 days this extension had 1 version update.

History

8 snapshots

Tracking since Apr 1, 2026.

Date          Users  Rating  Reviews  Version
Apr 1, 2026   9      5.00    3        1.0.1
Apr 17, 2026  9      5.00    5        1.0.1
Apr 27, 2026  19     5.00    5        1.0.2
May 4, 2026   21     5.00    5        1.0.2
May 10, 2026  24     5.00    5        1.0.2
May 21, 2026  22     5.00    5        1.0.2
May 28, 2026  23     5.00    5        1.0.2
Jun 9, 2026   22     5.00    5        1.0.2
Now           24     5.00    5        1.0.2

Changelog

  • Apr 17, 2026
    description
    Nexus is a professional-grade web reconnaissance tool designed for pentesters and bug bounty hunters. It passively analyzes web traffic and page content to detect security risks without sending malicious payloads.
    
    KEY FEATURES:
    
    🔍 Passive Vulnerability Scanning
    Automatically detects 70+ sensitive patterns including:
    - Cloud API Keys (AWS, Google, Azure)
    - SaaS Tokens (Stripe, Slack, Discord, OpenAI)
    - Exposed Configuration Files (.env, config.js)
    - Database Connection Strings
    
    🛠️ Technology Fingerprinting
    Identifies the underlying technology stack of target websites:
    - Frontend Frameworks (React, Vue, Angular, Svelte)
    - CMS & Platforms (WordPress, Shopify, Magento)
    - Analytics & Marketing Tools
    - Server Headers & Security Misconfigurations
    
    📂 Sensitive Path Detection
    Probes for common sensitive endpoints that are often exposed:
    - Admin Panels & Dashboards
    - Backup Files (.zip, .bak, .sql)
    - Version Control (.git, .svn)
    - Server Status Pages
    
    📊 Professional Reporting
    - Instant visual feedback via the extension badge
    - Detailed finding cards with severity classification (Critical, High, Medium, Low)
    - Export findings to JSON or HTML reports for client deliverables
    
    PRIVACY & SECURITY:
    Nexus runs entirely within your browser. No data is sent to external servers. All scanning is performed locally using JavaScript.
    
    TARGET AUDIENCE:
    - Penetration Testers
    - Bug Bounty Hunters
    - Security Engineers
    - Web Developers
    
    Updated to:
    Nexus is a professional-grade web reconnaissance platform for pentesters and bug bounty hunters. It analyzes web traffic, page content, and JavaScript bundles to uncover security risks without sending malicious payloads.
    
    KEY FEATURES:
    
    Secret Detection
    Scans inline scripts, bundled JS chunks, web storage, and global config objects for over 100 secret patterns including cloud provider keys, AI/ML service tokens, payment processor credentials, authentication secrets, database connection strings, and more. Works with minified and bundled code from all major frontend frameworks.
    
    Endpoint & Route Discovery
    Extracts API endpoints from minified webpack bundles, framework build manifests, server-side data, and window globals. Detects REST paths, GraphQL endpoints, WebSocket URLs, backend routes, and dynamically constructed URLs — even inside compiled template literals and concatenated strings.
    
    Media & Asset URL Extraction
    Discovers streaming playlists (.m3u8, .mpd), video/audio files, RTMP streams, signed CDN URLs with replayable tokens, and document URLs buried in JavaScript source code.
    
    Technology Fingerprinting
    Identifies the complete technology stack via response headers and DOM analysis — frontend frameworks, CMS platforms, CDN providers, web servers, caching layers, and analytics tools. Over 40 detection signatures.
    
    Sensitive Path Probing
    Probes 140+ commonly exposed paths with SPA detection and rate-limit handling — configuration files, version control directories, admin panels, API documentation, server diagnostics, build artifacts, backup files, and cloud infrastructure endpoints.
    
    Security Header Analysis
    Deep analysis of Content Security Policy, HSTS configuration, CORS setup, cookie security flags, and server disclosure headers. Detects misconfigurations, weak policies, and missing protections.
    
    Additional Reconnaissance
    Subdomain discovery, infrastructure mapping via DNS prefetch hints, web storage scanning for sensitive data, subresource integrity checks, DOM security sinks (XSS vectors, prototype pollution, JSONP callbacks), template injection markers, and sensitive file link detection.
    
    Professional Reporting
    Severity-classified findings with remediation guidance. Site reconnaissance profile with tech stack overview, security posture, and endpoint listing. Export to JSON, HTML report, or CSV for client deliverables.
    
    PRIVACY & SECURITY:
    Nexus runs entirely within your browser. No data is collected, stored, or transmitted to external servers. All scanning and analysis is performed locally. No external resources are loaded — all assets are bundled with the extension.
    
    Host Permissions: Required to scan any website you choose to audit, probe sensitive paths, and fetch external JavaScript files for analysis. No requests are made until you explicitly initiate a scan.
    
    LEGAL NOTICE:
    Nexus performs active reconnaissance including HTTP requests to sensitive paths on target websites. On first use, a legal disclaimer requires you to acknowledge that you will only scan authorized targets. Unauthorized scanning may violate applicable laws and terms of service. You are solely responsible for your use of this tool.
  • Apr 17, 2026
    short_description
    Web security reconnaissance. Detects exposed API keys, tokens, configs, tech stack, and probes sensitive paths for pentesters.
    Updated to:
    Web recon platform. Detects exposed API keys, tokens, configs, tech stack, and probes sensitive paths.

Permissions & access

Permissions: activeTab, scripting, webRequest, storage
Host access: <all_urls>

About

Nexus is a professional-grade web reconnaissance platform for pentesters and bug bounty hunters. It analyzes web traffic, page content, and JavaScript bundles to uncover security risks without sending malicious payloads.

KEY FEATURES:

Secret Detection
Scans inline scripts, bundled JS chunks, web storage, and global config objects for over 100 secret patterns including cloud provider keys, AI/ML service tokens, payment processor credentials, authentication secrets, database connection strings, and more. Works with minified and bundled code from all major frontend frameworks.

Endpoint & Route Discovery
Extracts API endpoints from minified webpack bundles, framework build manifests, server-side data, and window globals. Detects REST paths, GraphQL endpoints, WebSocket URLs, backend routes, and dynamically constructed URLs — even inside compiled template literals and concatenated strings.

Media & Asset URL Extraction
Discovers streaming playlists (.m3u8, .mpd), video/audio files, RTMP streams, signed CDN URLs with replayable tokens, and document URLs buried in JavaScript source code.

Technology Fingerprinting
Identifies the complete technology stack via response headers and DOM analysis — frontend frameworks, CMS platforms, CDN providers, web servers, caching layers, and analytics tools. Over 40 detection signatures.

Sensitive Path Probing
Probes 140+ commonly exposed paths with SPA detection and rate-limit handling — configuration files, version control directories, admin panels, API documentation, server diagnostics, build artifacts, backup files, and cloud infrastructure endpoints.

Security Header Analysis
Deep analysis of Content Security Policy, HSTS configuration, CORS setup, cookie security flags, and server disclosure headers. Detects misconfigurations, weak policies, and missing protections.

Additional Reconnaissance
Subdomain discovery, infrastructure mapping via DNS prefetch hints, web storage scanning for sensitive data, subresource integrity checks, DOM security sinks (XSS vectors, prototype pollution, JSONP callbacks), template injection markers, and sensitive file link detection.

Professional Reporting
Severity-classified findings with remediation guidance. Site reconnaissance profile with tech stack overview, security posture, and endpoint listing. Export to JSON, HTML report, or CSV for client deliverables.

PRIVACY & SECURITY:
Nexus runs entirely within your browser. No data is collected, stored, or transmitted to external servers. All scanning and analysis is performed locally. No external resources are loaded — all assets are bundled with the extension.

Host Permissions: Required to scan any website you choose to audit, probe sensitive paths, and fetch external JavaScript files for analysis. No requests are made until you explicitly initiate a scan.

LEGAL NOTICE:
Nexus performs active reconnaissance including HTTP requests to sensitive paths on target websites. On first use, a legal disclaimer requires you to acknowledge that you will only scan authorized targets. Unauthorized scanning may violate applicable laws and terms of service. You are solely responsible for your use of this tool.

Technical

Version: 1.0.2
Manifest: V3
Size: 399 KiB
Min Chrome: 88
Languages: 1
Featured: No

Metadata

ID: mokcnnencbndngpilbkejmhagejpicim
Developer ID: u57d13e7eec70d606a7a7d81c6c2de610
Developer Email: [email protected]
Created: Mar 21, 2026
Last Updated (Store): Apr 2, 2026
Last Scraped: Jun 9, 2026

Data sourced from the Chrome Web Store · last verified Jun 9, 2026.