VarScope Autor: gerbil

When assessing a web application, the JavaScript global scope (window) is one of the most revealing attack surfaces available. Frameworks, authentication tokens, API endpoints, feature flags, user objects, and internal state are routinely exposed as global variables — often unintentionally.
VarScope gives you a clean, colour-coded view of everything sitting on window at any moment, separated into native browser built-ins and variables created by the target application. You can take a snapshot, interact with the page, then compare to see exactly what changed — helping you map how the application's state evolves during login, form submission, navigation between SPA routes, or after triggering specific functionality.