Web Explode — macallan

WebExplode is an advanced, all-in-one browser extension designed for pentesters, bug bounty hunters, and security researchers. Completely rebuilt on a modern Manifest V3 ES Module architecture, it combines 7 powerful modules into a single suite, turning your browser into a standalone security testing laboratory.

Complete Privacy & Security: The extension has zero external dependencies, strictly avoids unsafe DOM manipulations (zero innerHTML), and never transmits user data to an external server. All scanning, fuzzing, and cryptography operations are executed 100% locally in your browser.

The Arsenal (Included Modules):

🐍 Venom (Payload Injector): Injects XSS, SQLi, LFI, and SSRF payloads directly into input fields. Uses smart injection techniques (native prototype setters) to bypass synthetic event traps in frameworks like React and Vue. Easily accessible via a right-click context menu.

🧩 Decode (Cryptography): An offline, real-time encoder/decoder for URL, Base64, Hex, and HTML Entities. It features a built-in JWT payload debugger and asynchronous SHA-256/512 hash calculation.

🕵️‍♂️ Spy (Reconnaissance): Identifies the technology stack (Frameworks, CMS) of the active tab. Intercepts and analyzes HTTP response headers to highlight security misconfigurations (CSP, HSTS). Includes a default password database search.

🪓 Forge (Session & CSRF): Hunts for sensitive Tokens/JWTs in Local/Session Storage. Generates precision CSRF Proof-of-Concept forms from the DOM and attempts to bypass WAF configurations by injecting dynamic IP spoofing headers (X-Forwarded-For).

🐺 Hound (Secret Scanner): Fetches and analyzes client-side JavaScript files. Powered by a Service Worker backend to bypass strict CORS policies, it discovers forgotten secrets such as AWS keys, Stripe APIs, and JWTs using advanced regex patterns.

🧬 ProtoPulse (Prototype Pollution): [NEW] Automatically fuzzes active URL parameters and hashes with targeted canaries. Injects a DOM observer to detect and verify DOM-based Prototype Pollution vulnerabilities in real-time.

🔭 WebGraph (GraphQL Inspector): [NEW] Passively discovers hidden GraphQL API endpoints (/graphql, /api/graphql). Executes Introspection queries to extract and map the complete schema, breaking down exposed Queries, Mutations, and Subscriptions.