
WebPage Source Recon by Libor Benes (Dr. B)

Analyze real-time webpage source code directly in the Firefox sidebar. Extract HTML comments, meta tags, inline scripts, and hidden inputs with smart filtering. Identify developer notes, API endpoints, tokens, and debug artifacts. Export to JSON/TXT.

About this extension
WebPage Source Recon is a privacy-first Firefox sidebar extension that automates extraction and analysis of security-relevant elements from webpage HTML source code.

During security assessments, valuable reconnaissance information often hides in plain sight: developer comments containing TODO items and credentials, meta tags with verification tokens, inline scripts exposing API endpoints, and hidden inputs carrying CSRF tokens or session state. Manual inspection is tedious and error-prone.

WHY RAW SOURCE VS. LIVE DOM:
This extension analyzes the raw HTML source received from the server, not the live DOM. This distinction is critical for reconnaissance: modern JavaScript frameworks (React, Vue, Angular) and client-side applications frequently receive server-rendered HTML containing comments, hidden configuration data, and pre-rendered state that is subsequently mutated, removed, or hidden by JavaScript execution. Security-relevant artifacts such as developer comments, API endpoint definitions, CSRF tokens, and debug parameters often exist exclusively in the server-sent source and are invisible when inspecting the live DOM. WebPage Source Recon captures this pristine server response, revealing what the browser received before client-side frameworks transformed it.

This tool performs structured extraction of four critical data categories:

• HTML COMMENTS: Captures all comment content with character positions. Identifies developer notes, debug flags, pending tasks, and accidentally committed credentials.

• META TAGS: Extracts name/content pairs from all meta elements. Reveals SEO configurations, verification tokens (google-site-verification, p:domain_verify), content security policies, and Open Graph metadata.

• INLINE SCRIPTS: Isolates embedded JavaScript without external sources. Analyzes configuration objects, initialization parameters, hardcoded API keys, and debug endpoints.

• HIDDEN INPUTS: Documents form state including CSRF tokens, session identifiers, redirect URLs, and application-specific parameters.
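
The four extraction categories above, sketched over a raw HTML string for auditing the server-sent source of a page you maintain. This is an added example, not the extension's code; the function names, the regex-based approach, and the constructed sample are assumptions.

```javascript
// Added example, not the extension's code: regex-based extraction over raw HTML text.
// A simplification; a production tool should use a real HTML tokenizer.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z][\w-]*/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

function extractFromSource(html) {
  const out = { comments: [], metaTags: [], inlineScripts: [], hiddenInputs: [] };
  const blank = (s) => " ".repeat(s.length); // same length keeps offsets valid
  let m;
  // 1. Comments, with the character offset of each "<!--" in the raw source.
  const commentRe = /<!--([\s\S]*?)-->/g;
  while ((m = commentRe.exec(html)) !== null)
    out.comments.push({ position: m.index, content: m[1].trim() });
  const live = html.replace(commentRe, blank); // commented-out tags must not count below
  // 2. Inline scripts: no src attribute and a non-empty body.
  const scriptRe = /(<script\b[^>]*>)([\s\S]*?)<\/script\s*>/gi;
  while ((m = scriptRe.exec(live)) !== null)
    if (!("src" in parseAttrs(m[1])) && m[2].trim()) out.inlineScripts.push(m[2].trim());
  const markup = live.replace(scriptRe, blank); // markup inside JS strings is not a tag
  // 3. Meta pairs and hidden inputs. Accepting property/http-equiv as the "name"
  //    (Open Graph, CSP) is an assumption of this example.
  const tagRe = /<(meta|input)\b[^>]*>/gi;
  while ((m = tagRe.exec(markup)) !== null) {
    const a = parseAttrs(m[0]);
    if (m[1].toLowerCase() === "meta") {
      const name = a.name ?? a.property ?? a["http-equiv"];
      if (name !== undefined) out.metaTags.push({ name, content: a.content ?? "" });
    } else if ((a.type ?? "").toLowerCase() === "hidden") {
      out.hiddenInputs.push({ name: a.name ?? "", value: a.value ?? "" });
    }
  }
  return out;
}

// Constructed sample standing in for the server-sent HTML of a page you own.
const SAMPLE = `<!doctype html><html><head>
<meta name="google-site-verification" content="PLACEHOLDER-TOKEN">
<meta property="og:title" content="Demo">
<!-- TODO: drop debug flag <input type="hidden" name="ghost" value="x"> -->
<script src="/static/app.js"></script>
<script>window.CONFIG = { apiBase: "/api/v1", debug: true };</script>
</head><body><form><input type="hidden" name="csrf_token" value="constructed-value">
<input type="text" name="q"></form></body></html>`;
console.log(JSON.stringify(extractFromSource(SAMPLE), null, 2));
```

The commented-out `ghost` input is reported only as comment text, not as a hidden input, because comments are blanked before tags are scanned.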

SMART SEARCH:
Real-time filtering with intuitive syntax. Field-specific search (name:, value:, content:) targets precise data categories. Plain text search scans entire display representation. All matches are visually highlighted for rapid identification.

EXPORT CAPABILITIES:
JSON export preserves complete data structure for programmatic analysis or tool chaining. TXT export generates formatted reports suitable for documentation or evidence preservation.

SECURITY ARCHITECTURE:
• Zero data collection: Explicitly declared in manifest.json.
• No external requests: All processing occurs locally in your browser.
• No persistent storage: Data is cleared on tab switch.
• No third-party dependencies: 100% first-party code.
• No unsafe DOM methods or insecure patterns.
• Input validation and RegEx escaping.

TAB ISOLATION:
Each browser tab maintains independent state. Switching tabs automatically clears previous analysis results, preventing cross-site information leakage.

VERSION 1.0 STATUS:
Core functionality is production-ready and security-validated. All security-critical components are complete and verified.

USE CASES:
• Penetration Testing: Rapidly identify information disclosure vulnerabilities, exposed credentials, and debug endpoints during web application assessments.

• Bug Bounty Hunting: Discover hidden parameters, CSRF tokens, and API endpoints for further testing.

• Application Security Audit: Review first-party and third-party applications for security misconfigurations and sensitive data exposure.

• Development Debugging: Locate your own TODO comments, remove accidentally committed secrets, and audit hidden form fields.

• Compliance Verification: Ensure no sensitive information (PII, credentials, tokens) is exposed in production source code.

TARGET AUDIENCE:
• Security Researchers and Penetration Testers.
• Bug Bounty Hunters.
• Web Application Developers.
• DevOps and Site Reliability Engineers.
• Quality Assurance Engineers.
• Technical Project Managers.

TECHNICAL SPECIFICATIONS:
• Compatibility: Firefox 109.0+ (64-bit desktop).
• Size: 67 KB total (minimal memory and storage footprint - data stored only during active analysis).
• Performance: Efficient O(n) filtering algorithms provide instant search response, even on pages with thousands of extracted elements.
• Testing: Verified on Firefox 147.0.3 (February 12, 2026).

WebPage Source Recon embodies the security researcher's methodology: automate the mundane, identify the critical, and secure the vulnerable. All within Firefox's sidebar, with privacy protected.
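Permissions and data

Required permissions:

  • Access your data for all websites

Data collected:

  • The developer says this extension doesn't require data collection.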
More information
Version: 1.0
Size: 23.53 KB
Last updated: 3 months ago (February 12, 2026)
Related categories:
  • Web Development
  • Privacy & Security
  • Search Tools
License: Mozilla Public License 2.0