A modern and powerful browser extension for web security testing. Designed for penetration testers and security professionals.
Requires (old version only):
- Firefox version: firefox-47.0.linux-x86_64.sdk.tar.bz2 (https://ftp.mozilla.org/pub/firefox/releases/47.0/)
- xpi file: advanced-hackbar.xpi
New version:
- load manifest.json on about:debugging in firefox as a temporary extension
- Load the current browser URL
- Split URLs into individual parameters
- Execute requests with POST data and a custom Referer
- Request history
- URL Encoding: encode, decode, encode all characters
- Base64: encode / decode
- Hex: string to hex, hex to string
- HTML: entity encoding / decoding
- Unicode: encode / decode
- SQL Character Conversion: MySQL CHAR(), MSSQL CHAR(), Oracle CHR()
- MD5
- SHA1
- SHA256
- SHA512
- Basic UNION with numeric values
- UNION with NULL values
- ORDER BY to identify column count
- Basic errors using FLOOR / RAND
- Database name extraction
- Database version extraction
- True / false conditions
- Substring-based data extraction
- MySQL SLEEP()
- MSSQL WAITFOR DELAY
- PostgreSQL pg_sleep()
- Database version
- List databases
- List tables
- List columns
- MySQL comments
- Version-specific comments
- Case manipulation
- Double URL encoding
- Alert box
- IMG tag with onerror
- SVG tag with onload
- DOM-based XSS
- Stored XSS
- Reflected XSS
- Scriptless payloads
- Encoded payloads
- Universal polyglot payloads
- Basic LFI (../../../../etc/passwd)
- LFI with null byte
- PHP wrappers
- Basic RFI
- Semicolon (;)
- Pipe (|)
- AND (&&)
- OR (||)
- Open Firefox
- Go to about:debugging#/runtime/this-firefox
- Click Load Temporary Add-on
- Select the manifest.json file
- Open chrome://extensions/ or edge://extensions/
- Enable Developer mode
- Click Load unpacked
- Select the extension folder
- Click the HackBar icon in the browser toolbar
- Keyboard shortcut:
  - Windows / Linux: Ctrl + Shift + H
  - macOS: Cmd + Shift + H
- Load URL: Click Load URL to import the current page URL
- Manipulate: Select text in the textarea and apply encodings or payloads
- Execute: Click Execute to navigate to the modified URL
- If text is selected, operations apply only to the selection
- If no text is selected, operations apply to the entire content
- Enable the POST Data section
- Enter parameters using the format: param1=value1&param2=value2
- Click Execute
- Enable the Referer section
- Enter the desired referer URL
- Click Execute
```
hackbar-extension/
├── manifest.json        # Extension configuration
├── background.js        # Main service worker
├── config/
│   └── payloads.js      # Centralized payload configuration
├── utils/
│   └── encoding.js      # Encoding and hashing utilities
├── popup/
│   ├── popup.html       # Popup UI
│   ├── popup.css        # Modern styling
│   └── popup.js         # Popup logic
└── icons/               # Extension icons
```
Centralized configuration for all payloads with a modular structure:
```javascript
const PayloadConfig = {
  sql: {
    union: { ... },
    errorBased: { ... }
  },
  xss: { ... },
  fileInclusion: { ... }
};
```
Encoding, decoding, and hashing utilities:
- EncodingUtils.urlEncode()
- EncodingUtils.base64Encode()
- EncodingUtils.md5()
- etc.
Service worker responsible for:
- Popup communication
- Payload generation
- URL manipulation
- Application state management
User interface logic:
- Tab system
- Event listeners
- Textarea updates
- Notifications
```javascript
PayloadConfig.sql.myNewCategory = {
  myPayload: {
    name: 'My Custom Payload',
    description: 'Description of what it does',
    generate: (param1, param2) => {
      return `PAYLOAD WITH ${param1} AND ${param2}`;
    }
  }
};
```
```html
<button class="btn btn-payload"
        data-action="sql"
        data-payload="myNewCategory.myPayload">
  My Payload
</button>
```
```javascript
// In popup.js, handlePayloadClick()
case 'myCustomAction': {
  // braces give the const its own block scope inside the switch
  const customPayload = generateMyCustomPayload();
  updateTextArea(textarea, customPayload);
  break;
}
```
Edit CSS variables in popup/popup.css:
```css
:root {
  --primary-color: #667eea;
  --secondary-color: #764ba2;
  --success-color: #48bb78;
}
```
- Add the tab button in popup.html:
```html
<button class="tab-btn" data-tab="mytab">My Tab</button>
```
- Add the tab content:
```html
<div class="tab-pane" id="tab-mytab">
  <!-- Content -->
</div>
```
Commit prefixes:
- feat: New features
- fix: Bug fixes
- docs: Documentation changes
- style: Styling changes
- refactor: Code refactoring
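Added example, not the extension's own code: a minimal model of how a `data-action` / `data-payload` button is resolved against PayloadConfig and how the result is applied to the textarea selection only, or to the whole content when nothing is selected (the rule stated under Load URL / Manipulate / Execute above). The registry entry, its `generate` body and the textarea object are constructed for illustration.

```javascript
// Constructed registry in the shape the README describes; the "generate"
// body is an illustrative stand-in, not one of the extension's payloads.
const PayloadConfig = {
  sql: {
    myNewCategory: {
      myPayload: {
        name: 'My Custom Payload',
        description: 'Wraps the selection in a labelled marker',
        generate: (value, label) => `${label}[${value}]`,
      },
    },
  },
};

// Resolve a data-payload path such as "myNewCategory.myPayload" under
// PayloadConfig[data-action]. Returns null instead of throwing, so a
// mistyped attribute cannot crash the popup.
function resolvePayload(config, action, path) {
  const node = path.split('.').reduce(
    (cur, key) => (cur && Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : null),
    config[action] ?? null,
  );
  return node && typeof node.generate === 'function' ? node : null;
}

// Apply fn to the selected range of a textarea-like object
// ({ value, selectionStart, selectionEnd }); with an empty selection the
// whole value is transformed. Returns the new value and selection so the
// caller can keep the result highlighted for the next operation.
function applyToSelection(textarea, fn) {
  const { value, selectionStart: s, selectionEnd: e } = textarea;
  const hasSelection = s !== e;
  const replaced = fn(hasSelection ? value.slice(s, e) : value);
  const next = hasSelection ? value.slice(0, s) + replaced + value.slice(e) : replaced;
  const start = hasSelection ? s : 0;
  return { value: next, selectionStart: start, selectionEnd: start + replaced.length };
}

// Mirrors what handlePayloadClick() has to do: look the payload up, then
// apply it; unknown payloads leave the textarea untouched.
function handlePayloadClick(textarea, action, path, ...extra) {
  const payload = resolvePayload(PayloadConfig, action, path);
  if (!payload) return textarea;
  return applyToSelection(textarea, (sel) => payload.generate(sel, ...extra));
}
```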
- Fork the project
- Create a feature branch
- Commit your changes
- Push to your branch
- Open a Pull Request
URL: http://example.com/page?id=1
1. Load URL
2. Select the "1" after id=
3. Click "Union Basic"
4. Click "Execute"
1. Enter payload: <script>alert(1)</script>
2. Click "URL Encode"
3. Copy the result
4. Paste into a URL parameter
1. Input: SELECT * FROM users WHERE id=1
2. Select all text
3. Click "MySQL Comments"
4. Result: /*!SELECT/**/FROM/**/users/**/WHERE/**/id=1*/
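Added example, not part of the extension: the defender's inverse of the transformations above. `normalizeParam()` peels repeated URL encoding, MySQL hex literals, the MySQL/MSSQL CHAR() and Oracle CHR() constructions, and MySQL inline comments, then folds case and whitespace, so a logged request parameter can be compared against a plain-text signature. The function names and the sample inputs in the test are constructed for this example.

```javascript
// Percent-decode until stable, which undoes double (and deeper) URL encoding;
// bounded so a hostile input cannot keep a log pipeline busy.
function urlDecodeDeep(s, maxRounds = 5) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, ' ')); }
    catch { return cur; } // malformed %xx: keep the last decodable layer
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// 0x53454C -> "SEL" (MySQL-style hex string literals, even digit count only).
function decodeHexLiterals(s) {
  return s.replace(/\b0x((?:[0-9a-f]{2})+)\b/gi, (_, hex) =>
    hex.match(/../g).map((b) => String.fromCharCode(parseInt(b, 16))).join(''));
}

// CHAR(83,69,76) (MySQL), CHAR(83)+CHAR(69) (MSSQL) and CHR(83)||CHR(69)
// (Oracle) all collapse to the characters they construct.
function decodeCharCalls(s) {
  const one = String.raw`CHA?R\s*\(\s*\d{1,3}(?:\s*,\s*\d{1,3})*\s*\)`;
  const chain = new RegExp(`(?:${one})(?:\\s*(?:\\+|\\|\\|)\\s*(?:${one}))*`, 'gi');
  return s.replace(chain, (m) =>
    m.match(/\d{1,3}/g).map((n) => String.fromCharCode(Number(n))).join(''));
}

// Drop empty /**/ separators, unwrap /*!...*/ and /*!50000 ...*/ conditional
// comments (MySQL executes their body), and blank out any other /* ... */.
function stripMysqlComments(s) {
  return s
    .replace(/\/\*\*\//g, ' ')
    .replace(/\/\*!\d{0,5}\s*([\s\S]*?)\*\//g, '$1')
    .replace(/\/\*[\s\S]*?\*\//g, ' ');
}

// Full pipeline; case folding also neutralises the "case manipulation" item.
function normalizeParam(raw) {
  const decoded = decodeCharCalls(decodeHexLiterals(urlDecodeDeep(raw)));
  return stripMysqlComments(decoded).toLowerCase().replace(/\s+/g, ' ').trim();
}
```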
This tool is intended for authorized security testing and educational purposes only. Unauthorized use against systems without explicit permission is illegal. The authors are not responsible for misuse.
MIT License — see the LICENSE file for details.
When reporting a bug, please include:
- Issue description
- Steps to reproduce
- Expected vs actual behavior
- Screenshots (if applicable)
- Browser and version information
- Payload history
- Export / import configuration
- Custom payload templates
- Burp Suite integration
- Dark / light mode
- API payloads (JSON, XML)
- Wordlist generator
- Basic fuzzing