ShadowSec Panel v13

Shadow DOM UI with advanced OWASP-aligned checks: v10.3 UI + v5 depth + intrusive probes (SQLi/IDOR/SSRF/Rate-limit) and heuristics (ports/cache/fingerprinting). Live summary, filters, search, export, copy, and a Settings page for wordlists and options.

Author
Erik Galstyan
Daily installs
0
Total installs
0
Ratings
0 0 0
Version
13.0.1
Created
2025-08-28
Updated
2025-08-28
Size
58.3 KB
License
MIT
Applies to
All sites

🔐 ShadowSec Panel: DOM Website Security Panel

ShadowSec is a Tampermonkey userscript that injects a powerful website security auditing panel directly into your browser. It's built with a modern Shadow DOM UI and runs a wide range of security checks with real-time reporting.

⚠️ This tool is intended for educational purposes and for auditing your own websites only!

✨ Features

🖥 Modern User Interface

  • Shadow DOM isolation - unaffected by site CSS/JS.
  • Dark/Light theme toggle.
  • Expandable test result groups with <details> sections.
  • Severity filters (High / Medium / Low).
  • Instant log search box.
  • Live summary dashboard.

⚙️ Panel Settings

  • Configure external wordlist URL for directory probing.
  • Set maximum number of probe requests per scan.
  • Settings persist across sessions.

🔍 Security Checks

ShadowSec merges the strict, detailed checks from earlier versions with new recon and fuzzing modules for broader coverage.

🔹 Recon & Infrastructure

  • Open Ports (heuristic) → Probes common web/database ports via fetch/WebSocket.
  • Extended Directory Probing → Built-in paths + harvested links + optional GitHub wordlist.
  • Outdated Libraries → Detects outdated versions of jQuery and other client-side frameworks.
  • GraphQL Introspection → Detects exposed GraphQL schemas.
  • Advanced Fingerprinting → Canvas, AudioContext, Battery API, WebGL, etc.

🔹 OWASP Headers & Configs

  • OWASP Headers Compliance → CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, Cache-Control.
  • CORS Policy → Detects wildcards / insecure origins.
  • Cache Poisoning Risks → Looks for unkeyed headers.
  • Clickjacking → Detects iframe embedding and missing sandbox.

🔹 Input & Data Security

  • Cookies → Checks Secure, HttpOnly, SameSite.
  • Forms & CSRF → Detects missing CSRF tokens, insecure password/file inputs.
  • IDOR Detection → Flags sequential/numeric IDs, probes variations.
  • SSRF Detection → Looks for dangerous fetch/proxy parameters.
  • SQL Injection Hints → Payload fuzzing for error leakage.
  • CSTI (Client-Side Template Injection) → Detects Angular/Vue-style injection.

🔹 XSS & Script Security

  • Inline Event Handlers → Flags on*= attributes.
  • DOM-based XSS → Detects reflected query params.
  • XSS Payload Fuzzing → Multiple payloads; intrusive mode is optional.
  • CSP Effectiveness → Checks for unsafe-inline / unsafe-eval.
  • Subresource Integrity (SRI) → Verifies integrity attributes.
  • Third-Party Scripts → Detects external domains.
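The OWASP Headers Compliance, CORS Policy, CSP Effectiveness and Cookies checks listed above are all passive: they only inspect response headers the browser has already received. The block below is an added example written for this page, not ShadowSec's own code, of how such a passive audit can be expressed in plain JavaScript. The header names are standard; the one-year HSTS `max-age` threshold, the severity assignments and the two sample header sets are the example's own assumptions.

```javascript
// Added example (not ShadowSec's own code): a passive audit of already-received response headers
// covering the OWASP Headers, CORS, CSP Effectiveness and Cookies checks. Sends no requests.

// Normalise a plain { 'Header-Name': value } object into a lowercase-keyed Map; Set-Cookie may repeat.
function normalizeHeaders(raw) {
  const map = new Map();
  for (const [name, value] of Object.entries(raw)) {
    const key = name.toLowerCase();
    if (key === 'set-cookie') map.set(key, Array.isArray(value) ? value.slice() : [value]);
    else map.set(key, String(value));
  }
  return map;
}

// Parse a Content-Security-Policy value into { directive: [source, ...] }.
// CSP keywords are case-insensitive, so tokens are lowercased for comparison.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Run the passive checks; findings use the panel's High / Medium / Low scale.
function auditHeaders(raw) {
  const h = normalizeHeaders(raw);
  const findings = [];
  const add = (severity, test, message) => findings.push({ severity, test, message });
  // HSTS: present, with max-age of at least one year (31536000 s is this example's threshold).
  const hsts = h.get('strict-transport-security');
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) add('High', 'HSTS', 'Strict-Transport-Security header missing');
  else if (!maxAge || Number(maxAge[1]) < 31536000) add('Medium', 'HSTS', `max-age below one year: ${hsts}`);

  // CSP: missing, or script sources (script-src, else default-src) that allow
  // 'unsafe-inline' / 'unsafe-eval', which undoes most of the policy's XSS protection.
  const cspValue = h.get('content-security-policy');
  const policy = cspValue ? parseCsp(cspValue) : null;
  if (!policy) add('High', 'CSP', 'Content-Security-Policy header missing');
  else {
    const scriptSrc = policy['script-src'] || policy['default-src'] || [];
    for (const keyword of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSrc.includes(keyword)) add('High', 'CSP', `script sources allow ${keyword}`);
    }
  }

  // Clickjacking: X-Frame-Options or a CSP frame-ancestors directive must be present.
  if (!h.has('x-frame-options') && !(policy && policy['frame-ancestors']))
    add('Medium', 'Clickjacking', 'neither X-Frame-Options nor frame-ancestors is set');

  // Remaining recommended headers: flag absence.
  const expected = [['referrer-policy', 'Referrer-Policy'], ['permissions-policy', 'Permissions-Policy'],
    ['cross-origin-opener-policy', 'COOP'], ['cross-origin-embedder-policy', 'COEP']];
  for (const [key, label] of expected) if (!h.has(key)) add('Low', label, `${label} header missing`);

  // CORS: a wildcard origin makes the response readable from any site.
  if (h.get('access-control-allow-origin') === '*') add('Low', 'CORS', 'wildcard Access-Control-Allow-Origin');

  // Cookies: every Set-Cookie should carry Secure, HttpOnly and an explicit SameSite.
  for (const cookie of h.get('set-cookie') || []) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const lower = attrs.map((a) => a.toLowerCase());
    if (!lower.includes('secure')) add('Medium', 'Cookies', `${name}: missing Secure`);
    if (!lower.includes('httponly')) add('Medium', 'Cookies', `${name}: missing HttpOnly`);
    if (!lower.some((a) => a.startsWith('samesite='))) add('Low', 'Cookies', `${name}: no SameSite`);
  }
  return findings;
}

// Count findings per severity, as the panel's live summary does.
function summarize(findings) {
  const counts = { High: 0, Medium: 0, Low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed samples: a weak header set beside a hardened one.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  'Strict-Transport-Security': 'max-age=600',
  'Access-Control-Allow-Origin': '*',
  'Set-Cookie': ['session=abc123; Path=/; HttpOnly', 'theme=dark; Path=/; Secure; SameSite=Lax'],
};
const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), camera=(), microphone=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Set-Cookie': 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
};

console.log(summarize(auditHeaders(WEAK_HEADERS)));     // { High: 1, Medium: 4, Low: 6 }
console.log(summarize(auditHeaders(HARDENED_HEADERS))); // { High: 0, Medium: 0, Low: 0 }
```

In a userscript the input would come from the page's own response (for example the headers of a `fetch` of `location.href`), which is the only request such a passive check needs; everything else is string inspection, so the same functions can be unit-tested offline against constructed header sets like the two above.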

🔹 Privacy & Authentication

  • WebRTC & Geolocation → Flags available APIs.
  • WebSocket Security → Insecure ws:// connections.
  • Service Workers → Detects registered scopes.
  • Browser Fingerprinting → Canvas, Audio, Battery, WebGL.
  • Broken Authentication → Session fixation, weak JWTs.
  • Rate Limiting Test → Repeated requests to forms/APIs.

📂 Export & Reports

  • Export findings to JSON file.
  • Copy findings to clipboard.
  • Logs grouped by test with severity colors.

⚠️ Disclaimer

This tool is for educational purposes and auditing your own websites only.
Running it against third-party websites without permission may be illegal.
The author is not responsible for misuse.