https://github.com/DenisPodgurskii/pentestkit

OWASP PTK - application security browser extension.
https://github.com/DenisPodgurskii/pentestkit

command-injection-attack commandinjection dast iast jwt jwt-security owasp sast security sql-injection-attacks sqlinjection xss xss-exploitation

Last synced: 9 days ago
JSON representation

OWASP PTK - application security browser extension.

• Host: GitHub
• URL: https://github.com/DenisPodgurskii/pentestkit
• Owner: DenisPodgurskii
• License: agpl-3.0
• Created: 2021-06-12T17:06:13.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2026-05-19T21:24:57.000Z (13 days ago)
• Last Synced: 2026-05-20T00:50:18.831Z (13 days ago)
• Topics: command-injection-attack, commandinjection, dast, iast, jwt, jwt-security, owasp, sast, security, sql-injection-attacks, sqlinjection, xss, xss-exploitation
• Language: JavaScript
• Homepage: https://pentestkit.co.uk/
• Size: 90.8 MB
• Stars: 207
• Watchers: 7
• Forks: 42
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE.txt
  • Security: SECURITY.md
  • Roadmap: ROADMAP.md

Awesome Lists containing this project

• awesome-bugbounty-tools - OWASP PTK - Browser-based vulnerability scanner for bug bounty and pentesting workflows, combining DAST, SAST, IAST, and SCA capabilities to detect runtime, source-level, interactive, and dependency-related security issues. (Miscellaneous / Vulnerability Scanners)

README

          
# OWASP Penetration Testing Kit (PTK)

[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11838/badge)](https://www.bestpractices.dev/projects/11838)

**The OWASP Penetration Testing Kit (PTK)** browser extension is your all-in-one solution for streamlining your daily AppSec tasks. Whether you’re a penetration tester, a Red Team member, or an AppSec practitioner, OWASP PTK enhances your efficiency and provides deep insights into your target application.

**Key Features:**

* **Runtime Scanning (DAST & IAST & SAST & SCA):**

  Perform Dynamic Application Security Testing, Static Analysis, In-Browser IAST and Software Composition Analysis on the fly. Identify SQL injection, command injection, reflected/stored XSS, SQL auth bypass, XPath injections, JWT attacks, and other complex threats.

* **Static Analysis (SAST):**

  PTK automatically parses loaded JavaScript, HTML, and CSS right in your browser—before any code ever runs. It flags unsafe patterns like `eval()`, `innerHTML`/`outerHTML` injection, insecure cryptographic calls, missing input sanitization, and common anti-patterns. 

* **In-Browser IAST (Interactive Application Security Testing):**

  PTK’s built-in IAST engine instruments your app at runtime—right in the browser—tracking taint flows and code execution to flag vulnerabilities as they occur. Catch issues like DOM-based XSS, unsafe `eval`/`innerHTML` usage, open-redirects, and more without leaving your dev tools.

* **JWT Inspector:**

  Analyze, craft, and tamper with JSON Web Tokens. Generate keys, test null signatures, brute-force HMAC secrets, and inject malicious `jwk`, `jku`, or `kid` parameters.

* **Insightful Application Info:**

  One-click visibility into tech stacks, WAFs, security headers, crawled links, and authentication flows.

* **Built-in Proxy & Traffic Log:**

  Capture all HTTP(S) traffic, replay requests in R-Builder, and automate XSS, SQLi, and OS command injection.

* **R-Builder for Request Tampering & Smuggling:**

  Craft and manipulate HTTP requests, including complex request-smuggling techniques. Now with cURL import/export.

* **Cookie Management:**

  Add, edit, remove, block, protect, export, and import cookies from a powerful in-browser editor.

* **Decoder/Encoder Utility:**

  Instantly convert between UTF-8, Base64, MD5, URL-encode/decode, and more formats.

* **Selenium Integration:**

  Shift left security by running automated Selenium tests with built-in vulnerability checks.

Enhance your AppSec practice with PTK—the extension that makes your browser smarter and your testing faster. Install today and start uncovering vulnerabilities in real time!

## Development

```

git clone git@github.com:DenisPodgurskii/pentestkit.git

cd pentestkit

npm install

npm run build

```

Chrome/Edge/Brave -> Extensions -> Load unpacked -> select pentestkit/src directory

Or run 

```

npm run build_pkg

```

This will create zip arhives in pentestkit/dist folder

On Windows build it's a chance you can expect an error during build process. In this case try to execute the following command first.

```

npm install --ignore-scripts fomantic-ui

```

## Installation

[Firefox](https://addons.mozilla.org/en-US/firefox/addon/owasp-penetration-testing-kit/) 

[Chrome](https://chrome.google.com/webstore/detail/penetration-testing-kit/ojkchikaholjmcnefhjlbohackpeeknd) 

[MS Edge](https://microsoftedge.microsoft.com/addons/detail/penetration-testing-kit/knjnghhnhcpcglfdjppffbpfndeebkdm) 

## Documentation / How To

[Website](https://pentestkit.co.uk/howto.html) 

## Support

For questions, bug reports, and feature requests, please use **GitHub Issues**:  

https://github.com/DenisPodgurskii/pentestkit/issues

## Youtube channel

[Youtube channel](https://www.youtube.com/channel/UCbEcTounPkV1aitE1egXfqw) 

## BrowserStack

This project is tested with BrowserStack