PenScope v5.5 is a powerful Chrome MV3 extension designed for full attack surface mapping, combining passive reconnaissance with 29 active probe attacks. It operates with zero dependencies, comprising approximately 7,200 lines of pure JavaScript.
Key Features (Passive Reconnaissance - Zero Requests)
PenScope gathers extensive information without sending a single request to the target server, so the initial reconnaissance phase generates no traffic the target could observe. It captures:
- Endpoints: Every URL contacted, including method, status, size, and tags.
- Secrets: Identifies API keys, tokens, credentials (AWS, Azure SAS, Stripe, OpenAI, etc.).
- Hidden Fields: Extracts form inputs, data attributes, and anti-forgery tokens.
- Headers: Analyzes security headers, CSP configurations and CORS settings, and catalogs 50+ information-bearing headers.
- Tech Stack: Detects frameworks, libraries, servers, and CDNs.
- Route Discovery: Uncovers 500+ API routes from JavaScript bundles, classified by intent.
- Runtime Analysis: Inspects framework services, application state, privilege escalation matrices, and IDOR targets.
- Deep Extraction: Scans POST bodies, API responses (15 patterns), code coverage, shadow DOM, memory strings, and encoded blobs.
- Network Intelligence: Gathers data from DNS prefetch, iframes, performance entries, CSS content URLs, and Service Worker routes.
- Console Capture: Provides a dedicated tab for color-coded log levels and filters.
- WASM Analysis: Performs binary hex dumps, crypto pattern detection, cryptojacking detection, and toolchain signatures.
- WebRTC Leak Detection: Conducts actual STUN leak tests to extract private/public/IPv6 addresses.
- BroadcastChannel Interception: Captures cross-tab messages through constructor patching.
- WebAuthn/FIDO2 Detection: Identifies passkey support, conditional UI, and platform authenticators.
- WebGPU/WASM SIMD Detection: Reports GPU adapter information and SIMD validation.
- COOP/COEP Analysis: Assesses cross-origin isolation status and the resulting exposure to Spectre-style side channels.
- SRI Audit: Checks for third-party scripts lacking Subresource Integrity.
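As an added example (not PenScope's own code), the check behind an SRI audit like the one listed above: which cross-origin scripts on a page lack a usable integrity attribute, carry a non-standard hash, or carry integrity without the crossorigin attribute the browser needs to verify it. The page origin and script tags are constructed for this illustration; in a content script the same objects would come from document.querySelectorAll('script[src]').

```javascript
// Constructed sample: the page origin and the <script src> tags a content script would see.
const PAGE_ORIGIN = "https://app.example.com";
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", integrity: null, crossorigin: null },                 // same-origin, skipped
  { src: "https://cdn.example.net/lib.min.js", integrity: null, crossorigin: null },
  { src: "https://cdn.example.net/vendor.js",
    integrity: "sha384-" + "A".repeat(64), crossorigin: "anonymous" },          // correctly pinned
  { src: "https://cdn.example.net/bad.js", integrity: "md5-abc", crossorigin: null },
  { src: "//other.example.org/tracker.js",
    integrity: "sha256-" + "B".repeat(43) + "=", crossorigin: null },
];

// integrity is a space-separated list of "alg-base64" tokens; only sha256/384/512 are accepted by browsers.
function strongHashes(integrity) {
  if (!integrity) return [];
  return integrity.trim().split(/\s+/)
    .filter(tok => /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}(\?.*)?$/.test(tok));
}

// Returns one finding per cross-origin script that is not properly protected by SRI.
function auditSri(scripts, pageOrigin) {
  const findings = [];
  const own = new URL(pageOrigin).origin;
  for (const s of scripts) {
    const url = new URL(s.src, pageOrigin);            // resolves relative and protocol-relative src
    if (url.origin === own) continue;                  // SRI matters for third-party origins
    const hashes = strongHashes(s.integrity);
    if (hashes.length === 0) {
      findings.push({ src: url.href,
        issue: s.integrity ? "weak-or-malformed-integrity" : "missing-integrity" });
    } else if (s.crossorigin == null) {
      // Without crossorigin the response is opaque and the integrity check cannot pass,
      // so the browser refuses to run the script: a misconfiguration worth reporting.
      findings.push({ src: url.href, issue: "integrity-without-crossorigin" });
    }
  }
  return findings;
}

// In a content script, build the same objects from the live DOM.
function collectScripts(doc) {
  return Array.from(doc.querySelectorAll("script[src]")).map(el => ({
    src: el.getAttribute("src"),
    integrity: el.getAttribute("integrity"),
    crossorigin: el.getAttribute("crossorigin"),
  }));
}

if (typeof document !== "undefined") console.log(auditSri(collectScripts(document), location.origin));
else console.log(auditSri(SAMPLE_SCRIPTS, PAGE_ORIGIN));  // prints the three findings from the sample
```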
Probe Mode (29 Attack Steps)
For authorized penetration testing and bug bounty efforts, PenScope offers an opt-in probe mode that sends requests with session cookies. This mode includes 29 distinct attack steps, such as:
- GraphQL Introspection and Field Fuzzing
- Source Map Fetching and Secret Grepping
- Swagger Discovery
- Robots/Sitemap Parsing
- Path Probing and OPTIONS Enumeration
- Suffix Bruteforce
- BAC Auto-Testing (identifying admin endpoints)
- Method Tampering
- CORS Reflection
- Content-Type Confusion
- Open Redirect Testing
- Race Condition Exploitation
- HTTP Parameter Pollution
- Subdomain Mining
- JWT Algorithm Confusion
- Host Header Injection
- Cache Poisoning Detection and Active Cache Poisoning
- IDOR Auto-Testing
- Auth Token Removal
- CSRF Validation
- gRPC Reflection
- Compression Oracle (BREACH)
- WebSocket Hijack
- Timing Oracle
- COOP/COEP Bypass
- Storage Partition Testing
Architecture and Exports
The extension consists of background.js, popup.js, content.js, popup.html, and manifest.json. It provides various export formats, including JSON, a full markdown report, Burp URL lists, parameter wordlists, TSV endpoints, auto-generated OpenAPI 3.0 Swagger specs, parsed Source Maps JSON, and a one-click structured pentest brief to Claude.