ShadowSec Panel v13

Shadow DOM UI with advanced OWASP-aligned checks: v10.3 UI + v5 depth + intrusive probes (SQLi/IDOR/SSRF/Rate-limit) and heuristics (ports/cache/fingerprinting). Live summary, filters, search, export, copy, and a Settings page for wordlists and options.

Installa questo script ?

Fai una domanda, pubblica una recensione, oppure segnala lo script.

Autore: Erik Galstyan
Installazioni giornaliere: 0
Installazioni totali: 11
Valutazione: 0 0 0
Versione: 13.0.1
Creato il: 28/08/2025
Aggiornato il: 28/08/2025
Dimensione: 58,3 KB
Licenza: MIT
Applica a: Tutti i siti

🔐 ShadowSec Panel: DOM Website Security Panel

ShadowSec is a Tampermonkey userscript that injects a powerful website security auditing panel directly into your browser. It's built with a modern Shadow DOM UI and runs a wide range of security checks with real-time reporting.

⚠️ This tool is intended for educational purposes and for auditing your own websites only!

✨ Features

🖥 Modern User Interface

Shadow DOM isolation - unaffected by site CSS/JS.
Dark/Light theme toggle.
Expandable test result groups with <details> sections.
Severity filters (High / Medium / Low).
Instant log search box.
Live summary dashboard.

⚙️ Panel Settings

Configure external wordlist URL for directory probing.
Set maximum number of probe requests per scan.
Settings persist across sessions.

🔍 Security Checks

ShadowSec merges the strict, detailed checks from earlier versions with new recon and fuzzing modules for broader coverage.

🔹 Recon & Infrastructure

Open Ports (heuristic) → Probes common web/database ports via fetch/WebSocket.
Extended Directory Probing → Built-in paths + harvested links + optional GitHub wordlist.
Outdated Libraries → Detects old jQuery/other frameworks.
GraphQL Introspection → Detects exposed GraphQL schemas.
Advanced Fingerprinting → Canvas, AudioContext, Battery API, WebGL, etc.

🔹 OWASP Headers & Configs

OWASP Headers Compliance → CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, Cache-Control.
CORS Policy → Detects wildcards / insecure origins.
Cache Poisoning Risks → Looks for unkeyed headers.
Clickjacking → Detects iframe embedding and missing sandbox.

🔹 Input & Data Security

Cookies → Checks Secure, HttpOnly, SameSite.
Forms & CSRF → Detects missing CSRF tokens, insecure password/file inputs.
IDOR Detection → Flags sequential/numeric IDs, probes variations.
SSRF Detection → Looks for dangerous fetch/proxy parameters.
SQL Injection Hints → Payload fuzzing for error leakage.
CSTI (Client-Side Template Injection) → Detects Angular/Vue-style injection.

🔹 XSS & Script Security

Inline Event Handlers → Flags on*= attributes.
DOM-based XSS → Detects reflected query params.
XSS Payload Fuzzing → Multiple payloads, intrusive optional.
CSP Effectiveness → Checks for unsafe-inline / unsafe-eval.
Subresource Integrity (SRI) → Verifies integrity attributes.
Third-Party Scripts → Detects external domains.

🔹 Privacy & Authentication

WebRTC & Geolocation → Flags available APIs.
WebSocket Security → Insecure ws:// connections.
Service Workers → Detects registered scopes.
Browser Fingerprinting → Canvas, Audio, Battery, WebGL.
Broken Authentication → Session fixation, weak JWTs.
Rate Limiting Test → Repeated requests to forms/APIs.

📂 Export & Reports

Export findings to JSON file.
Copy findings to clipboard.
Logs grouped by test with severity colors.

⚠️ Disclaimer

This tool is for educational purposes and auditing your own websites only.
Running it against third-party websites without permission may be illegal.
The author is not responsible for misuse.

扫码关注【爱吃馍】