🧰 Security Toolkit

A focused arsenal of browser-based scanners for bug-bounty hunters, red teamers, and defenders. No signup, no install — paste a URL, get answers. All 18 tools share the same one-input, one-click workflow.

Authorized testing only. These tools issue real HTTP requests. Use them against systems you own, or have explicit permission to test. See Terms of Use for the full agreement.
18
Scanners
0
API Keys Required
100%
Browser-Based
FREE
No Account

🌐 Surface & Exposure Mapping

Map what's exposed before someone else does. Discover ports, subdomains, takeover risk, cloud assets.

🎯
Attack Surface Scanner
Aggregate ports, CVEs and threat-intel for any domain.
 🛡️
Exposed
Domain security scan and breach check in one shot.
 ⚠️
Subdomain Takeover
Detect dangling DNS pointing at vulnerable services.
 🛰️
Shodan InternetDB Recon
Pull Shodan exposure data for any IP or host.
 🔓
Default Credentials
Check device/service against a known default-creds DB.
 📧
Email Harvester Pro
Aggregate exposed emails for a target domain.

🔬 Application & Header Audits

Inspect what a target site actually serves — headers, scripts, forms, redirects.

🛡️
Security Header Audit
Score CSP, HSTS, X-Frame-Options and friends.
 🧱
CSP Bypass Analyzer
Find weak directives and bypass paths in CSP rules.
 🍪
Cookie & Tracker Exposer
List every cookie, third-party script and tracker.
 🔀
Open Redirect Scanner
Probe known and parameter-based redirect endpoints.
 📝
Form Security Auditor
Audit forms for autocomplete, CSRF, and HTTPS posture.
 🔓
CORS Misconfig Tester
Test CORS pre-flight responses for risky origins.

⚡ JS, DOM & Asset Recon

Find vulnerabilities and exposed metadata buried in client-side code.

💉
DOM XSS Scanner
Hunt unsafe sinks across rendered DOM and inline JS.
JS Library CVE Scanner
Detect outdated front-end libraries with known CVEs.
 🗺️
Source Map Revealer
Recover original source from public *.map files.
 🔌
API Endpoint Discovery
Extract API routes from JS bundles and HTML.
 🤖
Hidden Path Recon
Pull paths from robots.txt, sitemaps and JS strings.
 🔷
Favicon Hash Recon
Hash favicons to fingerprint stack and infrastructure.

📦 Repos, Identifiers & Hashes

Audit GitHub repos, decode hashes, look up known indicators.

🔒
Repo Security Auditor
Scan a public GitHub repo for secrets and risk signals.
 #️⃣
Hash Analyzer
Identify hash type and check for known matches.

📚 Related guides

Background reading for the techniques these tools automate.

🧬
DNS Reconnaissance Guide
Subdomain enumeration techniques, end-to-end.
 🔐
Certificate Transparency for OSINT
Find every cert ever issued for a domain.
 🔑
Password Security & Entropy
How modern hash analysis and cracking actually works.