ShadowSec Panel v13

Shadow DOM UI with advanced OWASP-aligned checks: v10.3 UI + v5 depth + intrusive probes (SQLi/IDOR/SSRF/Rate-limit) and heuristics (ports/cache/fingerprinting). Live summary, filters, search, export, copy, and a Settings page for wordlists and options.

如何安装

您需要先安装一个扩展,例如 篡改猴Greasemonkey暴力猴,之后才能安装此脚本。

您需要先安装一个扩展,例如 篡改猴暴力猴,之后才能安装此脚本。

您需要先安装一个扩展,例如 篡改猴暴力猴,之后才能安装此脚本。

您需要先安装一个扩展,例如 篡改猴Userscripts ,之后才能安装此脚本。

您需要先安装一款用户脚本管理器扩展,例如 Tampermonkey,才能安装此脚本。

您需要先安装用户脚本管理器扩展后才能安装此脚本。

(我已经安装了用户脚本管理器,让我安装!)

如何安装

您需要先安装一款用户样式管理器扩展,比如 Stylus,才能安装此样式。

您需要先安装一款用户样式管理器扩展,比如 Stylus,才能安装此样式。

您需要先安装一款用户样式管理器扩展,比如 Stylus,才能安装此样式。

您需要先安装一款用户样式管理器扩展后才能安装此样式。

您需要先安装一款用户样式管理器扩展后才能安装此样式。

您需要先安装一款用户样式管理器扩展后才能安装此样式。

(我已经安装了用户样式管理器,让我安装!)

作者
Erik Galstyan
日安装量
0
总安装量
11
评分
0 0 0
版本
13.0.1
创建于
2025-08-28
更新于
2025-08-28
大小
58.3 KB
许可证
MIT
适用于
所有网站

🔐 ShadowSec Panel: DOM Website Security Panel

ShadowSec is a Tampermonkey userscript that injects a powerful website security auditing panel directly into your browser. It's built with a modern Shadow DOM UI and runs a wide range of security checks with real-time reporting.

⚠️ This tool is intended for educational purposes and for auditing your own websites only!

✨ Features

🖥 Modern User Interface

  • Shadow DOM isolation - unaffected by site CSS/JS.
  • Dark/Light theme toggle.
  • Expandable test result groups with <details> sections.
  • Severity filters (High / Medium / Low).
  • Instant log search box.
  • Live summary dashboard.

⚙️ Panel Settings

  • Configure external wordlist URL for directory probing.
  • Set maximum number of probe requests per scan.
  • Settings persist across sessions.

🔍 Security Checks

ShadowSec merges the strict, detailed checks from earlier versions with new recon and fuzzing modules for broader coverage.

🔹 Recon & Infrastructure

  • Open Ports (heuristic) → Probes common web/database ports via fetch/WebSocket.
  • Extended Directory Probing → Built-in paths + harvested links + optional GitHub wordlist.
  • Outdated Libraries → Detects old jQuery/other frameworks.
  • GraphQL Introspection → Detects exposed GraphQL schemas.
  • Advanced Fingerprinting → Canvas, AudioContext, Battery API, WebGL, etc.

🔹 OWASP Headers & Configs

  • OWASP Headers Compliance → CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, Cache-Control.
  • CORS Policy → Detects wildcards / insecure origins.
  • Cache Poisoning Risks → Looks for unkeyed headers.
  • Clickjacking → Detects iframe embedding and missing sandbox.

🔹 Input & Data Security

  • Cookies → Checks Secure, HttpOnly, SameSite.
  • Forms & CSRF → Detects missing CSRF tokens, insecure password/file inputs.
  • IDOR Detection → Flags sequential/numeric IDs, probes variations.
  • SSRF Detection → Looks for dangerous fetch/proxy parameters.
  • SQL Injection Hints → Payload fuzzing for error leakage.
  • CSTI (Client-Side Template Injection) → Detects Angular/Vue-style injection.

🔹 XSS & Script Security

  • Inline Event Handlers → Flags on*= attributes.
  • DOM-based XSS → Detects reflected query params.
  • XSS Payload Fuzzing → Multiple payloads, intrusive optional.
  • CSP Effectiveness → Checks for unsafe-inline / unsafe-eval.
  • Subresource Integrity (SRI) → Verifies integrity attributes.
  • Third-Party Scripts → Detects external domains.

🔹 Privacy & Authentication

  • WebRTC & Geolocation → Flags available APIs.
  • WebSocket Security → Insecure ws:// connections.
  • Service Workers → Detects registered scopes.
  • Browser Fingerprinting → Canvas, Audio, Battery, WebGL.
  • Broken Authentication → Session fixation, weak JWTs.
  • Rate Limiting Test → Repeated requests to forms/APIs.

📂 Export & Reports

  • Export findings to JSON file.
  • Copy findings to clipboard.
  • Logs grouped by test with severity colors.

⚠️ Disclaimer

This tool is for educational purposes and auditing your own websites only.
Running it against third-party websites without permission may be illegal.
The author is not responsible for misuse.