
Browser Tool

The Browser tool provides automated web browser control for dynamic application security testing.

Tip

For a comprehensive deep-dive into browser internals, visual feedback system, and advanced workflows, see HackerBrowser Deep Dive.

[GIF placeholder: browser-automation.gif, caption "Browser tool automated testing"]

Overview

The Browser tool enables:

  • Navigating web applications
  • Interacting with page elements
  • Capturing network traffic
  • Taking screenshots
  • Executing JavaScript
  • Testing client-side vulnerabilities

Launching the Browser

Basic Launch

> Launch the browser and go to https://target.com

With Proxy

> Launch browser with traffic capture enabled

Headless Mode

> Run browser in headless mode for automation

Go to URL

> Navigate to https://target.com/login

Click Elements

> Click the login button

Fill Forms

> Fill the username field with "admin" and password with "test123"

Submit Forms

> Submit the login form

Element Interaction

By Selector

> Click the element with selector "#submit-btn"

By Text

> Click the button containing "Sign In"

By XPath

> Fill the input at xpath "//input[@name='email']"

Wait for Element

> Wait for the dashboard to load before continuing

Traffic Capture

Enable Capture

> Start capturing network traffic

View Requests

> Show all captured HTTP requests

Filter Traffic

> Show only POST requests to /api endpoints

Export HAR

> Export captured traffic to pentest-session.har

Screenshots

Full Page

> Take a screenshot of the current page

Element Screenshot

> Take a screenshot of the login form

Evidence Collection

> Screenshot the vulnerability evidence

JavaScript Execution

Run Script

> Execute JavaScript to get all cookies
document.cookie  // only cookies without the HttpOnly flag are visible here; compare with the Set-Cookie headers in the captured traffic

DOM Manipulation

> Modify the hidden field value to test tampering
document.querySelector('#hidden-field').value = 'modified'

Extract Data

> Extract all links from the page
Array.from(document.querySelectorAll('a')).map(a => a.href)

Security Testing

XSS Testing

> Test the search field for XSS vulnerabilities
  1. Navigate to search page
  2. Enter XSS payload: <script>alert(1)</script>
  3. Submit and observe whether the payload executes, is reflected raw, or comes back entity-encoded
  4. Screenshot evidence

CSRF Testing

> Check if the form has CSRF protection
  1. Inspect form for CSRF token
  2. Attempt submission without token
  3. Document results
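An added example covering the CSRF check above and the Extract Data step of the JavaScript Execution section; it is not Cyberstrike's own code. The audit logic works on plain field descriptors so it can be run and tested outside a browser; collectForms() is the thin DOM wrapper to run through Execute JavaScript, and buildReplayBody() produces the body for step 2 (submission without the token). The token name pattern, the minimum token length and the sample forms are assumptions.

```javascript
// Added example, not Cyberstrike's code. Assumed heuristic: a hidden field whose
// name looks like a token and whose value is at least 16 characters long.
const TOKEN_NAME = /csrf|xsrf|token|nonce|authenticity|_verification/i;

// A field descriptor is { name, type, value }; in the browser it is read from
// form.elements, in tests it is constructed.
function isLikelyCsrfToken(field) {
  return field.type === 'hidden'
    && TOKEN_NAME.test(field.name || '')
    && typeof field.value === 'string'
    && field.value.length >= 16;
}

// Audit one form: a state-changing (non-GET) form with no token-looking field is a suspect.
function auditForm(form) {
  const method = (form.method || 'get').toUpperCase();
  const tokens = form.fields.filter(isLikelyCsrfToken);
  return {
    action: form.action,
    method,
    tokenFields: tokens.map(t => t.name),
    hiddenFields: form.fields.filter(f => f.type === 'hidden').map(f => f.name),
    suspect: method !== 'GET' && tokens.length === 0,
  };
}

// Replay body for "attempt submission without token": same fields, named ones
// dropped, buttons left out, values otherwise unchanged.
function buildReplayBody(form, dropNames) {
  const params = new URLSearchParams();
  for (const f of form.fields) {
    if (dropNames.includes(f.name)) continue;
    if (f.type === 'submit' || f.type === 'button') continue;
    params.append(f.name, f.value ?? '');
  }
  return params.toString();
}

// DOM wrapper for the Execute JavaScript step: every form on the page as descriptors.
function collectForms(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  return Array.from(doc.querySelectorAll('form')).map(form => ({
    action: form.getAttribute('action') || doc.location.href,
    method: form.getAttribute('method') || 'get',
    fields: Array.from(form.elements)
      .filter(el => el.name)
      .map(el => ({ name: el.name, type: (el.type || '').toLowerCase(), value: el.value })),
  }));
}

// Constructed sample: a login form with a token and a profile form without one.
const SAMPLE_FORMS = [
  { action: '/login', method: 'post', fields: [
    { name: 'username', type: 'text', value: '' },
    { name: 'password', type: 'password', value: '' },
    { name: 'csrf_token', type: 'hidden', value: 'a3f9c2e1d4b7f8e6a1c2d3e4f5a6b7c8' },
  ] },
  { action: '/profile/update', method: 'POST', fields: [
    { name: 'email', type: 'email', value: 'user@example.com' },
    { name: 'id', type: 'hidden', value: '42' },
    { name: 'save', type: 'submit', value: 'Save' },
  ] },
];

function runAudit(forms = SAMPLE_FORMS) {
  return forms.map(auditForm);
}
```

The heuristic only finds the obvious gap; a form that carries a token is still worth the replay in step 2, because the server may not validate it. Send buildReplayBody(form, audit.tokenFields) to form.action with the session cookie and compare the result to a normal submission.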

Authentication Testing

> Test login for SQL injection
  1. Navigate to login
  2. Enter payload: admin' OR '1'='1' -- (MySQL only treats -- as a comment when whitespace follows it, so keep a trailing space there)
  3. Submit and check the response for a logged-in state or a database error
  4. Document bypass if successful

Session Testing

> Analyze session cookies for security issues

Checks:

  • HttpOnly flag
  • Secure flag
  • SameSite attribute
  • Session fixation
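An added example that serves both the Traffic Capture section (filtering captured requests and working with the exported HAR) and the session checks listed above; it is not Cyberstrike's own code. It reads a HAR 1.2 object of the kind the Export HAR step writes, filters it the way "Show only POST requests to /api endpoints" does, audits every Set-Cookie header for HttpOnly, Secure and SameSite, and compares the session cookie value before and after login as a fixation check. The HAR below is constructed, not a real capture; the file name and the login path are assumptions.

```javascript
// Added example, not Cyberstrike's code. Parse one Set-Cookie header value into
// name, value and the security flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    httpOnly: false, secure: false, sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// The flag checks from the list above (fixation is handled separately).
function cookieIssues(c) {
  const issues = [];
  if (!c.httpOnly) issues.push('missing HttpOnly');
  if (!c.secure) issues.push('missing Secure');
  if (!c.sameSite) issues.push('missing SameSite');
  else if (c.sameSite.toLowerCase() === 'none' && !c.secure) issues.push('SameSite=None requires Secure');
  return issues;
}

// Traffic filter by method and/or path prefix, e.g. { method: 'POST', pathPrefix: '/api' }.
function filterEntries(har, { method, pathPrefix } = {}) {
  return har.log.entries.filter(e =>
    (!method || e.request.method.toUpperCase() === method.toUpperCase()) &&
    (!pathPrefix || new URL(e.request.url).pathname.startsWith(pathPrefix)));
}

// Every cookie the server set, in capture order, with its issues.
function auditSetCookies(har) {
  const out = [];
  har.log.entries.forEach((e, i) => {
    for (const h of e.response.headers) {
      if (h.name.toLowerCase() !== 'set-cookie') continue;
      const c = parseSetCookie(h.value);
      out.push({ entry: i, url: e.request.url, ...c, issues: cookieIssues(c) });
    }
  });
  return out;
}

// Fixation check: the value of `name` set before the login POST must differ from
// the value the login response sets. Not reissuing the cookie at login is a finding too.
function rotatesOnLogin(har, name, loginPath) {
  const cookies = auditSetCookies(har);
  const loginIdx = har.log.entries.findIndex(e =>
    e.request.method.toUpperCase() === 'POST' && new URL(e.request.url).pathname === loginPath);
  if (loginIdx === -1) return { before: null, after: null, rotated: false, note: 'login request not in capture' };
  const before = cookies.filter(c => c.name === name && c.entry < loginIdx).pop();
  const after = cookies.find(c => c.name === name && c.entry === loginIdx);
  const result = { before: before ? before.value : null, after: after ? after.value : null };
  result.rotated = Boolean(before && after && before.value !== after.value);
  if (!after) result.note = 'login response did not reissue the cookie';
  else if (!before) result.note = 'no pre-login value captured; set one manually before login and re-test';
  return result;
}

// Load a HAR file written by the Export HAR step (path is the caller's choice).
function loadHar(path) {
  return JSON.parse(require('fs').readFileSync(path, 'utf8'));
}

// Constructed HAR 1.2 sample: pre-login session, login reissuing it plus a weak cookie.
function entry(method, url, status, setCookies) {
  return { request: { method, url, headers: [] },
           response: { status, headers: setCookies.map(v => ({ name: 'Set-Cookie', value: v })) } };
}
const SAMPLE_HAR = { log: { version: '1.2', entries: [
  entry('GET', 'https://target.com/', 200, ['session=pre-7f3a1c; Path=/; HttpOnly; Secure; SameSite=Lax']),
  entry('POST', 'https://target.com/api/login', 200, [
    'session=post-9b2e4d; Path=/; HttpOnly; Secure; SameSite=Lax',
    'remember=abc123; Path=/']),
  entry('GET', 'https://target.com/api/profile', 200, []),
  entry('POST', 'https://target.com/logout', 302, []),
] } };

function summarize(har = SAMPLE_HAR) {
  return {
    postToApi: filterEntries(har, { method: 'POST', pathPrefix: '/api' }).map(e => e.request.url),
    weakCookies: auditSetCookies(har).filter(c => c.issues.length),
    fixation: rotatesOnLogin(har, 'session', '/api/login'),
  };
}
```

Call summarize(loadHar('pentest-session.har')) on a real export; the weakCookies list is the evidence for the flag findings, and a fixation result with rotated set to false is the session fixation finding to verify by hand.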

Multi-Page Workflows

Login and Navigate

> Log in as user and navigate to admin panel
  1. Go to login page
  2. Enter credentials
  3. Submit form
  4. Navigate to /admin
  5. Check access

Spider Application

> Crawl the application and discover all endpoints

Automated crawling:

  • Follow links
  • Submit forms
  • Record endpoints
  • Build sitemap

Browser Configuration

Viewport Size

> Set browser viewport to mobile size

User Agent

> Use mobile user agent for testing

Cookies

> Set authentication cookie before navigating

Proxy Integration

Burp Suite

> Route traffic through Burp Suite proxy

Configuration:

{
  "browser": {
    "proxy": "http://127.0.0.1:8080"
  }
}

mitmproxy

> Use mitmproxy for traffic inspection

ZAP

> Connect to OWASP ZAP proxy

Error Handling

Element Not Found

Error: Element not found: #nonexistent

Solutions:

  • Verify selector
  • Wait for element
  • Check page state

Navigation Timeout

Error: Navigation timeout

Solutions:

  • Increase timeout
  • Check network connectivity
  • Verify URL

JavaScript Error

Error: JavaScript execution failed

Solutions:

  • Check syntax
  • Verify DOM state
  • Handle async operations

Best Practices

  1. Wait for elements - Use explicit waits
  2. Handle popups - Dismiss or accept alerts
  3. Clean state - Clear cookies between tests
  4. Capture evidence - Screenshot all findings
  5. Export traffic - Save HAR for analysis

Tip

Use the browser tool for testing client-side vulnerabilities that require JavaScript execution.

BrowserUI Tool

For interactive browser control:

> Open interactive browser session

Features:

  • Visual browser window
  • Manual interaction
  • Real-time inspection
  • Live traffic monitoring