Firefox Extension
The Cyberstrike Firefox extension intercepts HTTP traffic from your browser and forwards it to the Cyberstrike API, where the proxy-agent analyzes and tests each request automatically.
Installation
The source code is available at github.com/CyberStrikeus/cyberstrike-firefox-ext.
The extension is loaded as a temporary add-on during development:
- Clone the repository: `git clone https://github.com/CyberStrikeus/cyberstrike-firefox-ext`
- Open Firefox and navigate to `about:debugging`
- Click This Firefox in the left sidebar
- Click Load Temporary Add-on…
- Select the `manifest.json` file from the cloned directory
The extension icon appears in the Firefox toolbar once loaded.
Caution
Start Cyberstrike before opening the extension popup. The popup connects to the local API on startup.
Configuration
Open the extension popup by clicking the toolbar icon.
Server URL
The extension connects to the Cyberstrike API at:
`http://127.0.0.1:4096`
Change this in the Server URL field if you are running the API on a different address or port.
Scope
Enter the target domain in the Scope field:
`shop.example.com`
Only requests whose hostname matches this scope are captured. Requests to other domains are ignored.
Subdomain wildcards are supported:
`*.example.com`
Session
Select an existing session from the dropdown or create a new one. All captured requests and discovered context are stored within the active session.
Starting and Stopping Capture
Click Start to begin intercepting traffic. The request counter increments as the extension captures matching requests.
Click Stop to pause capture. The session remains active and the proxy-agent continues processing any queued requests.
Credential Management
Credentials represent authenticated user identities. The extension tracks authentication headers per Firefox container and links each captured request to the appropriate credential.
Why Credentials Matter
The proxy-agent uses credentials to test cross-user vulnerabilities:
- IDOR — can Credential A access resources owned by Credential B?
- Authorization bypass — can a lower-privileged credential access endpoints that require higher privileges?
- Mass assignment — can a regular user inject admin-only fields?
The more credentials you register (admin, regular user, guest, etc.), the broader the cross-user testing coverage.
Firefox Containers
Firefox Containers isolate browser sessions so you can be logged in as multiple users simultaneously. Each container maintains its own cookies and local storage.
Setup:
- Install the Multi-Account Containers add-on from Mozilla
- Open Manage Containers and create one container per user role:
  - Admin (red)
  - Regular User (blue)
  - Guest (green)
- Open the target application in each container and log in with the corresponding account
- In the Cyberstrike popup, add a credential for each container (see below)
Adding a Credential
In the popup:
- Click Add Credential
- Enter a descriptive label — for example `admin-user` or `regular-user`
- Select the Firefox container linked to that account
- Click Save
The credential is registered with the Cyberstrike API. From this point, requests captured from that container are automatically tagged with the credential ID.
Automatic Header Sync
When the extension detects that an auth header has changed in a container — for example after a token refresh — it automatically syncs the updated headers to the credential via PATCH /session/{id}/web/credentials/{credId}. You do not need to manually update credentials after token rotations.
Tracked Authentication Headers
The extension monitors these headers for credential tracking:
| Header | Description |
|---|---|
| Authorization | Bearer tokens, Basic auth |
| Cookie | Session cookies |
| X-Auth-Token | Custom auth tokens |
| X-API-Key | API keys |
| X-Access-Token | OAuth access tokens |
| X-Session-Token | Session tokens |
| X-CSRF-Token | CSRF tokens |
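The per-container header tracking behind Automatic Header Sync, as an added example rather than the extension's own source: tracked headers are compared against the last values seen in the same container and only the changed ones are reported, which is the point at which a credential sync would be issued. The `[{name, value}]` header shape and the `cookieStoreId` container identifier are assumptions.

```javascript
// Added example (not the Cyberstrike extension's code): detect changes to the
// tracked authentication headers per Firefox container so a credential sync can
// be triggered only on rotation. Header list shape and container id are assumed.
const TRACKED_HEADERS = [
  "authorization", "cookie", "x-auth-token", "x-api-key",
  "x-access-token", "x-session-token", "x-csrf-token",
];

// Pull the tracked headers (lower-cased names) out of a request's header list,
// assumed to be [{ name, value }, ...] as webRequest listeners receive them.
function extractAuthHeaders(requestHeaders) {
  const found = {};
  for (const { name, value } of requestHeaders) {
    const key = name.toLowerCase();
    if (TRACKED_HEADERS.includes(key)) found[key] = value;
  }
  return found;
}

function makeHeaderTracker() {
  const byContainer = new Map(); // cookieStoreId -> last known auth headers

  // Returns null when no tracked header carries a new value for this container,
  // otherwise an object holding only the headers whose value changed. The first
  // observation in a container reports all of its auth headers (initial sync).
  // Headers absent from a request are not treated as removed, so a request that
  // simply omits Cookie does not cause a spurious sync.
  return function observe(cookieStoreId, requestHeaders) {
    const current = extractAuthHeaders(requestHeaders);
    const known = byContainer.get(cookieStoreId) || {};
    const changed = {};
    for (const [key, value] of Object.entries(current)) {
      if (known[key] !== value) changed[key] = value;
    }
    if (Object.keys(changed).length === 0) return null;
    byContainer.set(cookieStoreId, { ...known, ...changed });
    return changed;
  };
}
```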
Request Filtering
The extension skips static assets automatically to reduce noise:
| Category | Extensions |
|---|---|
| Images | .png .jpg .jpeg .gif .svg .ico .webp |
| Stylesheets & Scripts | .css .js .mjs |
| Fonts | .woff .woff2 .ttf .eot .otf |
| Media | .mp4 .mp3 .avi .mov .webm |
| Archives & Documents | .pdf .zip .gz .br |
| Source Maps | .map |
Only application-level requests (API calls, form submissions, page navigations) are forwarded.
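The Scope rule and the static-asset skip list above, combined into one capture decision as an added example (not the extension's own code). Whether `*.example.com` also matches the bare apex domain is not stated on this page; the code below assumes it does not.

```javascript
// Added example (not the Cyberstrike extension's code): decide whether a request
// URL is forwarded, using the Scope field (exact host or "*.example.com") and
// the static-asset extension list from the table above. Apex exclusion for
// wildcard scopes is an assumption.
const SKIPPED_EXTENSIONS = new Set([
  ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".webp",
  ".css", ".js", ".mjs",
  ".woff", ".woff2", ".ttf", ".eot", ".otf",
  ".mp4", ".mp3", ".avi", ".mov", ".webm",
  ".pdf", ".zip", ".gz", ".br",
  ".map",
]);

// "shop.example.com" matches only that host; "*.example.com" matches any
// subdomain of example.com. Comparison is case-insensitive.
function hostInScope(hostname, scope) {
  const host = hostname.toLowerCase();
  const pattern = scope.trim().toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

// True when the last path segment ends with one of the skipped extensions.
// Only the final segment is inspected, so "/api/v1.2/orders" is not an asset.
function isStaticAsset(pathname) {
  const last = pathname.split("/").pop() || "";
  const dot = last.lastIndexOf(".");
  if (dot === -1) return false;
  return SKIPPED_EXTENSIONS.has(last.slice(dot).toLowerCase());
}

// Capture only in-scope, non-asset requests; unparsable URLs are ignored.
function shouldCapture(rawUrl, scope) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (!hostInScope(url.hostname, scope)) return false;
  if (isStaticAsset(url.pathname)) return false;
  return true;
}
```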
What Gets Sent to the API
For each captured request, the extension sends a single payload to POST /session/ingest:
```json
{
  "text": "POST /api/orders HTTP/1.1\r\nHost: shop.example.com\r\nAuthorization: Bearer eyJ...\r\nContent-Type: application/json\r\n\r\n{\"item_id\": 42, \"qty\": 1}",
  "sessionID": "session-abc123",
  "credential_id": "web_credential-xyz789",
  "response": {
    "status": 201,
    "headers": { "content-type": "application/json" },
    "body": "{\"order_id\": 573, \"total\": 29.99, \"status\": \"pending\"}"
  }
}
```
The text field contains the full raw HTTP request. The response body is capped at 500 KB by the extension; the API reduces it further to 100 KB before sending it to the proxy-agent.
Duplicate Detection
The Cyberstrike API deduplicates requests server-side. A request is skipped if it has the same HTTP method, normalized path, body structure, and query parameter keys as a previously processed request. This prevents the proxy-agent from re-testing identical endpoints redundantly.
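A deduplication key built from the four properties named above, as an added example and not Cyberstrike's server-side code. How the API normalizes paths and defines "body structure" is not documented on this page, so the example assumes numeric or UUID-looking path segments collapse to `{id}` and that body structure is the sorted set of JSON key paths with values dropped.

```javascript
// Added example (not Cyberstrike's server code): key = method + normalized path
// + query parameter keys + body structure. Path normalization and the body-shape
// definition are assumptions, see the lead-in.
const ID_SEGMENT = /^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// "/api/orders/573/" -> "/api/orders/{id}"
function normalizePath(pathname) {
  const joined = pathname
    .split("/")
    .map((seg) => (ID_SEGMENT.test(seg) ? "{id}" : seg))
    .join("/");
  return joined.replace(/\/+$/, "") || "/";
}

// Key paths of a parsed JSON value, e.g. {"a":{"b":1},"c":[{"d":2}]}
// -> ["a", "a.b", "c", "c[].d"]; array items share one "[]" position.
function bodyShape(value, prefix = "", out = new Set()) {
  if (Array.isArray(value)) {
    for (const item of value) bodyShape(item, prefix + "[]", out);
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const path = prefix ? `${prefix}.${key}` : key;
      out.add(path);
      bodyShape(value[key], path, out);
    }
  }
  return [...out].sort();
}

// Canonical JSON tuple; two requests with equal keys hit the same endpoint shape.
function dedupKey(method, rawUrl, body) {
  const url = new URL(rawUrl);
  const queryKeys = [...new Set(url.searchParams.keys())].sort();
  let shape = [];
  if (body) {
    try { shape = bodyShape(JSON.parse(body)); } catch { shape = ["<non-json>"]; }
  }
  return JSON.stringify([method.toUpperCase(), normalizePath(url.pathname), queryKeys, shape]);
}

// Returns a function reporting true when a request duplicates one already seen.
function makeDeduper() {
  const seen = new Set();
  return (method, rawUrl, body) => {
    const key = dedupKey(method, rawUrl, body);
    if (seen.has(key)) return true;
    seen.add(key);
    return false;
  };
}
```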
Context Panel
The popup displays context that the proxy-agent has accumulated across all processed requests:
| Panel | Content |
|---|---|
| Credentials | All registered credentials and their linked roles |
| Roles | User roles discovered by proxy-analyzer |
| Objects | Data entities (User, Order, Product) and their fields |
| Functions | Endpoint–function mappings with CRUD action types |
This panel is read-only. The proxy-agent populates it progressively as it processes more requests.
For a richer view with navigation, use the /web command in the Cyberstrike TUI.
Related Documentation
- Web Proxy Testing - How all components fit together
- Context Management - Viewing context and vulnerabilities in the TUI
- Proxy Agent - Full technical reference