Chiral
Overview
HTTP Request Repeater and Interceptor for security testing
Chiral – Browser-Native Security Suite for Chrome DevTools

Chiral brings Burp Suite-level manual testing capabilities directly into your Chrome DevTools. Designed for researchers who prioritize speed, precision, and an uncluttered workflow. No proxy certificates, no Java environment, and no "magic" AI bloat—just powerful, expert-grade tools that get out of your way.

Core Workflow Features

● True In-Flight Interception (CDP-Powered): Attach the Chrome Debugger to pause requests and responses in mid-flight. Modify method, URL, headers, and body before forwarding, or drop entirely. Edit response status codes and bodies before they reach the page.
● Professional Repeater & Diff View: Edit and replay captured requests with a table-based header editor or raw mode. Use the side-by-side Diff View (up to 8 panels) to spot minute byte-level discrepancies in responses. Cross-request search with regex and body content filtering.
● Intruder Fuzzing Engine: Mark payload positions with §markers§ and launch attacks. Four attack types: Sniper, Battering Ram, Pitchfork, and Cluster Bomb. Built-in payload generator for bruteforce attacks. Grep Match to flag successful attempts based on response patterns.
● Automated Sequence Chains: Turn a discovery into a reproducible Proof of Concept. Chain requests with Postman-style variables ({{VARNAME}}) and regex-based extraction rules. Transform steps for encoding/hashing. Condition steps for validation and branching logic.
● Passive & Active Recon Engine: Identify tech stacks, misconfigurations, and leaked secrets using 67+ regex-driven rules. In Active Mode, Chiral automatically modifies and resends requests based on your custom rule actions, or triggers sequences.
● Dynamic Target Mapping: Automatically build a structured map of your target's attack surface. Path normalization (e.g., /user/123 → /user/{id}), method tracking, and parameter extraction per endpoint. Probe for common files (robots.txt, swagger.json, .git/config). Spider in passive (fetch) or active (navigate) mode with form submission support.

Advanced Power Features

● WebSocket Monitoring: Real-time capture of WebSocket connections and frames with direction filtering and JSON formatting.
● Sandboxed Scripting: All 19+ encode/decode/hash operations (Base64, JWT, SHA-256, MD5) are user-editable JavaScript scripts running in a secure iframe.
● Integrated Cookie & Storage Manager: Full CRUD control over browser cookies and localStorage/sessionStorage. Edit attributes or import/export sessions.
● SSL Certificate Inspection: View certificate details, validity, and Subject Alternative Names directly in the response viewer.
● Regex-Centric Everything: From detection rules to extraction, Chiral uses a unified regex engine. No complex dropdowns—just raw pattern matching power.
● cURL Integration: One-click cURL export for any request, or import cURL commands directly into the Repeater or Sequences.

The Chiral Philosophy

No "Cheap Aesthetics": Professional tools are made for professionals. No AI-bloat or hidden "secret sauce". All rules, transforms, and sequences are open and customizable.
No Special Cases: Built-in features use the same systems as user-defined ones. You can inspect, modify, or replace any default rule or script.
Performance First: Passive capture runs via native DevTools APIs with zero overhead. No debugger warning until you need active interception.

Privacy & Security

● Local-Only: All data, rules, and history are stored locally in chrome.storage.local. Nothing is ever sent to an external server.
● Transparent Permissions: Optional permissions for cookie management, requested only when needed.
● Manifest V3 Compliant: Fully adheres to the latest Chrome security, privacy, and performance standards.

Ready for rapid manual testing? Add Chiral to your DevTools today.
0 out of 5 (No ratings)
Details
- Version: 1.2.1
- Updated: February 23, 2026
- Offered by: F0
- Size: 180KiB
- Languages: English
- Developer: OÜ F0
  Riia 181a 316 Tartu, Tartumaa 50411 EE
  Email: chiral@f0.ee
  Phone: +372 5883 8798
- Trader: This developer has identified itself as a trader per the definition from the European Union and committed to only offer products or services that comply with EU laws.
- D-U-N-S: 565740017
Privacy
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Support
For help with questions, suggestions, or problems, visit the developer's support site