Skip to content
Firefox extension which parses the headers of all the requests which are being flowing through your firefox browser to detect for vulnerabilities.
JavaScript HTML CSS
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
vuln-headers-extension Structures the code Oct 28, 2018
GUI.PNG Adds screenshot of updated GUI Oct 27, 2018
LICENSE Updates GUI interface screenshot in readme Oct 27, 2018


This is firefox extension which parses the requests before forwarding to the DNS server to scan for vulnerable URLs which occur due to Headers.


The extension currently detects URLs which are vulnerable to

  • CORS Misconfiguration
  • Host Header Injection
  • Missing X-XSS-Protection headers (commented in the code due to its low severity)
  • Clickjacking support


Submitted vulnerabilities to websites like , #Chargify, #Hotstar, #Medium, etc using this tool. Got listed in #Chargify HOF and other organisaitons are resolving the issues.



Method 1 -
  1. Clone the repo or fork it.
  2. Open Firefox and load about:debugging in the URL bar.
  3. Click the Load Temporary Add-on button and select the manifest.json file in your cloned repo.
  4. Now the vuln-headers-extension is installed.
Method 2 -
  1. Clone the repo or fork it.
  2. Install the web-ext tool, a npm package.
  3. Change into the directory where you cloned the repo.
  4. Type web-ext run. This will launch Firefox and install the extension.

Using -

  1. Once you install the extension you can see an icon in the tool bar.
  2. Click on the icon and a new tab gets opened.
  3. Leave it open and do your browsing/work.
  4. The extension automatically logs all the vulnerable URLs to the new tab.
  5. Now you can submit a report to the respective organisaiton and make it more secure.


Want to add more features to it? Fork the repo and create a Pull Request. Like this tool, STAR it and click on Watch to get more updates on this tool.


You can’t perform that action at this time.