A standalone desktop application for analyzing Chrome extensions, monitoring browser activity, and detecting malicious behavior.
Double-click start.bat
./start.sh- Upload
.crxor.zipfiles - See risk score and security analysis
- View permissions and suspicious code patterns
- Click Start Testing to launch Chrome with activity logging
- All extension API calls and network requests are recorded
- Real-time stats: Network, API Calls, DOM Events, Duration
- Click Stop to generate a detailed report
Templates Available:
| Template | Purpose |
|---|---|
| 🌐 Browse Popular Sites | Google, GitHub, Amazon, Facebook, Twitter |
| 🛒 Shopping Flow | Amazon, eBay product searches |
| 🔐 Login Pages Test | Facebook, GitHub, Twitter, Instagram logins |
| 🏦 Banking Sites Test | PayPal, Chase, Bank of America |
| 💰 Crypto Sites Test | Coinbase, Binance, MetaMask |
| 📧 Google Login Test | Google step-by-step login |
| 🛒 Amazon Login Test | Amazon login flow |
| 🛡️ Full Security Test | Complete: social + banking + crypto |
Use your own test accounts for security testing:
- Click ⚙️ Manage to open credentials manager
- Add site-specific credentials (facebook, google, etc.)
- Or Import JSON with your credentials file
- Enable "Use Test Credentials" checkbox
- Run login automation templates
Credentials File Format:
{
"default": {
"email": "default@email.com",
"password": "password"
},
"sites": {
"facebook": { "email": "fb@email.com", "password": "fbpass" },
"google": { "email": "google@email.com", "password": "gpass" }
}
}Edit: app/data/test-credentials.json
Detects malicious DOM manipulations:
| Event | Severity | Description |
|---|---|---|
script_injected |
🔴 Critical | Script tags added to page |
form_action_changed |
🔴 Critical | Form action URL modified |
keylogger_suspect |
🔴 Critical | Keydown/keyup listeners added |
iframe_injected |
🟠 High | iFrame tags added |
cookie_read/write |
🟠 High | Cookie access detected |
form_submit_listener |
🟠 High | Submit event intercepted |
storage_write |
🟡 Medium | localStorage modified |
link_href_changed |
🟡 Medium | Link URLs changed |
- View network requests with bodies
- See extension API activities
- DOM events and manipulations
- Suspicious activities highlighted
- Export reports as JSON
Chrome launched with --enable-extension-activity-logging
↓
Activity stored in SQLite database
↓
App polls database every 2 seconds
↓
All API calls captured in report
Puppeteer connects to Chrome
↓
Network.enable + Fetch.enable
↓
Captures requests with bodies
↓
Captures responses with bodies
↓
Detects sensitive data transfers
dom-monitor.js injected into pages
↓
MutationObserver watches DOM
↓
API hooks (addEventListener, fetch, cookies)
↓
Events sent to main process
↓
Suspicious patterns detected
chromeMonitoring/
├── start.sh / start.bat
├── README.md
├── credentials-template.json # Sample credentials
└── app/
├── package.json
├── main.js # Electron main process
├── preload.js # IPC bridge
├── analyzer.js # CRX static analysis
├── monitor.js # Browser monitoring
├── automation.js # Automation engine
├── activity-reader.js # SQLite reader
├── dom-monitor.js # DOM change detector
├── test-credentials.js # Credentials manager
├── data/
│ └── test-credentials.json # Your credentials
└── ui/
├── index.html
├── styles.css
└── renderer.js
- Node.js 18+
- Google Chrome
cd app
npm install
npm run build:linux # .AppImage / .deb
npm run build:win # .exe installer| Threat Type | Detection Method |
|---|---|
| Credential Stealers | Form hijacking, keylogger detection |
| Data Exfiltration | Network requests with sensitive data |
| Cookie Thieves | Cookie access monitoring |
| Crypto Stealers | Suspicious crypto site activity |
| Search Hijackers | Form action changes |
| Ad Injectors | Script/iframe injection |
| Redirectors | Link href modifications |
| Phishing Overlays | Overlay element detection |
MIT