TL;DR: I built FlashFuzz, an open-source browser extension that fuzzes URLs and scans loaded JavaScript for likely secrets across all open tabs — so you don’t have to jump between terminal tools and your browser during recon. Fast, lightweight, and made for pentesters & bug bounty hunters. Try it: https://github.com/Ademking/FlashFuzz
When doing recon, I kept switching between terminal tools like ffuf/dirsearch and whatever tab I was actively exploring. That context-switching slowed me down. I wanted something that:
(a) fuzzes the URLs I already have open,
(b) inspects the JS loaded in those tabs for likely secrets, and
(c) runs quickly without leaving the browser.
Enter FlashFuzz — a plug-and-play Chrome extension for quick, in-browser URL fuzzing and automated secret scanning.
What it does
- Fuzz URLs across all open tabs to discover hidden endpoints and directories.
- Scan loaded JavaScript files in each tab for likely secrets (API keys, tokens, AWS keys, etc.).
- Support for custom wordlists or built-in example lists.
- Concurrent requests with configurable batch size and request interval.
- Exportable results with request/response snapshots for reporting or deeper analysis.
- Lightweight UI for quick runs and detailed per-result inspection.
- Open source — inspect, modify, and contribute.
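The JavaScript secret scan from the list above, sketched as an added example (not FlashFuzz's code; the rule set, the entropy threshold and the sample bundle are assumptions constructed here). It pairs regex rules with a Shannon-entropy gate that drops placeholder values, and redacts previews so findings can go straight into a report.

```javascript
// Added example, not FlashFuzz's code. Rules and thresholds are assumptions.
const RULES = [
  // AWS access key IDs: fixed prefix plus 16 upper-case alphanumerics.
  { name: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g, minEntropy: 0 },
  // Three base64url segments starting with the encoded '{"' of a JWT header.
  { name: "jwt", re: /\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}/g, minEntropy: 0 },
  // Keyword assigned a long quoted string; noisy, so gated on entropy.
  { name: "generic-assignment",
    re: /(?:api[_-]?key|secret|token)["']?\s*[:=]\s*["']([\w\-\/+=]{16,})["']/gi,
    minEntropy: 3.5 },
];

// Shannon entropy in bits per character; repeated placeholders score near 0.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Never store the full value in a finding: keep a short prefix and the length.
function redact(value) {
  return `${value.slice(0, 4)}...(${value.length} chars)`;
}

function scanSource(url, source) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.re)) {
      const value = m[1] || m[0]; // captured value if the rule has a group
      if (shannonEntropy(value) < rule.minEntropy) continue;
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ url, rule: rule.name, line, preview: redact(value) });
    }
  }
  return findings;
}

// Constructed sample bundle. Line 2 is the key ID used in AWS documentation.
const SAMPLE = [
  'const cfg = { region: "us-east-1" };',
  'const awsId = "AKIAIOSFODNN7EXAMPLE";',
  'const apiKey = "xxxxxxxxxxxxxxxxxxxxxxxx";', // placeholder, entropy 0
  'const api_key = "q9Zr2LmX7pVt4KdW8sNc1YbH";', // constructed random value
].join("\n");

console.log(scanSource("https://app.example.test/main.js", SAMPLE));
```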
Why I built it
Switching between the browser and terminal for quick checks was a constant drag. For many reconnaissance tasks you already have the pages you care about open — why not fuzz them directly and scan their JS right there? FlashFuzz is my attempt to reduce friction in that workflow: fast, minimal, and ready for immediate use during manual testing.
Install (developer / local install)
- Download the latest release from the Releases page.
- Open Chrome and go to chrome://extensions/.
- Enable Developer mode (toggle at top right).
- Click Load unpacked and select the extracted extension folder.
- Pin the FlashFuzz icon to your toolbar and open it to begin fuzzing.
Note: At the moment FlashFuzz is distributed as an unpacked extension for easy testing. Packaged release builds are available on the Releases page.
Basic usage
- Ensure FlashFuzz is enabled (toggle in the extension UI).
- Open the tabs you want to scan (you can scan one or many).
- Configure your wordlist and batch size if needed, then start the run.
- View results in the UI — each finding includes the request and response snapshot for quick triage.
- Export findings as JSON/CSV for reporting or follow-up.
Key settings
- Wordlist: Use the default built-in list or upload your own.
- Batch size: Number of concurrent requests (default: 10).
- Interval between batches: Delay between batches to reduce load on target hosts (default: 500 ms).
- Duplicate response filter: Filter out responses with identical content length to reduce noise.
Security & privacy
- All scanning is performed locally in your browser. FlashFuzz does not send your data to external servers.
- The extension may generate a large number of requests — use responsibly and only against targets you are authorized to test.
FAQ
Q: Is FlashFuzz free?
A: Yes — it’s free and open source (MIT).
Q: Can I use my own wordlists?
A: Absolutely. Upload your lists via the settings panel.
Q: Will FlashFuzz leak data externally?
A: No — everything runs locally. No external telemetry is sent by the extension.
Disclaimer
FlashFuzz is a reconnaissance tool intended for security testing with explicit authorization. Unauthorized scanning or fuzzing of systems you do not own or have permission to test may be illegal and could be treated as malicious activity. I am not responsible for any damage or legal consequences that arise from misuse. Always get written permission and follow the scope when performing testing.
Contributing
Contributions are welcome! Fork the repo, open issues for feature requests or bugs, and submit pull requests. I’d love help improving wordlists, reducing false positives, and adding integrations (e.g., payload templates, reporting formats, or CI hooks).
GitHub: https://github.com/Ademking/FlashFuzz
Final notes
If you try FlashFuzz I’d really appreciate feedback — bugs, feature requests, or any ideas to make it more useful in real recon workflows. Drop an issue or a PR on GitHub, or ping me on social channels.