Excalibur
Dual-component security testing tool for bypassing WAFs, CAPTCHAs, and anti-bot protections. Chrome extension records HTTP traffic during manual browser interaction. Burp Suite extension imports HAR files and extracted cookies for automated bug bounty and penetration testing workflows.
Install / Use
/learn @Teycir/ExcaliburREADME
Support Development
If this project helps your work, support ongoing maintenance and new features.
ETH Donation Wallet
0x11282eE5726B3370c8B480e321b3B2aA13686582
Scan the QR code or copy the wallet address above.
Excalibur
Manual WAF Bypass & Cookie Extractor - Chrome Extension + Burp Integration
Project Description
Excalibur is a powerful dual-component security testing tool designed to bypass Web Application Firewalls (WAFs), CAPTCHAs, and other anti-bot protections through manual browser interaction. It consists of:
- Chrome Extension - Intercepts and records HTTP traffic while you manually solve CAPTCHAs, complete authentication flows, and navigate through protected applications.
- Burp Suite Extension - Imports recorded HTTP Archive (HAR) files and extracted cookies into Burp Suite, enabling automated security testing on previously protected endpoints.
Why Excalibur?
Modern web applications employ increasingly sophisticated security measures including WAFs, CAPTCHAs, and bot detection systems. These protections often block automated security scanners and make it difficult to test APIs behind authentication. Excalibur bridges this gap by allowing you to:
- Maintain legitimate sessions through manual interaction with the application
- Capture complete HTTP traffic including headers, cookies, and timing data
- Export authenticated sessions to professional security tools like Burp Suite
- Accelerate security testing by eliminating manual cookie extraction and session setup
How It Works
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Manual │ → │ Excalibur │ → │ Burp Suite │
│ Browser │ │ Record & │ │ Security │
│ Interaction │ │ Export │ │ Testing │
└──────────────┘ └──────────────┘ └──────────────┘
- You browse the target application manually in Chrome, solving any CAPTCHAs or authentication challenges as a normal user would.
- Excalibur records all HTTP traffic during your session, capturing requests, responses, headers, and cookies in real time.
- Export the recorded session as HAR and JSON files, then load them into Burp Suite for detailed security analysis and automated scanning.
Table of Contents
- Project Description
- Quick Start
- Recent Updates
- Usage Workflow
- Features
- Advantages Over DevTools HAR Export
- Output Files
- Architecture
- Use Cases
- Synergistic Projects
- Project Structure
- Troubleshooting
- Development
- Changelog
- Security Disclosure
- License
- Author & Attribution
- Disclaimer
Quick Start
Chrome Extension
- Open Chrome → `chrome://extensions/`
- Enable Developer mode (top right toggle)
- Click Load unpacked
- Select the `chrome extension/` folder
- Pin the Excalibur icon to your toolbar
Burp Extension
- Open Burp Suite (Professional or Community)
- Extensions → Add → Python
- Select `burp-extension/excalibur_loader.py`
- Verify the extension loads successfully
- Navigate to the Excalibur tab
Prerequisites
- Chrome/Chromium browser
- Burp Suite (Professional or Community Edition)
- Jython standalone JAR (for Burp Python support)
Recent Updates
- Added foldable popup panels with Quick Mode / Pro Mode to reduce UI clutter while keeping core controls visible.
- Added Pin Monitor / Unpin Monitor flow for persistent live tracking during browsing.
- Added storage governance UX:
  - live storage usage + safety status
  - one-click Clear Storage with bin icon
  - automatic cleanup after export and on browser startup
- Added advanced capture intelligence:
  - Time Machine checkpoints
  - Auth Drift Radar
  - Challenge-aware timeline + scrubber markers
  - Exploration Heatmap and blind-spot suggestions
  - Replay Studio scenario generation
- Added better operator guidance:
  - empty-state coaching card
  - smart alerts strip
  - fixed inline undo dock (replacing floating undo)
  - richer backend error details surfaced in popup
- Burp extension improvements:
  - Clear History action in HTTP toolbar
  - workspace save/load flow
  - optimized filter performance for large datasets
Usage Workflow
Simple 3-Step Process
- Record in Chrome
  - Click the Excalibur icon in Chrome
  - Click ▶️ Start Recording
  - Navigate to the target site
  - Solve CAPTCHAs, complete authentication flows
  - Click ⏹️ Stop Recording
- Export Session Artifacts
  - Click 📦 Export HAR + Insights
  - Four files download automatically:
    - `excalibur-session-YYYYMMDD-HHMMSS.har`
    - `excalibur-session-YYYYMMDD-HHMMSS-cookies.json`
    - `excalibur-session-YYYYMMDD-HHMMSS-replay-studio.json`
    - `excalibur-session-YYYYMMDD-HHMMSS-insights.json`
- Load in Burp
  - Open Burp → Excalibur tab
  - Click Load HAR File → select the exported HAR
  - Click Load Cookies JSON → select the exported cookies
  - View requests in Target → Site Map and the History tab
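As an added example (not Excalibur's own code), the script below shows the work the cookies JSON export spares you: it reads a standard HAR 1.2 log, collects the recorded hosts, and keeps only the Set-Cookie data whose domain matches the hosts in scope. The HAR content is constructed, and the output layout is an assumption, since the page does not document the -cookies.json schema.

```python
import json
from urllib.parse import urlparse

# Constructed sample in HTTP Archive 1.2 shape, standing in for an
# excalibur-session-*.har export; not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/login"},
     "response": {"status": 200, "cookies": [
         {"name": "session", "value": "abc123", "domain": ".example.test",
          "path": "/", "httpOnly": True, "secure": True}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/me"},
     "response": {"status": 200, "cookies": [
         {"name": "session", "value": "def456", "domain": ".example.test"}]}},
    {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/tag.js"},
     "response": {"status": 200, "cookies": [
         {"name": "tracker", "value": "zzz", "domain": "cdn.thirdparty.test"}]}},
]}}

def recorded_hosts(har):
    """Every hostname that appears in a recorded request URL."""
    return {urlparse(e["request"]["url"]).hostname for e in har["log"]["entries"]}

def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: exact host, or host under the cookie's domain."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def extract_cookies(har, scope_hosts=None):
    """Pull Set-Cookie data out of HAR responses, keeping only cookies whose
    domain matches a host in scope (default: every recorded host). A cookie
    re-issued later in the session overwrites the earlier value."""
    scope = scope_hosts if scope_hosts is not None else recorded_hosts(har)
    jar = {}
    for entry in har["log"]["entries"]:
        req_host = urlparse(entry["request"]["url"]).hostname
        for c in entry["response"].get("cookies", []):
            domain = c.get("domain") or req_host  # no Domain attribute: host-only
            if not any(domain_matches(domain, h) for h in scope):
                continue
            key = (domain.lstrip(".").lower(), c.get("path", "/"), c["name"])
            jar[key] = {"name": c["name"], "value": c["value"], "domain": domain,
                        "path": c.get("path", "/"), "secure": c.get("secure", False),
                        "httpOnly": c.get("httpOnly", False)}
    return sorted(jar.values(), key=lambda c: (c["domain"], c["name"]))

if __name__ == "__main__":
    # Assumed layout for a -cookies.json file; the real schema is not documented here.
    print(json.dumps(extract_cookies(SAMPLE_HAR, {"app.example.test"}), indent=2))
```

Passing a scope set drops third-party cookies that were recorded but are out of scope for the Burp session; omitting it keeps every recorded host.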
Features
Chrome Extension Features
| Feature | Description |
|---------|-------------|
| ▶️ Start/Stop Recording | Toggle session recording with visual feedback and clear state indication |
| 📊 Real-time Counters | Live display of captured requests and cookies during recording |
| 📦 HAR Export | Export recorded traffic in standard HTTP Archive format |
| 🍪 Cookie Extraction | Automatic extraction of all cookies to JSON for easy import |
| 🎨 Modern UI | Clean, gradient-based user interface with intuitive controls |
| 🔄 Background Recording | Continuous recording via Chrome service worker API |
| 🔍 DevTools Panel | Integrated DevTools panel for advanced monitoring |
| 📂 Batch Export | Export HAR and cookies in a single click operation |
| 📌 Pinned Monitor Window | Keep Excalibur visible while browsing via pin/unpin controls |
| 💾 Storage Guardrails | Live storage meter, safety state, and clear-storage control |
| 🧭 Timeline + Coaching | Timeline scrubber markers and empty-state coaching guidance |
| 🧪 Session Intelligence | Time Machine, Auth Drift Radar, challenge timeline, heatmap insights |
| 🔁 Replay Studio Export | Generates replay scenarios in -replay-studio.json for follow-up testing |
Burp Suite Extension Features
| Feature | Description |
|---------|-------------|
| 📥 HAR File Loading | Import HAR files directly into Burp Site Map |
| 🍪 Cookie Import | Import JSON cookies into Burp Cookie Jar |
| 📊 Request History | Sortable table view of all imported requests |
| 📈 Statistics Panel | Summary of requests, hosts visited, and import timestamps |
| 📝 Activity Log | Detailed timestamped log of all extension operations |
| 🎨 Matching UI | Consistent design language with Chrome extension |
| 🔍 Request Inspector | Full request/response viewing capabilities |
| 🔄 Session Replay | Replay imported requests with captured cookies |
| 🧹 Clear History Action | One-click toolbar action to wipe imported HTTP history safely |
| 💼 Workspace Save/Load | Persist and restore Burp session state between investigations |
| ⚡ Optimized Filtering | Cached search/dedup path for smoother large-history filtering |
Key Capabilities
- WAF Bypass - Work around cloud WAF protections through legitimate browser sessions
- CAPTCHA Handling - Manual CAPTCHA solving with automated traffic capture
- Session Persistence - Maintain authenticated sessions across testing tools
- Traffic Analysis - Full HTTP/HTTPS request/response inspection
- Cookie Management - Extract, view, and import browser cookies
- Multi-Format Export - Export in HAR and JSON formats for tool compatibility
- Cross-Platform - Works on Windows, macOS, and Linux
Advantages Over DevTools HAR Export
Excalibur provides significant improvements over Chrome DevTools' built-in "Export HAR" functionality:
🎯 Core Advantages
| Feature | Excalibur | DevTools HAR Export |
|---------|-----------|---------------------|
| Cookie Extraction | Automatic domain-filtered JSON export | Embedded in HAR, manual extraction required |
| Cross-Tab Recording | Captures all tabs via webRequest API | Single tab only, DevTools must stay open |
| Burp Integration | Dedicated loader extension included | Manual import, no cookie automation |
| Session Persistence | Maintains state across browser sessions | Lost on DevTools close/refresh |
| Workflow | One-click start/stop/export | Multi-step manual process |
| Cookie Filtering | Auto-filters by recorded domains | All cookies or manual filtering |
| Export Format | Dual: .har + -cookies.json | HAR only |
| Memory Management | 10
