SkillAgentSearch skills...

Hackbrowser MCP

The first browser MCP built for security testing. Give your AI agent a real Firefox browser and let it find vulnerabilities.

GenerateConvertImprove

Install / Use

/learn @badchars/Hackbrowser MCP
About this skill

Quality Score

0/100

Supported Platforms

Claude Code
Cursor

README

<p align="center"> <br> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/badchars/hackbrowser-mcp/main/.github/banner-dark.svg"> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/badchars/hackbrowser-mcp/main/.github/banner-light.svg"> <img alt="hackbrowser-mcp" src="https://raw.githubusercontent.com/badchars/hackbrowser-mcp/main/.github/banner-dark.svg" width="700"> </picture> </p> <h3 align="center">The first browser MCP built for security testing.</h3> <p align="center"> Other browser MCPs let your AI fill forms and take screenshots.<br> This one lets it <b>find vulnerabilities</b>. </p> <br> <p align="center"> <a href="#what-it-does">What It Does</a> &bull; <a href="#how-its-different">How It's Different</a> &bull; <a href="#quick-start">Quick Start</a> &bull; <a href="#workflow-examples">Examples</a> &bull; <a href="#tools-reference-39-tools">Tools</a> &bull; <a href="#architecture">Architecture</a> </p> <p align="center"> <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="License"></a> <img src="https://img.shields.io/badge/runtime-Bun-f472b6" alt="Bun"> <img src="https://img.shields.io/badge/browser-Firefox-ff7139" alt="Firefox"> <img src="https://img.shields.io/badge/protocol-MCP-8b5cf6" alt="MCP"> <img src="https://img.shields.io/badge/tools-39-22c55e" alt="39 Tools"> <img src="https://img.shields.io/badge/injection%20payloads-60%2B-ef4444" alt="60+ Payloads"> </p>

What It Does

hackbrowser-mcp gives your AI agent a real Firefox browser and 39 security testing tools via the Model Context Protocol. The agent can launch the browser, browse a target, capture all traffic, and test for vulnerabilities — all through natural language.

You: "Log in as admin and as a regular user. Find endpoints the user shouldn't access."

Agent: → launches Firefox
       → creates two isolated containers (admin + user)
       → logs in both accounts
       → browses the app, captures traffic
       → compares responses across roles
       → "User can access GET /api/admin/users — should return 403, returns 200"

The AI handles the entire workflow: launching the browser, managing sessions, discovering endpoints, testing parameters, and generating a security report. You describe what to test. It does the rest.

How It's Different

There are dozens of browser MCPs. They all do the same thing: let an LLM navigate pages, click buttons, and extract text. They're built for automation — filling forms, scraping data, running UI tests.

None of them can test for vulnerabilities. That's the gap hackbrowser-mcp fills.

<table> <thead> <tr> <th></th> <th>Other Browser MCPs</th> <th>hackbrowser-mcp</th> </tr> </thead> <tbody> <tr> <td><b>Purpose</b></td> <td>Web automation, scraping, form filling</td> <td>Security testing, vulnerability assessment</td> </tr> <tr> <td><b>Sessions</b></td> <td>Single session</td> <td>2-4 isolated containers with separate cookies, storage, and auth</td> </tr> <tr> <td><b>Traffic</b></td> <td>Read-only network tab (if any)</td> <td>Full HAR capture + replay with modifications</td> </tr> <tr> <td><b>Security tools</b></td> <td>None</td> <td>14 tools: injection testing, CSRF, IDOR, access matrix, report generation</td> </tr> <tr> <td><b>Injection testing</b></td> <td>Not possible</td> <td>7 types, 60+ payloads, technique-labeled results</td> </tr> <tr> <td><b>Access control</b></td> <td>Not possible</td> <td>Cross-role comparison, endpoint access matrix, IDOR detection</td> </tr> <tr> <td><b>Browser</b></td> <td>Chromium (CDP)</td> <td>Firefox (WebDriver BiDi) &mdash; different engine catches different bugs</td> </tr> <tr> <td><b>Anti-detection</b></td> <td>Varies</td> <td>Stealth mode built-in (fingerprint, UA, WebGL spoofing)</td> </tr> </tbody> </table> <br> <details> <summary>Specific comparisons with popular projects</summary> <br>

| Project | Stars | What it does | What it can't do | |---|---|---|---| | playwright-mcp | 29k | Navigate, click, type, screenshot via accessibility tree | No multi-session, no traffic capture, no security testing | | browser-use | 81k | AI completes web tasks (shopping, forms, research) | Single agent action, no HAR, no injection testing | | stagehand | 22k | act/extract/observe SDK for browser automation | No security tools, no container isolation | | chrome-devtools-mcp | 29k | DevTools debugging, performance analysis, network monitoring | Read-only network, no replay, no active testing | | browser-tools-mcp | 7k | Console, network, audit monitoring for coding agents | IDE-focused, no offensive testing capability | | mcp-playwright | 5k | Multi-browser test automation + scraping | No security awareness, no access control analysis |

All of these are excellent tools for their intended purpose. hackbrowser-mcp doesn't replace them — it serves a completely different use case.

</details>

Core Capabilities

Multi-Container Isolation

Run 2-4 browser sessions simultaneously, each with completely isolated state. This is the foundation for access control testing.

┌────────────────────────────────────────────────────────┐
│                     Firefox Instance                    │
├───────────────┬───────────────┬────────────────────────-┤
│  Container 1  │  Container 2  │  Container 3            │
│  role: admin  │  role: user   │  role: guest             │
│               │               │                         │
│  cookies: A   │  cookies: B   │  cookies: none          │
│  storage: A   │  storage: B   │  storage: none          │
│  session: ✓   │  session: ✓   │  session: ✗             │
└───────────────┴───────────────┴─────────────────────────┘

compare_access → "GET /api/admin/users returns 200 for user (expected 403)"
access_matrix  → role × endpoint grid showing every authorization gap

Traffic Intelligence

Every HTTP request and response is captured, stored, and queryable. Replay any request with modifications.

Browser → Network Interceptor → In-Memory Store (10K max, FIFO)
                                       │
                             ┌─────────┴──────────┐
                             │                     │
                       Auto-save (60s)       Replay / modify
                             │                     │
                             ▼                     ▼
                       HAR file (disk)      replay_request
                             │              (change method,
                       Resume on restart     headers, body)

Active Security Testing

Discover injection points from captured traffic, then test them with 60+ payloads across 7 vulnerability types.

| Type | Payloads | Techniques | |------|----------|------------| | SQLi | 9 | Error-based, union, time-based blind (MSSQL/MySQL/Postgres), boolean-blind | | XSS | 8 | Reflected script, event handler, SVG, JS context, HTML5 events, iframe | | SSTI | 8 | Jinja2, Freemarker, ERB, Angular sandbox, Spring EL, Vue | | SSRF | 8 | Localhost variants (IPv4/v6/hex/octal), AWS/GCP/Azure metadata, DNS rebind | | CMDi | 8 | Semicolon, pipe, backtick, subshell, newline, quote-break | | LFI | 8 | Path traversal, double-dot, /proc/environ, PHP filter, double-encode | | HTML Injection | 6 | Tag injection, form injection, style overlay, meta redirect |

When built-in payloads get blocked, the AI agent analyzes the WAF response and crafts custom bypass payloads using replay_request.

Quick Start

Install

git clone https://github.com/user/hackbrowser-mcp.git
cd hackbrowser-mcp
bun install

Connect to your AI agent

<details> <summary><b>Claude Desktop / Claude Code</b></summary>

Add to your MCP config (~/.claude/claude_desktop_config.json):

{
  "mcpServers": {
    "hackbrowser": {
      "command": "bun",
      "args": ["run", "/path/to/hackbrowser-mcp/src/index.ts", "--mcp"]
    }
  }
}
</details> <details> <summary><b>Cursor / Continue / other MCP clients</b></summary>

Same config format. Point the command to your installation path.

</details> <details> <summary><b>Standalone (no AI agent)</b></summary> 
bun run src/index.ts --launch              # GUI mode
bun run src/index.ts --launch --headless   # headless
bun run src/index.ts --mcp                 # MCP server (stdio)
</details>

Start testing

You: "Launch the browser and scan https://target.com for vulnerabilities"

That's it. The agent handles the rest.

Workflow Examples

Full Security Scan

You: "Crawl https://app.com, find injection points, test them, generate a report."

Agent: browser_launch → navigate → crawl (100 pages)
       → find_injection_points → test_injection (SQLi, XSS)
       → test_csrf → test_rate_limit
       → generate_report
       → "Found 3 XSS, 1 SQLi, 2 missing CSRF tokens"

IDOR / Access Control Audit

You: "Login as admin and regular user. Find what the user shouldn't access."

Agent: container_setup (admin + user) → container_login (both)
       → navigate admin pages → compare_access
       → access_matrix
       → "User can reach GET /api/admin/users (200 instead of 403)"

WAF Bypass

You: "Test the search param for XSS. Bypass any WAF."

Agent: test_injection {types: ["xss"]} → all blocked
       → analyzes response: <script> stripped, events filtered
       → replay_request with <details/open/ontoggle=alert(1)> → REFLECTED
       → "Confirmed XSS via HTML5 ontoggle event byp

badchars

View profile

View on GitHub
GitHub Stars3
CategoryDevelopment
Updated17h ago
Forks0
badchars/hackbrowser-mcp

Languages

TypeScript

Security Score

90/100

Audited on Mar 27, 2026

No findings