HackBar Quantum is a sidebar that assists you with web application security testing, it's aim is to help make those tedious tasks a little bit easier. This add-on is a predecessor to the original HackBar that is not compatible with Firefox Quantum.

This is still a new project, so there will more than likely be lots of bugs, and missing features, if you would like to report a bug or have any suggestions, you can reach me on twitter @totallynotdls

This is a fork and extension from build 1.0.2 of "New Hackbar" which can be found on the Firefox Add-ons Site here and on github here The original add-on for non-Quantum builds is available at https://addons.mozilla.org/firefox/addon/hackbar/.

• mcxc - [email protected] - fosec.vn | Created the first Hackbar for Firefox Quantum
• Johan Adriaans, Pedro Laguna | Created the original Hackbar

• MD5, SHA1, SHA256 Hashing Algorithms
• ROT13 Encoding/Decoding
• Base64 Encoding/Decoding
• URL Encoding/Decoding
• Hex Encoding/Decoding
• Binary Encoding/Decoding
• Load, split and execute HTTP requests, This also includes the ability to manipulate POST data and your Referer
• Extract links from current page
• Strip spaces and slashes from strings as well as reversing them
• XSS assistance (String.fromCharCode generation, HTML Characters and XSS Alert generation)
• Auto-XSS (Scrapes possible parameters and tests them for XSS (either using a Custom payload or a Polygot))
• SQL Injection Assistance

• Cleaner UI, including sub-menu's inside dropdown lists
• Useful Resources/links, this would include things like links to common/popular blog posts that are helpful when pentesting against a target, e.g. WAF Bypass cheatsheets, Recon tips, reverse shell cheatsheets, etc. (unsure atm)
• More payloads for more advanced testing for things such as SSTI, XXE, RCE, etc. (If you have any suggestions please let me know)
• Add Bcrypt & more hashing/crypto algorithms

• Added Hex and Binary Encoding/Decoding
• Added a button to open the sidebar for easier access
• Added the "Other" section with the accompaning features (Strip Slashes, Strip Spaces, Extract Links, Reverse String)
• Added the "XSS" section with the accompaning features (String.fromCharCode, HTML Characters and XSS Alert)
• Fixed issue with the dropdown menus

• Added Auto-XSS using a Polygot or a Custom payload
• Added the SQL category

• Extract Comments - Currently extracts HTML and JS comments (E.g. <!-- comment --> and /* comment */)
• Extract RegExp - Allows you to extract custom regex from the page
• Strip Custom - Allows you to strip a custom string from the selected text
• Fixed an issue with dropdowns not hiding when clicking an option
• Fixed some issues with how the POST data worked

• Fixed display error in the SQL dropdown
• Changed Stripslashes back to it's original functionality
• Added the remaining SQL options (Apologies for the clutteredness of it at the moment, I will be working on making it more user-friendly/less-cluttered in the future)
• Added the strings section with the "Usefull strings" from the original Hackbar alongside some string manipulation (lowercase, UPPERCASE and ranDOmcase)
• Added the Payload section with a few PHP payloads for now

• Added Node.js reverse shell (Bash) (Credits to Jobert Amba)
• Moved "Auto-Pwn" functions to a separate dropdown for easy access, this includes the Auto-XSS (Custom/Polyglot) and the new Auto-Open-Redirect
• Added Auto-Open-Rediect - This function visits the current page with common Open-Redirect parameters in order to tests if the page is vulnerable
• Re-wrote the creation of event listeners to make it less tedious to add new functions and be a bit more efficient
• Fixed issue where drop-down lists on the right would go outside of the sidebar

• Fixed an issue with the Auto-Pwn category

• Fixed an issue with trailing/pre-pending newlines and spaces when using the Hashing and Encoding functions
• Added Auto-SQLi, Auto-SSTI (just basic {{7*7}}) and A new XSS Polyglot (Credits to 0xSobky)
• Renamed XSS (Custom) to Payload (Custom) as it can be used for anything not just XSS

Unfortunately not, as fair as I'm aware it isn't possible with Firefox's new policies.