Nexus is a Chrome Manifest V3 extension designed for passive web security reconnaissance. Built for pentesters and bug bounty hunters, it automatically detects exposed API keys, sensitive tokens, configuration files, technology stacks, and security misconfigurations as you browse.
- Passive Scanning: Detects 70+ sensitive patterns (AWS, Google, Stripe, Slack, etc.) without sending malicious payloads.
- Technology Fingerprinting: Identifies frameworks (React, Next.js, Vue), CMSs, and analytics tools.
- Path Probing: Checks for sensitive paths such as `.env`, `.git/config`, `sitemap.xml`, and admin panels.
- Secure Architecture: Runs entirely in the browser. No data is sent to external servers.
- Professional Reporting: Exports findings to JSON or a standalone HTML report suitable for pentest deliverables.
- Clone this repository:
git clone https://github.com/intelseclab/nexus.git
- Open Chrome and navigate to `chrome://extensions/`.
- Enable Developer mode (top right).
- Click Load unpacked and select the extension directory.
- Browse target websites normally.
- The Nexus icon badge will show the count of findings.
- Click the extension icon to view detailed findings, site technology profile, and export options.
This project uses vanilla JavaScript (no build step required).
- `manifest.json`: Configuration and permissions.
- `background.js`: Service worker for header analysis and state management.
- `content.js`: DOM scanner and page analysis.
- `scanner/`: Core detection logic and patterns.
- `popup/`: UI implementation.
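To illustrate the kind of passive pattern scan that `content.js` and `scanner/` perform, here is an added example written for this README; it is not Nexus's own code. The four regexes, the pattern names and the `mask` helper are assumptions based on widely published secret-detection rules, and the sample page source is constructed with fake values.

```javascript
// Added example (not Nexus's own code): a minimal passive secret scanner of the
// kind a content script runs over page source. Pattern names and regexes are
// assumptions based on widely published detection rules, not the project's set.
const SECRET_PATTERNS = [
  { name: "AWS Access Key ID", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "Google API Key", re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { name: "Stripe Live Secret Key", re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { name: "Slack Bot Token", re: /\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[0-9A-Za-z]{24}\b/g },
];
// Keep only the first and last four characters so a finding can go into a
// JSON/HTML report without the report becoming a second copy of the secret.
function mask(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 8) + value.slice(-4);
}
// Scan text passively (no requests are made) and return de-duplicated findings
// with 1-based line numbers; the same secret seen twice is reported once.
function scanForSecrets(text) {
  const findings = [];
  const seen = new Set();
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // shared global regex: restart it for every line
      let m;
      while ((m = re.exec(line)) !== null) {
        const key = name + ":" + m[0];
        if (seen.has(key)) continue;
        seen.add(key);
        findings.push({ type: name, line: idx + 1, value: mask(m[0]) });
      }
    }
  });
  return findings;
}
// Constructed sample page source: every value is fake (the AWS one is the example key from AWS's own docs).
const SAMPLE_PAGE = [
  "<script>",
  "  window.__CONFIG__ = {",
  '    aws: "AKIAIOSFODNN7EXAMPLE",',
  '    maps: "AIzaSyA-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK",',
  '    stripe: "sk_live_FAKEFAKEFAKEFAKEFAKEFAKE",',
  '    awsAgain: "AKIAIOSFODNN7EXAMPLE"', // duplicate of line 3, reported once
  "  };",
  "</script>",
  "<p>Support bot: xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE</p>",
].join("\n");
console.log(JSON.stringify(scanForSecrets(SAMPLE_PAGE), null, 2));
```

Running it prints four masked findings on lines 3, 4, 5 and 9; the repeated AWS key on line 6 is suppressed by the de-duplication set.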
Nexus performs active reconnaissance including HTTP requests to sensitive paths on target websites. On first use, a legal disclaimer requires you to acknowledge that you will only scan targets you are authorized to test. Unauthorized scanning may violate applicable laws (CFAA, Computer Misuse Act, etc.) and terms of service. You are solely responsible for your use of this tool.
Nexus does NOT collect or transmit any user data. All scanning is performed locally within your browser. For more details, see our Privacy Policy.
MIT
