Excalibur is a powerful dual-component security testing tool designed to bypass Web Application Firewalls (WAFs), CAPTCHAs, and other anti-bot protections through manual browser interaction. It consists of:
- Chrome Extension - Intercepts and records HTTP traffic while you manually solve CAPTCHAs, complete authentication flows, and navigate through protected applications.
- Burp Suite Extension - Imports recorded HTTP Archive (HAR) files and extracted cookies into Burp Suite, enabling automated security testing on previously protected endpoints.
Modern web applications employ increasingly sophisticated security measures including WAFs, CAPTCHAs, and bot detection systems. These protections often block automated security scanners and make it difficult to test APIs behind authentication. Excalibur bridges this gap by allowing you to:
- Maintain legitimate sessions through manual interaction with the application
- Capture complete HTTP traffic including headers, cookies, and timing data
- Export authenticated sessions to professional security tools like Burp Suite
- Accelerate security testing by eliminating manual cookie extraction and session setup
```text
┌────────────────┐     ┌────────────────┐     ┌────────────────┐
│     Manual     │  →  │   Excalibur    │  →  │   Burp Suite   │
│    Browser     │     │    Record &    │     │    Security    │
│  Interaction   │     │     Export     │     │    Testing     │
└────────────────┘     └────────────────┘     └────────────────┘
```
- You browse the target application manually in Chrome, solving any CAPTCHAs or authentication challenges as a normal user would.
- Excalibur records all HTTP traffic during your session, capturing requests, responses, headers, and cookies in real time.
- Export the recorded session as HAR and JSON files, then load them into Burp Suite for detailed security analysis and automated scanning.
- Project Description
- Quick Start
- Usage Workflow
- Features
- Advantages Over DevTools HAR Export
- Output Files
- Architecture
- Use Cases
- Synergistic Projects
- Project Structure
- Troubleshooting
- Development
- Security Disclosure
- License
- Author & Attribution
- Disclaimer
- Open Chrome → `chrome://extensions/`
- Enable Developer mode (top right toggle)
- Click Load unpacked
- Select the `chrome extension/` folder
- Pin the Excalibur icon to your toolbar
- Open Burp Suite (Professional or Community)
- Extensions → Add → Python
- Select `burp-extension/excalibur_loader.py`
- Verify extension loads successfully
- Navigate to Excalibur tab
- Chrome/Chromium browser
- Burp Suite (Professional or Community Edition)
- Jython standalone JAR (for Burp Python support)
- Record in Chrome
  - Click Excalibur icon in Chrome
  - Click ▶️ Start Recording
  - Navigate to target site
  - Solve CAPTCHAs, complete authentication flows
  - Click ⏹️ Stop Recording
- Export HAR Files
  - Click 📦 Export HAR
  - Two files download automatically:
    - `excalibur-session-YYYYMMDD-HHMMSS.har`
    - `excalibur-session-YYYYMMDD-HHMMSS-cookies.json`
- Load in Burp
  - Open Burp → Excalibur tab
  - Click Load HAR File → Select exported HAR
  - Click Load Cookies JSON → Select exported cookies
  - View requests in Target → Site Map and History tab
| Feature | Description |
|---|---|
| Recording Toggle | Toggle session recording with visual feedback and clear state indication |
| Real-time Counters | Live display of captured requests and cookies during recording |
| HAR Export | Export recorded traffic in standard HTTP Archive format |
| Cookie Extraction | Automatic extraction of all cookies to JSON for easy import |
| Modern UI | Clean, gradient-based user interface with intuitive controls |
| Background Recording | Continuous recording via Chrome service worker API |
| DevTools Panel | Integrated DevTools panel for advanced monitoring |
| Batch Export | Export HAR and cookies in a single click operation |
| Feature | Description |
|---|---|
| HAR File Loading | Import HAR files directly into Burp Site Map |
| Cookie Import | Import JSON cookies into Burp Cookie Jar |
| Request History | Sortable table view of all imported requests |
| Statistics Panel | Summary of requests, hosts visited, and import timestamps |
| Activity Log | Detailed timestamped log of all extension operations |
| Matching UI | Consistent design language with Chrome extension |
| Request Inspector | Full request/response viewing capabilities |
| Session Replay | Replay imported requests with captured cookies |
- WAF Bypass - Work around cloud WAF protections through legitimate browser sessions
- CAPTCHA Handling - Manual CAPTCHA solving with automated traffic capture
- Session Persistence - Maintain authenticated sessions across testing tools
- Traffic Analysis - Full HTTP/HTTPS request/response inspection
- Cookie Management - Extract, view, and import browser cookies
- Multi-Format Export - Export in HAR and JSON formats for tool compatibility
- Cross-Platform - Works on Windows, macOS, and Linux
Excalibur provides significant improvements over Chrome DevTools' built-in "Export HAR" functionality:
| Feature | Excalibur | DevTools HAR Export |
|---|---|---|
| Cookie Extraction | Automatic domain-filtered JSON export | Embedded in HAR, manual extraction required |
| Cross-Tab Recording | Captures all tabs via webRequest API | Single tab only, DevTools must stay open |
| Burp Integration | Dedicated loader extension included | Manual import, no cookie automation |
| Session Persistence | Maintains state across browser sessions | Lost on DevTools close/refresh |
| Workflow | One-click start/stop/export | Multi-step manual process |
| Cookie Filtering | Auto-filters by recorded domains | All cookies or manual filtering |
| Export Format | Dual: .har + -cookies.json | HAR only |
| Memory Management | 10K entry limit + periodic cleanup | Can consume excessive memory |
| UI Focus | Security testing optimized | General debugging interface |
| Background Operation | Service worker, no UI required | Requires DevTools panel open |
1. Automatic Cookie Extraction & Filtering
- Excalibur automatically extracts cookies and filters them to only include domains from recorded traffic
- Exports as separate JSON file for easy Burp import
- DevTools embeds cookies in HAR without easy extraction or domain filtering
2. Background Recording Across All Tabs
- Uses Chrome's `webRequest` API to capture traffic from ALL tabs while recording is active
- DevTools only captures traffic in the specific tab where it's open
- No need to keep DevTools panel visible
3. Seamless Burp Suite Integration
- Includes dedicated Burp extension (`excalibur_loader.py`) for direct HAR and cookie import
- Automatically injects cookies into Burp's Cookie Jar
- DevTools requires manual import with no cookie automation
4. Security Testing Workflow Optimization
- Excalibur: Click start → solve CAPTCHA → click stop → click export → load in Burp
- DevTools: Open DevTools → navigate to Network → browse → right-click → export → manually configure Burp → manually extract cookies
5. Session State Persistence
- Maintains recording state and provides real-time stats (request count, cookie count)
- DevTools loses all captured data if closed or tab is refreshed
6. Built for WAF/CAPTCHA Bypass
- Specifically designed for security testing workflows where you manually solve protections then export authenticated sessions
- DevTools is a general-purpose debugging tool not optimized for this use case
Excalibur transforms the "solve CAPTCHA → capture traffic → test in Burp" workflow from a tedious multi-step manual process into a streamlined, automated pipeline specifically designed for security researchers and bug bounty hunters.
Excalibur's Burp extension goes far beyond basic HAR importers with advanced security testing features:
| Feature | Excalibur | Generic HAR Importers |
|---|---|---|
| Request Replay | Live HTTP replay (selected/all) | Static import only |
| Deduplication | Real-time toggle with hash-based dedup | No deduplication |
| Advanced Filtering | Multi-criteria + saved presets | Basic or none |
| Workspace Persistence | Save/load entire session state | No persistence |
| Token Extraction | Auto-extract JWT/API keys/secrets | Manual inspection |
| Cookie Management | Separate viewer + Burp Jar export | Embedded only |
| Re-Export | Export filtered HAR/cookies | Import only |
| Tool Integration | Repeater/Intruder/Scanner/cURL | Limited |
| Performance | 10K limit + threading + progress | Can hang on large files |
| UI/UX | Modern gradient design + stats | Basic Swing UI |
1. Request Replay System
- Make live HTTP requests directly from imported HAR data
- Replay selected requests or all requests with confirmation
- Update responses in real-time
- Other extensions: Static data only
2. Intelligent Deduplication
- Toggle-based deduplication using MD5 hash of method+URL
- Reduces noise when analyzing large HAR files
- Other extensions: No dedup, manual cleanup required
3. Advanced Filtering & Search
- Real-time search with 300ms debouncing
- Filter by method, status code range (2xx/3xx/4xx/5xx), host
- Save and load filter presets for repeated workflows
- Cookie filtering by domain and search
- Other extensions: Basic filtering or none
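The deduplication and filtering behaviour described in items 2 and 3 above, as an added Python 3 example; it is not code from the Excalibur project (whose loader runs under Jython). The dedup key is MD5 of method + URL as the feature list states, the filter criteria are method, status class, exact host and a URL search string, and saved presets are plain dicts that round-trip through JSON. The entries are constructed and trimmed to the fields the filters need.

```python
"""Deduplicate and filter HAR entries (added illustration, not the project's own code)."""
import hashlib
import json
from urllib.parse import urlsplit

ENTRIES = [  # constructed sample capture, reduced to the fields used below
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users?page=1"}, "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users?page=1"}, "response": {"status": 200}},  # exact repeat
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users?page=2"}, "response": {"status": 200}},  # different query, kept
    {"request": {"method": "POST", "url": "https://api.example.com/v1/users"}, "response": {"status": 201}},
    {"request": {"method": "GET", "url": "https://app.example.com/admin"}, "response": {"status": 403}},
    {"request": {"method": "GET", "url": "https://cdn.thirdparty.net/app.js"}, "response": {"status": 200}},
    {"request": {"method": "DELETE", "url": "https://api.example.com/v1/users/42"}, "response": {"status": 500}},
]


def dedup_key(entry):
    """MD5 of method + URL. MD5 is acceptable here because the key only needs to be
    stable and cheap, not collision resistant; nothing security-relevant depends on it."""
    req = entry["request"]
    return hashlib.md5(f"{req['method'].upper()} {req['url']}".encode("utf-8")).hexdigest()


def deduplicate(entries):
    """Keep the first occurrence of each method+URL; query-string differences stay distinct."""
    seen, kept = set(), []
    for entry in entries:
        key = dedup_key(entry)
        if key not in seen:
            seen.add(key)
            kept.append(entry)
    return kept


def matches(entry, method=None, status_class=None, host=None, search=None):
    """All given criteria must hold. status_class is '2xx'..'5xx'; host is an exact
    hostname; search is a case-insensitive URL substring."""
    req, status = entry["request"], entry["response"]["status"]
    if method and req["method"].upper() != method.upper():
        return False
    if status_class and status // 100 != int(status_class[0]):
        return False
    if host and urlsplit(req["url"]).hostname != host.lower():
        return False
    if search and search.lower() not in req["url"].lower():
        return False
    return True


def apply_filter(entries, preset):
    return [e for e in entries if matches(e, **preset)]


def save_presets(presets):
    """Serialise presets for a 'saved filter presets' file."""
    return json.dumps(presets, indent=2)


def load_presets(text):
    return json.loads(text)


PRESETS = {  # constructed presets of the kind a repeated workflow would save
    "server-errors": {"status_class": "5xx"},
    "api-writes": {"host": "api.example.com", "method": "POST"},
    "forbidden": {"status_class": "4xx"},
}
```

Deduplicating before filtering matters for large captures: a single-page application polling one endpoint produces hundreds of identical GETs, and the 5xx preset over the deduplicated list points straight at the one server error worth investigating.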
4. Workspace State Management
- Save entire workspace: requests, cookies, filters, statistics
- Auto-save after HAR/cookie imports
- Load workspace to resume previous sessions
- Timestamped export folders
- Other extensions: No session persistence
5. Automated Token/Secret Extraction
- Regex-based extraction of:
- JWT tokens (eyJ...)
- API keys and access tokens
- Bearer tokens
- AWS access keys (AKIA...)
- Passwords and secrets
- Scans all responses automatically
- Other extensions: Manual grep required
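An added Python example of the response scanning described in item 5; it is not the project's own code or regex set, and the patterns (JWTs, Bearer tokens, AWS access key IDs, generic API-key/secret/password assignments) are an assumption modelled on the categories listed above. Findings carry a redacted preview so they can be logged or reported without copying the live secret into a log file. The sample response is constructed.

```python
"""Scan captured responses for leaked tokens (added illustration, not Excalibur's own code)."""
import re

PATTERNS = {  # assumed pattern set covering the categories named in the feature list
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{16,})", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(
        r"""["']?(?:api[_-]?key|access[_-]?token|secret|password)["']?\s*[:=]\s*["']?([^"'\s,}]{8,})""",
        re.IGNORECASE),
}


def redact(value):
    """Keep enough to recognise the token in a report, never the whole value."""
    if len(value) <= 12:
        return "*" * len(value)
    return value[:6] + "..." + value[-4:]


def scan_text(text, where):
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"kind": kind, "where": where, "preview": redact(value), "length": len(value)})
    return findings


def scan_entry(entry):
    """Scan a HAR entry's response headers and body ('scans all responses automatically')."""
    resp = entry["response"]
    findings = []
    for h in resp.get("headers", []):
        findings += scan_text(f"{h['name']}: {h['value']}", f"response header {h['name']}")
    body = resp.get("content", {}).get("text") or ""
    findings += scan_text(body, "response body")
    return findings


SAMPLE_ENTRY = {  # constructed: a debug header and a body that leaks three kinds of secret
    "request": {"method": "GET", "url": "https://api.example.com/v1/me"},
    "response": {
        "status": 200,
        "headers": [
            {"name": "Content-Type", "value": "application/json"},
            {"name": "X-Debug-Auth", "value": "Bearer opaque-token-constructed-0001"},
        ],
        "content": {"mimeType": "application/json", "text": (
            '{"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
            'eyJzdWIiOiIxMjM0NTY3ODkwIn0.constructed_signature_value", '
            '"api_key": "constructed-api-key-12345", '
            '"aws_key": "AKIAEXAMPLEKEY000000", "region": "us-east-1"}'
        )},
    },
}
```

Every finding here is a defect in the application under test (credentials returned in a body or a debug header) and belongs in the report with its redacted preview; the full values stay in the HAR, which is one more reason to treat the export files as sensitive.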
6. Comprehensive Cookie Management
- Dedicated cookie viewer tab with filtering
- One-click export to Burp Cookie Jar
- Export cookies to JSON file
- Domain-based filtering
- Other extensions: Cookies buried in HAR structure
7. Export Filtered Results
- Re-export filtered requests as new HAR file
- Export cookies separately
- Useful for sharing specific findings
- Other extensions: Import only, no export
8. Deep Burp Integration
- Send to Repeater with custom tab names
- Send to Intruder for fuzzing
- Trigger active scans
- Copy as cURL commands
- Copy URLs and raw requests
- Context menu with right-click actions
- Other extensions: Basic import to Site Map only
9. Performance & Reliability
- 10,000 entry limit with warnings
- 10MB response body size limit
- Background threading for imports
- Progress logging every 50 entries
- Periodic cleanup of stale data
- Other extensions: Can freeze on large files
10. Modern UI/UX
- Gradient-based design matching Chrome extension
- Real-time statistics dashboard (requests, hosts, last import)
- Split-pane request/response viewers
- Color-coded buttons by function
- Timestamped activity log
- Other extensions: Basic Swing tables
Designed for Real-World Workflows:
- WAF/CAPTCHA bypass session management
- Authenticated API testing
- Token/credential extraction
- Request replay for validation
- Deduplication for large captures
- Filter presets for repeated testing
Not Just a HAR Importer:
- Complete session analysis platform
- Bridges manual browser interaction with automated testing
- Workspace persistence for long-term engagements
- Export capabilities for reporting and sharing
While other extensions simply import HAR files into Burp's Site Map, Excalibur provides a complete security testing platform with replay, deduplication, token extraction, workspace persistence, and advanced filtering, transforming static HAR data into an active testing environment.
When exporting from the Chrome extension:
- `excalibur-session-YYYYMMDD-HHMMSS.har` - HTTP Archive file
  - Contains all recorded requests/responses
  - Importable into Burp, ZAP, or other tools
  - Includes headers, cookies, timing data
- `excalibur-session-YYYYMMDD-HHMMSS-cookies.json` - Cookie dump
  - All cookies from recorded domains
  - JSON format for easy parsing
  - Includes domain, path, expiry, flags
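The two files above, together with the Burp tab's request replay feature, can be exercised outside Burp with the following added Python 3 example. It is not code from the Excalibur project (whose loader runs under Jython) and assumes the cookies JSON follows Chrome's `chrome.cookies.Cookie` record shape (name, value, domain, path, secure, httpOnly, expirationDate); the HAR is standard HAR 1.2 and all sample data is constructed. It reproduces the domain filtering that keeps only cookies for recorded hosts, then renders an entry as an HTTP/1.1 request with the matching cookies attached, dropping the HTTP/2 pseudo-headers (`:authority`, `:path`, ...) that Chrome writes into HAR files and that have no place in an HTTP/1.1 request.

```python
"""Parse an Excalibur-style export pair (HAR + cookies JSON), keep only cookies for recorded
hosts, and render an entry as an HTTP/1.1 request. Added example, not the project's code."""
import json
from urllib.parse import urlsplit

SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"},
    "entries": [
        {"request": {"method": "GET", "url": "https://app.example.com/login",
                     # ":authority" is an HTTP/2 pseudo-header as Chrome records it
                     "headers": [{"name": ":authority", "value": "app.example.com"},
                                 {"name": "accept", "value": "text/html"}]},
         "response": {"status": 200}},
        {"request": {"method": "POST", "url": "https://api.example.com/v1/session?lang=en",
                     "headers": [{"name": "content-type", "value": "application/json"}],
                     "postData": {"mimeType": "application/json", "text": "{\"remember\": true}"}},
         "response": {"status": 201}},
        {"request": {"method": "GET", "url": "https://cdn.thirdparty.net/app.js", "headers": []},
         "response": {"status": 200}},
    ]}})

SAMPLE_COOKIES = json.dumps([  # constructed, chrome.cookies.Cookie-like records (assumed shape)
    {"name": "session", "value": "constructed-session", "domain": ".example.com", "path": "/",
     "secure": True, "httpOnly": True, "expirationDate": 1735689600},
    {"name": "csrf", "value": "constructed-csrf", "domain": "api.example.com", "path": "/v1",
     "secure": True, "httpOnly": False},
    {"name": "_ga", "value": "constructed-tracking", "domain": ".tracker.example.org", "path": "/",
     "secure": False, "httpOnly": False},
])


def load_har_entries(har_text):
    return json.loads(har_text)["log"]["entries"]


def load_cookies(cookies_text):
    return json.loads(cookies_text)


def recorded_hosts(entries):
    return sorted({urlsplit(e["request"]["url"]).hostname for e in entries})


def domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: a leading-dot cookie domain covers that domain and its
    subdomains; a host-only cookie (no leading dot) covers exactly its host."""
    d, host = cookie_domain.lower(), host.lower()
    if d.startswith("."):
        return host == d[1:] or host.endswith(d)
    return host == d


def filter_cookies_to_recorded(cookies, hosts):
    """Excalibur's domain filtering: drop cookies no recorded host would ever receive."""
    return [c for c in cookies if any(domain_matches(c["domain"], h) for h in hosts)]


def cookies_for_request(cookies, url):
    """Cookies a browser would attach to this URL: domain, path and Secure checks."""
    u = urlsplit(url)
    path = u.path or "/"
    selected = []
    for c in cookies:
        if not domain_matches(c["domain"], u.hostname):
            continue
        if c.get("secure") and u.scheme != "https":
            continue
        cpath = c.get("path", "/")
        if path != cpath and not path.startswith(cpath.rstrip("/") + "/"):
            continue
        selected.append(c)
    return selected


def build_raw_request(entry, cookies):
    """Render a HAR entry as HTTP/1.1 text (what Repeater works with) with captured cookies."""
    req = entry["request"]
    u = urlsplit(req["url"])
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    # Drop HTTP/2 pseudo-headers (":authority", ":path", ...); they are not HTTP/1.1 headers.
    headers = [(h["name"], h["value"]) for h in req.get("headers", []) if not h["name"].startswith(":")]
    present = {name.lower() for name, _ in headers}
    if "host" not in present:
        headers.insert(0, ("Host", u.netloc))
    jar = cookies_for_request(cookies, req["url"])
    if jar and "cookie" not in present:
        headers.append(("Cookie", "; ".join(f"{c['name']}={c['value']}" for c in jar)))
    body = req.get("postData", {}).get("text", "")
    if body and "content-length" not in present:
        headers.append(("Content-Length", str(len(body.encode("utf-8")))))
    request_line = f"{req['method']} {target} HTTP/1.1"
    return "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers]) + "\r\n\r\n" + body
```

The cookies file is the valuable half of the export: it holds live session credentials (the `session` cookie above is `httpOnly` and `secure` for exactly that reason), so store it with the same care as a password file and keep it out of commits, as the Development section asks.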
```text
┌─────────────────┐
│ Chrome Browser  │
│ (User solves    │
│  CAPTCHAs)      │
└────────┬────────┘
         │ webRequest API
         ↓
┌─────────────────┐
│    Excalibur    │
│    Extension    │
│ (background.js) │
└────────┬────────┘
         │ Export HAR
         ↓
┌─────────────────┐
│    Downloads    │
│  .har + .json   │
└────────┬────────┘
         │ Manual Load
         ↓
┌─────────────────┐
│   Burp Suite    │
│  Excalibur Tab  │
│  (Load Files)   │
└────────┬────────┘
         │
         ├── Site Map
         └── History
```
Navigate to WAF-protected sites manually, solve CAPTCHAs and complete authentication, record all requests with a valid session, then export and load into Burp to replay and modify the requests.
Perfect for:
- Cloudflare WAF bypass research
- Akamai security testing
- Custom WAF rule validation
- Rate limiting analysis
Complete MFA flows in browser (SMS, TOTP, hardware tokens, push notifications), record authenticated session, export cookies and tokens for use in automated testing tools.
Perfect for:
- Banking application security testing
- Enterprise SSO flows
- OAuth 2.0 debugging
- JWT token analysis
Solve CAPTCHA manually, capture API requests with valid CAPTCHA token, analyze API structure in Burp, test for vulnerabilities post-CAPTCHA.
Perfect for:
- ReCAPTCHA v2/v3 bypass
- hCaptcha token analysis
- Cloudflare Turnstile testing
- Custom CAPTCHA implementations
Use Chrome DevTools to intercept mobile traffic through device port forwarding, record app API calls, export to Burp for security testing, replay requests with modifications.
Perfect for:
- Android app API testing
- iOS app traffic analysis
- Hybrid app security assessment
- Mobile API fuzzing
Browse authenticated applications while Excalibur records all cookies, export complete cookie state for replay in other tools or scripts, maintain session persistence across testing sessions.
Perfect for:
- Cookie-based auth testing
- Session fixation investigation
- CSRF token extraction
- Authentication flow analysis
Navigate through web applications while recording all API calls, automatically discover hidden endpoints, export for comprehensive API security assessment.
Perfect for:
- REST API enumeration
- GraphQL introspection
- Hidden endpoint mapping
- API schema documentation
Quickly capture authenticated sessions for bug bounty targets, export working cookies and sessions, use in automated reconnaissance and vulnerability scanning tools.
Perfect for:
- Private program testing
- Public bug bounty programs
- Time-bounty hunting efficiency
- Multi-target research
Excalibur works well alongside other security tools in your testing arsenal:
A comprehensive Burp Suite extension for API security testing that pairs perfectly with Excalibur.
Combined Workflow:
- Use Excalibur to capture authenticated API requests and cookies
- Import into Burp with Excalibur loader
- Use BurpAPISecuritySuite for:
- Automated API endpoint discovery
- Parameter tampering attacks
- Authorization bypass testing
- SQL Injection and XSS scanning
- REST/GraphQL security assessment
Key Benefits:
- Seamless integration - Excalibur provides the session, BurpAPISecuritySuite provides the testing
- Reduced manual configuration - automatically use captured cookies in API tests
- Faster vulnerability discovery - combine authenticated access with automated scanning
- Comprehensive security coverage - from data capture to exploit detection
```text
┌───────────────────┐
│     Excalibur     │
│ (Session Capture) │
└─────────┬─────────┘
          │
          ↓
┌───────────────────┐
│    Burp Suite     │
│ (Replay/Analyze)  │
└─────────┬─────────┘
          │
          ↓
┌───────────────────┬───────────────────┐
│  BurpAPISecurity  │    Other Tools    │
│       Suite       │   (ZAP, Nuclei)   │
└───────────────────┴───────────────────┘
```
```text
Excalibur/
├── chrome extension/
│   ├── manifest.json           # Extension config
│   ├── background.js           # Service worker (recording)
│   ├── popup.html/js           # UI popup
│   └── devtools.html/js        # DevTools panel
├── burp-extension/
│   └── excalibur_loader.py     # Burp HAR/Cookie loader
├── .amazonq/rules/             # Coding standards
│   ├── bug-fixing.md
│   ├── error-handling.md
│   ├── modular-architecture.md
│   └── refactoring.md
└── README.md
```
Cause: Recording not started or browser permissions issue
Solution:
- Ensure recording is active (red stop button visible)
- Check Chrome has necessary permissions
- Reload extension and try again
Cause: No requests recorded or browser download permissions
Solution:
- Ensure recording was started before browsing
- Check request counter shows > 0 requests
- Verify Chrome has download permissions
- Try exporting to different folder
Cause: Invalid HAR format or Jython not configured
Solution:
- Burp → Extensions → Options
- Set Python Environment to Jython standalone JAR
- Download from: https://www.jython.org/download
- Reload extension after configuring Jython
- Check Burp Activity Log for errors
Cause: Invalid JSON format or domain mismatch
Solution:
- Verify JSON file is valid
- Check cookies are from recorded domains
- Review Burp Activity Log for specific errors
See .amazonq/rules/ for detailed guidelines:
- bug-fixing.md - Never simplify to bypass bugs
- error-handling.md - Explicit error handling required
- modular-architecture.md - Clean code principles
- refactoring.md - Continuous improvement
- Follow coding standards in `.amazonq/rules/`
- Test both Chrome and Burp extensions
- Ensure no sensitive data in commits
- Update README for new features
See SECURITY.md for vulnerability reporting.
This project is licensed under the MIT License - See LICENSE.md for details.
Developed by Teycir Ben Soltane
Website: teycirbensoltane.tn
For authorized security testing only. Users are responsible for compliance with applicable laws and regulations. Only test systems you own or have explicit permission to test.