collectvars highlights risky variables, and helps you understand code structure, while you casually browse.
Key Features • Install • Demo • Credits • Similar Projects • License
- No effort required
  - Alerts you when risky variables are detected while browsing
- Customizable
  - Use custom wordlists and variable names for scanning (list/watchlist.txt)
  - Supports RegExp, examples:
    - `^.*secret.*$`
    - `^.*password.*$`
    - `^.*api[_-]?key.*$`
    - `^.*token.*$`
- Scan external libraries
  - Checks variables from imported JS files
- Highlight dangerous variables
  - Shows only risky variables
- Ignore common libraries
  - Skips popular libraries like Google Analytics, Tracking, Advertising (list/denylist.txt)
- Ignore short variables
  - Doesn't display variables shorter than 3 chars, as they are likely minified variables
- Copy all variables/values with one click
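The filtering described in the feature list (watchlist patterns, library denylist, minimum name length) can be sketched as below. This is an added example, not collectvars' own code: the one-entry-per-line list format, case-insensitive matching, URL-substring denylist matching, and all function names and sample data are assumptions.

```javascript
// Added example, not collectvars' code. List formats and matching rules are assumptions.
const MIN_NAME_LENGTH = 3; // README: variables shorter than 3 chars are not displayed

// Split a list file into trimmed, non-empty lines (assumed: one entry per line).
const readLines = (text) => text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);

// Compile watchlist entries as RegExp; entries that do not compile are reported, not dropped silently.
function parseWatchlist(text) {
  const rules = [];
  const rejected = [];
  for (const entry of readLines(text)) {
    try {
      rules.push(new RegExp(entry, "i")); // case-insensitive matching is an assumption
    } catch {
      rejected.push(entry);
    }
  }
  return { rules, rejected };
}

// variables: [{ name, source }], where source is the URL of the script that defined the variable.
// denylist: substrings of script URLs to skip (assumed format for a library denylist).
function findRiskyVariables(variables, rules, denylist) {
  const hits = [];
  for (const { name, source } of variables) {
    if (name.length < MIN_NAME_LENGTH) continue; // likely a minified name
    if (denylist.some((d) => source.toLowerCase().includes(d.toLowerCase()))) continue;
    const rule = rules.find((re) => re.test(name));
    if (rule) hits.push({ name, source, rule: rule.source });
  }
  return hits;
}

// Constructed sample input: the first three patterns are README examples, "auth[" is a deliberately broken entry.
const SAMPLE_WATCHLIST = ["^.*secret.*$", "^.*password.*$", "^.*api[_-]?key.*$", "auth["].join("\n");
const SAMPLE_DENYLIST = readLines("google-analytics.com\ndoubleclick.net\n");
const SAMPLE_VARIABLES = [
  { name: "API_KEY", source: "https://shop.example/static/app.js" },
  { name: "userPassword", source: "https://shop.example/static/app.js" },
  { name: "pk", source: "https://shop.example/static/app.js" },
  { name: "clientSecret", source: "https://www.google-analytics.com/analytics.js" },
  { name: "pageTitle", source: "https://shop.example/static/app.js" },
];

function runSample() {
  const { rules, rejected } = parseWatchlist(SAMPLE_WATCHLIST);
  return { hits: findRiskyVariables(SAMPLE_VARIABLES, rules, SAMPLE_DENYLIST), rejected };
}
console.log(runSample());
```

In this sketch a variable defined by a denylisted script is never reported, even when its name matches the watchlist, so the denylist is worth reviewing when assessing your own pages.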
- Download as ZIP and unpack, or git clone
- Enable Developer Mode in Extensions tab
- Click Load Unpacked
- Select collectvars folder
- Done!
Here is a video showing how to install a Chrome extension: How to install unpacked extensions in chrome
See collectvars in action here: https://sametsahin.net/posts/bug-bounty-top-programs/
- Claude 3.5 Sonnet - Coding
- danielmiessler/SecLists - Wordlists
- hisxo/gitGraber - Wordlists
- abdul-manaan/JS_Analysis - Wordlists
- phucbm/lipsum-generator - Design
- @marc_louvion's LogoFast - Logo
This was a weekend project with no plans for new features. However, I'm open to ideas and contributions. Feel free to implement something if you'd like :)
GPLv3
- Samet Sahin sametsahin.net
- LinkedIn @sametsahinnet
- Twitter @sametsahinnet