OWASP Penetration Testing Kit
20,000+ users
Developer: pentestkit.co.uk
Version: 9.4.0
Updated: 2025-12-17
Available in the Chrome Web Store
OWASP Penetration Testing Kit (PTK) is an all-in-one in-browser application security testing extension. It runs directly in your browser and combines dynamic, static and interactive analysis (DAST, SAST and IAST) with software composition analysis (SCA), so you can capture, inspect and tamper with HTTP(S) traffic and test for common vulnerabilities as you browse, without leaving the browser.

Features:

- Built-in DAST: automated scanning of the target application for reflected/stored XSS, SQL injection (SQLi), XPath injection, OS command injection, open redirects, HTTP request smuggling, authentication bypass and more.
- Built-in SAST: a static-analysis engine that parses the loaded HTML, JavaScript and CSS and flags unsafe patterns and anti-patterns such as `eval()` and `innerHTML`/`outerHTML` sinks, missing input sanitization, hard-coded secrets and keys, and insecure cryptographic usage.
- Built-in IAST (interactive analysis): instruments the running application's JavaScript at runtime and performs taint analysis between inputs and sinks like `eval`/`innerHTML`, catching DOM-based XSS as it occurs.
- Request log: tracks and captures all HTTP(S) requests the application makes, giving deep visibility into API calls and endpoints.
- R-Builder: craft, edit, replay and tamper with HTTP requests on the fly; import requests from cURL and Swagger (swagger.io), and import/export Selenium flows.
- JWT inspector: decode and analyze tokens and test signature and key handling, including `kid`/`jku`/`jwk` header injection, null-signature attacks and key brute-force.
- Cookie management: add, edit, remove and tamper with cookies directly in the browser.
- Decoder/encoder utility: base64, URL-encode/decode, UTF-8, MD5 and HMAC.
- SCA: software composition analysis of the application's tech stack.

Whether you are a security practitioner, a red team member or a developer, PTK helps shift application security left and streamline daily AppSec tasks.