Documentation

Chiral is a Chrome DevTools extension for HTTP request interception, editing, and replay. Built for security analysts who need Burp Suite-like functionality directly in the browser.

Philosophy

Chiral is built for security researchers who know what they're doing. It's not trying to be everything to everyone, and it doesn't hold your hand.

Everything is User-Configurable

Unlike tools with hardcoded scanners or black-box detection, Chiral exposes everything as rules and scripts that users can inspect, modify, or replace:

System	User Controls
Recon	Regex conditions + regex actions (detection & auto-modification)
Sequences	Request chains + variable extraction + transform steps
Scripts	Arbitrary JavaScript for any encode/decode/hash operation
Probing	Configurable endpoint list for discovery

There are no magic black boxes. Want to detect a custom header and auto-inject a payload? Write a rule. Need HMAC signing in your auth flow? Write a transform script. The tool is essentially a framework for building your own security workflows.

Design Principles

Elegant, not flashy - Clean UI/UX and clean code. Every feature should feel intentional, every line of code purposeful.
No special cases - Built-in features use the same systems as user-defined ones. Default rules are just regex patterns you can edit.
Focused on interception - True in-flight request modification via CDP, not just capture and replay.
Enjoyable to use - Workflows should feel natural. If something is tedious, we fix the design.
No unnecessary features - No AI integrations, no themes, no gamification. If a feature doesn't serve security research, it doesn't belong here.

Interface Layout

Chiral lives inside Chrome DevTools. Open DevTools (F12) and find the "Chiral" tab.

Header Bar

The top bar contains global controls:

Capture Mode Toggle - Switch between Passive and Active modes
Scope Button - Configure domain filtering
Session Menu - Save/load session files
Settings - Configure capture behavior

Main Tabs

The interface is organized into tabs:

Repeater - Request history and editing
Intercept - Live request/response interception
Intruder - Payload fuzzing
Target - Endpoint discovery map
Recon - Traffic fingerprinting and rules
Sequences - Multi-step request chains
Cookies - Browser cookie management
Storage - localStorage/sessionStorage
WebSocket - WebSocket traffic monitoring

Settings

Access via the gear icon in the header. All settings are stored locally and take effect immediately.

Recon

Maximum triggers to keep - Older triggers are removed when limit is reached (default: 500, range: 100-10000)

Request History

Maximum requests to keep - Older requests are removed when limit is reached (default: 200, range: 50-1000)

Scope Control

Filter captured requests by domain/URL patterns. Access via the target icon in the header bar.

Features

Auto-detects current domain on first run
Wildcard pattern matching with *
Add/remove scope patterns dynamically
"Add current domain" button for quick setup
Toggle to show or hide out-of-scope requests

Pattern Examples

*.example.com - Matches www.example.com, api.example.com, etc.
api.example.com - Matches exactly api.example.com
*.example.com/api/* - Domain + path pattern

Scope Effects

Request List - Out-of-scope requests shown at 40% opacity (or hidden)
Target Map - Out-of-scope requests excluded from discovery
Recon - Out-of-scope requests skip rule evaluation

Capture Modes

Chiral has two capture modes, toggled via switch in the header:

Passive Mode (default)

Detection only, truly passive reconnaissance
Rules evaluate traffic but take no actions
No requests are modified or resent

Active Mode

Rules with actions automatically modify and resend matching requests
Modified requests appear in history with [M] badge
Browser's actual request appears nested underneath for comparison
Useful for testing parameter tampering, header manipulation, etc.

Repeater

The Repeater tab captures HTTP requests and lets you edit and replay them. This is your primary workspace for testing.

Request History

Requests grouped by domain with collapsible sections
Two-line display: path on top, metadata (method, status, size, time) below
Filter bar with regex and body search toggles
Click any request to load it into the editor

Cross-Request Search

The filter bar supports powerful search:

.* toggle - Enable regex mode (case-insensitive)
Body toggle - Search inside request/response headers and bodies

Search	Regex	Body	Result
`POST`	off	off	All POST requests
`503`	off	off	All 503 responses
`password\|token`	on	on	Content containing these
`Bearer ey`	off	on	Find JWTs in headers/bodies

Request Editor

Tab-based interface for editing requests:

Headers - Table-based header editing with add/remove buttons
Body - Textarea for request body
Raw - Full HTTP request format (auto-generates and auto-parses)

The top bar includes method selector, URL input, Send button, and cURL export.

Response Viewer

Tab-based interface for viewing responses:

Headers - Response headers
Body - Syntax-highlighted content (JSON/XML/HTML)
Raw - Full response as text
Hex - Hex dump of response
Cert - SSL/TLS certificate details (requires debugger)

Response Search

Search bar at the bottom of the response section:

Real-time regex search with match count
Navigate matches with prev/next buttons or Enter/Shift+Enter
Highlights all matches with current match distinctly styled
Works across all response views

Side-by-Side Comparison

Right-click any request and select "Open on Side" to view multiple requests simultaneously (up to 8 panels). Each panel is fully editable with its own Send button.

Diff Highlighting

With 2+ panels open, toggle "Diff" to highlight differences between the first two panels in Raw view:

Green = added lines
Red = removed/changed lines
Changed lines paired on the same row for alignment
Synchronized scrolling keeps panels in sync

Import cURL

Paste a cURL command to create a request. Supports common cURL flags like -H, -d, -X.

Intercept

Attach Chrome Debugger (CDP) to intercept requests in-flight. This enables true request/response modification before they're sent or received.

Features

Separate toggles for request and response interception
Pause requests and/or responses matching URL patterns
Edit method, URL, headers, body before forwarding
Edit status code, response headers, body before page receives it
Drop requests/responses entirely
Forward All / Drop All for batch operations

Request Interception

Paused requests appear in the queue with blue border and "REQ" badge. Edit and forward, or drop to cancel.

Response Interception

Enable the "Responses" toggle to intercept responses. Paused responses appear with green border and "RES" badge.

Use cases:

Bypass client-side validation by modifying API responses
Test error handling by changing status codes
Inject payloads into response bodies
Remove security headers to test CSP/CORS bypasses

Browser Limitations

Some headers are added by the browser after interception:

Cookie - Added automatically from stored cookies
Host - Determined by URL
Content-Length - Calculated from body
Origin / Referer - Security-controlled

Intruder

Payload fuzzing for URLs, parameters, and request bodies. Mark positions with §marker§ syntax and run attacks.

Marking Positions

Select text in the URL, headers, or body and click "Add §" (or Ctrl/Cmd+M) to mark payload positions:

https://api.example.com/users/§1§
{"username":"§admin§","password":"§test§"}

Attack Types

Type	Description	Request Count
Sniper	Each payload at each position individually	positions × payloads
Battering Ram	Same payload in all positions	payloads
Pitchfork	Parallel iteration (payload[i] → position[i])	min(set lengths)
Cluster Bomb	All combinations (cartesian product)	set1 × set2 × ...

Payload Generator

Generate character set combinations for bruteforce attacks:

Presets: Digits [0-9], Lowercase [a-z], Alphanumeric, Hex [0-9a-f]
Custom character sets
Min/max length (1-8)
Live count estimate with warnings at 100k+

Grep Match

Flag responses based on pattern matching:

Enable "Match" and enter pattern to search in response body
Regex toggle for regex vs literal string
Negative toggle to flag when pattern is NOT found

Example: PIN bruteforce with pattern "The code was wrong" and Negative checked - results where error is ABSENT show Y (successful PIN).

Results

Real-time results table showing payload, position, status, time, size, and match status. Filter and export results as CSV.

Target Map

Auto-discover endpoints from captured traffic. Displays a hierarchical tree view of domains and paths.

Features

Automatic endpoint discovery from network traffic
Path extraction from JS/HTML response bodies
Collapsible tree organized by domain
Status code indicators (color-coded)
Tech badges per domain (detected via Recon rules)

Status Indicators

● - Visited (from network traffic)
○ - Discovered (from source analysis)
◐ - Probed (with status code)
↓ - Download file

Endpoint Probing

Probe domains for common endpoints (robots.txt, sitemap.xml, swagger.json, etc.):

"Probe Current Site" button in the toolbar
Configurable endpoint list via "Probe Settings"
Automatic parsing of sitemap.xml and robots.txt
Results show in Target Map and Repeater history

Spider

Crawl discovered endpoints to find additional paths:

Mode	Method	Best For
Passive (Fetch)	JS fetch in background	Lightweight, no page navigation
Active (Navigate)	CDP Page.navigate	SPAs, JavaScript-rendered content

Spider Settings

Max depth - Maximum link depth (default: 3)
Max requests - Stop after this many (default: 100)
Throttle - Delay between requests
Follow forms - Include form action URLs
Submit forms - Submit POST forms with minimal data (active mode)
Allow downloads - When disabled, file downloads are blocked and tracked with a ↓ indicator in Target Map (active mode)

Parameter Extraction

Click the expand icon next to an endpoint to see extracted parameters:

query - Query string parameters
body-form - Form body parameters
body-json - JSON body keys
header - Authorization, X-* headers, cookies

Recon

Rule-based traffic fingerprinting that detects technologies from HTTP traffic. Rules can also define actions that modify and resend requests in Active mode.

Triggers View

Hierarchical grouping: Category → Rule → Matched Value
Collapsible at each level
Shows occurrence count and domains per matched value
Severity indicators for security-relevant findings
Click to navigate to request in Repeater

Rules View

Enable/disable individual rules
Add custom rules via Simple form or Advanced JSON editor
Import/Export rule packs
Reset to default rules

Rule Schema

Each rule has conditions (what to match) and optional actions (what to do in Active mode):

{
  id: "server-nginx",
  name: "Nginx",
  category: "server",
  severity: "info",
  conditions: [{
    target: "response",
    location: "headers",
    pattern: "Server:.*nginx"
  }],
  actions: [{
    type: "replace",
    location: "headers",
    pattern: "User-Agent:.*",
    replacement: "User-Agent: CustomBot"
  }]
}

Default Rules (67)

Servers - Nginx, Apache, IIS, Express.js, etc.
CDNs - Cloudflare, BunnyCDN, Akamai, Fastly, etc.
Frameworks - Next.js, Nuxt.js, ASP.NET, PHP, Rails, etc.
Security - HSTS, CSP, CORS issues, WAF detection, etc.
Secrets - AWS keys, GitHub tokens, API keys, etc.

Sequences

Chain multiple HTTP requests together with variable substitution and response extraction. Designed for multi-step exploits, authentication flows, and reproducible attack chains.

Core Concepts

Sequences - Named collections of ordered steps
Variables - Placeholders using {{VARNAME}} syntax
Extraction Rules - Regex patterns to capture values from responses
Transform Steps - Apply encode/decode/hash operations

Step Types

Request Step - Send HTTP request, optionally extract values
Transform Step - Apply decoder scripts to transform variables
Condition Step - Validate response, continue or stop based on result

Variable Types

user - User-provided values with defaults
extracted - Values captured from step responses
context - Auto-injected when triggered by recon rule

Example Sequence

Step 1: Login
  POST https://{{TARGET}}/api/login
  Body: {"user":"{{USERNAME}}"}
  Extract: TOKEN from body "token":"([^"]+)"

Step 2: Encode Token
  Transform: TOKEN → base64-encode → ENCODED_TOKEN

Step 3: Authenticated Request
  GET https://{{TARGET}}/api/profile
  Header: Authorization: Bearer {{TOKEN}}

Cookies

View and manage browser cookies for all domains. Full CRUD operations with import/export support.

Features

View all cookies grouped by domain
Search by name, value, or domain
Add new cookies with full attribute control
Edit existing cookies
Delete individual or clear all for a domain
Export/Import as JSON

Cookie Attributes

name / value - Cookie data
domain - Domain scope
path - URL path scope (default: /)
secure - HTTPS only
httpOnly - JavaScript inaccessible
sameSite - Cross-site policy (Lax, Strict, None)

Note: HttpOnly cookies can be viewed but not modified via extension APIs.

Storage

View and manage localStorage and sessionStorage for the current page.

Features

Toggle between localStorage and sessionStorage
Search by key or value
Add, edit, delete storage items
Clear all storage
Changes reflect immediately in the page

WebSocket

Monitor WebSocket connections and frames in real-time.

Features

Real-time capture of connections and frames
Connections grouped by URL
Direction indicators: → outgoing (blue), ← incoming (green)
Connection status badges (Connected/Closed)
Search frames by content or URL
Direction filter: All / Incoming / Outgoing
JSON payloads auto-formatted in detail view

Scripts (Encode/Decode/Hash)

All text transformation operations are JavaScript scripts executed in a sandboxed iframe. There are no hardcoded operations - everything is a script that users can view, edit, or replace.

Usage

Right-click on selected text to open context menu
Works on editable fields (replaces in-place) and read-only content (shows result in modal)
Chain transformations from the result modal

Default Scripts (19)

Encode (8) - Base64, Base32, URL, HTML entities, Hex, Unicode, JSON string
Decode (9) - Base64, Base32, URL, HTML entities, Hex, Unicode, JSON string, JWT
Hash (3) - MD5, SHA-1, SHA-256

Custom Scripts

Open "Manage Scripts..." to create custom scripts. Each script receives input and must return the result:

{
  id: "my-script",
  name: "My Transform",
  category: "transform",
  code: "return input.toUpperCase();"
}

Keyboard Shortcuts

Tab Switching (Ctrl/Cmd+Shift+Key)

Key	Tab
R	Repeater
I	Intruder
P	Intercept (Proxy)
T	Target Map
N	Recon
C	Cookies
S	Storage
W	WebSocket
Q	Sequences

Intercept Actions

Shortcut	Action
Ctrl+F	Forward selected item
Ctrl+D	Drop selected item
Ctrl+T	Toggle interception
Ctrl+Shift+F	Forward all

Encode/Decode (with text selected)

Shortcut	Action
Ctrl+U	URL encode
Ctrl+Shift+U	URL decode
Ctrl+B	Base64 encode
Ctrl+Shift+B	Base64 decode

Session Management

Save and restore complete application state to/from JSON files. Access via the save icon in the header.

Save Session

Downloads current state as a .json file. Option to exclude response bodies for smaller files.

Data Saved

Request history (with optional response bodies)
Target map (domains, paths, endpoints)
Recon rules, triggers, and findings
Intruder configuration and results
Sequences
Scope configuration
Settings

Load Session

Load state from a .json file. Shows confirmation when loading over existing data.