WebTruffleHog is a Chrome/Chromium extension that scans web traffic in real-time for exposed secrets using TruffleHog. It helps security professionals, bug bounty hunters and developers identify potential security risks by detecting sensitive information like API keys, passwords, and tokens that might be accidentally exposed in web responses.
- 🔍 Real-time Scanning: Automatically scans all web traffic for exposed secrets as you browse
- 🔌 Native TruffleHog Integration: Leverages the secret detection capabilities of TruffleHog
- 👀 User-friendly Interface: UI showing detected secrets with found URL, secret contents, and verification status
- ⚡ High Performance: Queue system and URL caching to handle large volumes of traffic without lagging your browser
WebTruffleHog leverages Chrome's webRequest API, specifically the onCompleted event listener, to analyze completed HTTP requests. Upon event triggering, the extension establishes communication with a native host process through Chrome's Native Messaging protocol.
The native host functions as a wrapper for the TruffleHog scanner, executing in an isolated process for security and stability. When receiving a URL, it initiates a fresh HTTP request to fetch and analyze the content, as direct access to Chrome's cache or local storage is architecturally restricted. While this approach ensures accurate scanning, it introduces limitations for authenticated sessions and dynamically generated content.
The implementation requires a Native Messaging Host manifest in Chrome's configuration directory (typically ~/.config/google-chrome on Linux systems), which establishes the bridge between the extension and the TruffleHog scanner process.
- Linux-based operating system
- Chrome or Chromium-based browser
- Python 3.x
- TruffleHog (must be available in system PATH)
- Clone this repository:
git clone https://github.com/c3l3si4n/webtrufflehog.git- Run the setup script pointing to your Chrome/Chromium config directory. (You can find that in chrome://version)
sudo ./setup.sh --chrome-dir /path/to/chrome/config- Reload your browser
- Open chrome://extensions
- Enable "Developer mode"
- Click "Load unpacked"
- Select the "/opt/webtrufflehog" directory and load the extension
- Now you should see the extension icon in the toolbar. The tool works passively and is always scanning all visited URLs on your browser.
The tool works passively and is always scanning all visited URLs on your browser. You can view the results in the extension popup by clicking the icon in the toolbar.
- If the tool is not working, you can check the logs in /opt/webtrufflehog/webtrufflehog.log
- Results are saved in /opt/webtrufflehog/results.json
- If you want to remove the tool, you can disable the extension in chrome://extensions and remove the native messaging host in your chrome directory.
While I do this, I don't advise using this tool on your main browser. It probably takes quite a bit of performance overhead and could lag your browser, specially in high-traffic environments.
- TruffleHog and Dylan from TruffleSec