Teycir Ben Soltane

Excalibur: A Manual WAF Bypass & Cookie Extractor Tool for Security Researchers

Modern web applications employ increasingly sophisticated security measures including Web Application Firewalls (WAFs), CAPTCHAs, and bot detection systems. These protections often block automated security scanners and make it difficult to test APIs behind authentication.

Introducing Excalibur — a dual-component security testing tool designed to bypass WAFs, CAPTCHAs, and other anti-bot protections through manual browser interaction.


What is Excalibur?

Excalibur consists of two integrated components:

  1. Chrome Extension — Intercepts and records HTTP traffic while you manually solve CAPTCHAs, complete authentication flows, and navigate through protected applications.

  2. Burp Suite Extension — Imports recorded HTTP Archive (HAR) files and extracted cookies into Burp Suite, enabling automated security testing on previously protected endpoints.

The bridge between manual browser interaction and automated security testing? That's exactly what Excalibur provides.


The Problem Excalibur Solves

As security researchers and bug hunters, we've all faced these challenges:

  • WAF blocks preventing automated scanning
  • CAPTCHAs requiring human interaction
  • Authentication walls blocking API exploration
  • Session management nightmare when working across tools

Traditional approaches involve:

  • Manually copying cookies (error-prone and tedious)
  • Disabling protections (not always possible or ethical)
  • Writing custom browser automation scripts (time-consuming)
  • Getting blocked by sophisticated bot detection

Excalibur offers a clean, efficient solution that maintains legitimate sessions through manual interaction while capturing everything needed for automated analysis.


How Excalibur Works

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│   Manual     │ →   │   Excalibur  │ →   │   Burp Suite │
│   Browser    │     │   Record &   │     │   Security   │
│  Interaction │     │    Export    │     │    Testing   │
└──────────────┘     └──────────────┘     └──────────────┘

1. Manual Browser Interaction

You browse the target application manually in Chrome, solving any CAPTCHAs or authentication challenges as a normal user would. This establishes a legitimate session that bypasses WAF protections.

2. Traffic Recording

Excalibur records all HTTP traffic during your session using Chrome's webRequest API. It captures:

  • Complete request/response data
  • All headers (including authentication tokens)
  • Cookies with domain and path information
  • Timing data for analysis

3. Export and Import

Export the recorded session as HAR and JSON files, then load them into Burp Suite for detailed security analysis, automated scanning, and manual testing.


Key Features

Chrome Extension Features

Feature | Description
▶️ Start/Stop Recording | Toggle session recording with visual feedback
📊 Real-time Counters | Live display of captured requests and cookies
📦 HAR Export | Export recorded traffic in standard HTTP Archive format
🍪 Cookie Extraction | Automatic extraction of all cookies to JSON
🎨 Modern UI | Clean, gradient-based user interface
🔄 Background Recording | Continuous recording via Chrome service worker API
🔍 DevTools Panel | Integrated panel for advanced monitoring

Burp Suite Extension Features

Feature | Description
📥 HAR File Loading | Import HAR files directly into Burp Site Map
🍪 Cookie Import | Import JSON cookies into Burp Cookie Jar
📊 Request History | Sortable table view of all imported requests
📈 Statistics Panel | Summary of requests, hosts visited, and timestamps
📝 Activity Log | Detailed timestamped log of all operations
🔄 Session Replay | Replay imported requests with captured cookies

Quick Start Guide

Installing the Chrome Extension

  1. Open Chrome → chrome://extensions/
  2. Enable Developer mode (top right toggle)
  3. Click Load unpacked
  4. Select the chrome extension/ folder from Excalibur
  5. Pin the Excalibur icon to your toolbar

Installing the Burp Suite Extension

  1. Open Burp Suite (Professional or Community)
  2. Go to Extensions → Add → Python
  3. Select burp-extension/excalibur_loader.py
  4. Verify extension loads successfully
  5. Navigate to the new Excalibur tab

Prerequisites

  • Chrome/Chromium browser
  • Burp Suite (Professional or Community Edition)
  • Jython standalone JAR (for Burp Python support)

Usage Workflow: Simple 3-Step Process

Step 1: Record in Chrome

  1. Click the Excalibur icon in Chrome
  2. Click ▶️ Start Recording
  3. Navigate to your target site
  4. Solve CAPTCHAs, complete authentication flows, browse as normal
  5. Click ⏹️ Stop Recording

The extension displays real-time counters showing how many requests and cookies have been captured.

Step 2: Export HAR Files

  1. Click 📦 Export HAR
  2. Two files download automatically:
    • excalibur-session-YYYYMMDD-HHMMSS.har — Complete HTTP traffic
    • excalibur-session-YYYYMMDD-HHMMSS-cookies.json — All cookies

Step 3: Load in Burp Suite

  1. Open Burp Suite → Excalibur tab
  2. Click Load HAR File → Select your exported HAR
  3. Click Load Cookies JSON → Select your exported cookies
  4. View requests in Target → Site Map and History tabs

Now you have complete access to the protected application through Burp Suite!


Understanding the Output Files

HAR File (excalibur-session-YYYYMMDD-HHMMSS.har)

The HTTP Archive format contains:

  • All recorded requests and responses
  • Request/response headers including authentication tokens
  • Request and response bodies (if captured)
  • Timing data for performance analysis
  • Can be imported into Burp, OWASP ZAP, or other security tools
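
Because the HAR contents listed above include live authentication tokens and cookies, a capture should be scrubbed before it is attached to a report or shared. The following is an added example, not part of Excalibur or the original post: it redacts credential-bearing headers and all cookie values from a standard HAR 1.2 structure. The header list and the sample entry are constructed assumptions.

```python
import copy

# Header names whose values are credentials (assumed list; compared lowercase).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key", "x-csrf-token"}
REDACTED = "[REDACTED]"


def _scrub_pairs(pairs, sensitive_names=None):
    """Redact 'value' in a HAR name/value list; return how many were redacted."""
    changed = 0
    for pair in pairs or []:
        name = pair.get("name", "").lower()
        # sensitive_names=None means every entry in the list is sensitive.
        if sensitive_names is None or name in sensitive_names:
            pair["value"] = REDACTED
            changed += 1
    return changed


def redact_har(har):
    """Return (redacted deep copy of a HAR 1.2 dict, number of values redacted)."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            count += _scrub_pairs(msg.get("cookies"))  # every cookie value
    return out, count


# Constructed sample: one entry shaped like HAR 1.2, not real captured traffic.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://app.example.test/api/me",
        "headers": [{"name": "Authorization", "value": "Bearer sample-token"},
                    {"name": "Accept", "value": "application/json"},
                    {"name": "Cookie", "value": "sid=sample-session"}],
        "cookies": [{"name": "sid", "value": "sample-session"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=rotated; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "rotated", "httpOnly": True}]},
}]}}

if __name__ == "__main__":
    print("redacted values:", redact_har(SAMPLE_HAR)[1])
```

Request and response bodies and URL query strings can also carry tokens; this example leaves them untouched, so review them separately before sharing a capture.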

Cookies JSON (excalibur-session-YYYYMMDD-HHMMSS-cookies.json)

Contains all cookies with:

  • Domain and path information
  • Expiration dates
  • Secure and HttpOnly flags
  • Perfect for importing into Burp's Cookie Jar or other tools

Use Cases

Bug Bounty Hunting

  • Capture authenticated sessions to test protected endpoints
  • Bypass WAFs to explore hidden functionality
  • Export session tokens for API testing
  • Document complete request flows for vulnerability reports

Penetration Testing

  • Maintain legitimate sessions during assessments
  • Test APIs behind authentication without credential sharing
  • Document complete attack paths with full request/response data
  • Generate consistent test cases from recorded sessions

Security Research

  • Analyze WAF behavior through legitimate traffic patterns
  • Study CAPTCHA implementations and bypass techniques
  • Document security controls and testing methodologies
  • Create reproducible test scenarios

Technical Architecture

Excalibur leverages modern browser and security tool APIs:

┌─────────────────┐
│  Chrome Browser │
│   (User solves  │
│    CAPTCHAs)    │
└────────┬────────┘
           │ webRequest API
           ↓
┌─────────────────┐
│    Excalibur    │
│    Extension    │
│  (background.js)│
└────────┬────────┘
           │ Export HAR + JSON
           ↓
┌─────────────────┐
│   Downloads     │
│  .har + .json   │
└────────┬────────┘
           │ Manual Import
           ↓
┌─────────────────┐
│  Burp Suite     │
│  Excalibur Tab  │
│  (Python Ext.)  │
└─────────────────┘

Chrome Extension

  • Uses webRequest API for traffic interception
  • Service worker for background recording
  • Chrome Storage API for state management
  • Popup and DevTools panel for user interaction

Burp Suite Extension

  • IBurpExtender interface for Burp integration
  • Swing-based UI matching Chrome extension design
  • Jython support for compatibility
  • Message registration for request interception

Security & Ethical Considerations

⚠️ Important: Excalibur is designed for legitimate security testing only:

  • Only test applications you have permission to test
  • Use for bug bounty programs, penetration testing engagements, or your own applications
  • Respect rate limits and avoid excessive traffic
  • Document findings responsibly and disclose issues through proper channels
  • Follow ethical guidelines and legal requirements

Excalibur helps security professionals do their jobs more efficiently — it doesn't replace proper authorization and responsible disclosure.


What's New in v2.0?

  • Modernized UI with gradient-based design
  • Enhanced DevTools integration for better monitoring
  • Improved HAR export with better compatibility
  • Expanded Burp Suite features including session replay
  • Better statistics and logging for comprehensive analysis
  • Cross-platform support for Windows, macOS, and Linux

Getting Started

The project is open source and available on GitHub. Clone the repository, install both components, and start bypassing WAFs and capturing sessions for your security testing workflows.

Resources


Conclusion

Excalibur fills a critical gap in the security researcher's toolkit by bridging manual browser interaction with automated security testing. Whether you're hunting bugs on HackerOne, conducting penetration tests, or researching WAF bypass techniques, Excalibur streamlines the workflow and lets you focus on what matters — finding vulnerabilities.

Stop spending hours manually copying cookies and constructing requests. Install Excalibur, record your session, and import it into your favorite security testing tools.

Happy hunting! 🎯


Excalibur is released under the MIT License. Built by security professionals for security professionals.

