* feat(safari): localstorage extraction

  Extracts Safari 17+ localStorage from WebKit's nested layout — WebsiteDataStore/<uuid>/Origins/<top-hash>/<frame-hash>/LocalStorage/localstorage.sqlite3 for named profiles, WebsiteData/Default for the default profile. Parses the binary SecurityOrigin serialization (length-prefixed scheme+host plus 0x00 default-port or 0x01 <uint16_le> explicit-port section) and decodes UTF-16 LE ItemTable value BLOBs, capping oversized values at 2048 bytes to match the Chromium extractor. Reports the frame origin URL so partitioned third-party storage is attributed to the iframe origin JavaScript actually sees.

  Closes the remaining LocalStorage checkbox in #565.

* docs(safari): add RFC-011 data storage

  Documents Safari's profile structure, per-category file layouts, and storage formats including the Safari 17+ nested WebKit Origins localStorage layout and binary SecurityOrigin serialization. Defers Keychain credential extraction to RFC-006 §7 and notes the cross-browser differences (plaintext cookies, plist bookmarks/downloads, Core Data epoch timestamps, partitioned storage).

* fix(safari): latin-1 origin decoding, NULL key skip, count fast-path

  - Decode originEncASCII via decodeLatin1 so high-byte records preserve their ISO-8859-1 meaning instead of being interpreted as UTF-8. Matches the pattern in chromium/extract_storage.go.
  - Skip ItemTable rows where key is NULL — SQLite's UNIQUE constraint permits multiple NULLs, and silently lowering them to empty strings would collide with legitimate empty-string keys.
  - countLocalStorage now walks origin dirs and runs SELECT COUNT(key) per localstorage.sqlite3 instead of fully decoding every value. COUNT(key) naturally excludes NULLs, keeping count and extract symmetric.

  Addresses Copilot review feedback on #582.

* fix(safari): round-2 review — WAL replay, stable ordering, error context

  - Drop immutable=1 on temp-copy SQLite opens in readLocalStorageFile / countLocalStorageFile. Session.Acquire copies the -wal / -shm sidecars, so mode=ro alone lets SQLite replay WAL on the ephemeral copy and surface entries Safari committed to WAL but hasn't checkpointed yet. Live-file reads in profiles.go keep immutable=1 as before.
  - Order ItemTable query by (key, rowid) for deterministic exports across runs and SQLite versions.
  - Wrap os.ReadFile / os.ReadDir errors with the offending path so multi-origin debug logs stay scannable.
  - RFC-011 §7 rewritten to explain the live-vs-temp split.
  - New regression test asserts ORDER BY surfaces rows in key order.

  Addresses round-2 Copilot review on #582.
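
The WAL-replay point in the last commit above, shown as an added example (not code from the HackBrowserData repository): a copied SQLite database opened with `immutable=1` hides rows that are committed only to the `-wal` sidecar, while `mode=ro` alone replays them. It uses Python's standard-library `sqlite3` rather than the project's Go so it runs without a third-party driver; the database, keys and values are constructed stand-ins, and `wal_visibility_demo` is a hypothetical name.

```python
import os
import shutil
import sqlite3
import tempfile


def wal_visibility_demo():
    """Return (keys seen with immutable=1, keys seen with mode=ro only)."""
    live_dir, copy_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    live = os.path.join(live_dir, "localstorage.sqlite3")

    # Constructed stand-in for a browser-owned database, in autocommit mode.
    writer = sqlite3.connect(live, isolation_level=None)
    writer.execute("PRAGMA journal_mode=WAL").fetchall()
    writer.execute("CREATE TABLE ItemTable (key TEXT UNIQUE, value BLOB)")
    writer.execute("INSERT INTO ItemTable VALUES ('checkpointed', x'6100')")
    # Move everything written so far from the WAL into the main file.
    writer.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    # This row is committed, but it exists only in the -wal sidecar.
    writer.execute("INSERT INTO ItemTable VALUES ('wal-only', x'6200')")

    # Acquisition: copy the main file and its sidecars while the writer is
    # still open (closing the last connection would checkpoint the WAL).
    for suffix in ("", "-wal", "-shm"):
        shutil.copy(live + suffix, copy_dir)
    copied = os.path.join(copy_dir, "localstorage.sqlite3")

    def keys(params):
        con = sqlite3.connect(f"file:{copied}?{params}", uri=True)
        try:
            rows = con.execute(
                "SELECT key FROM ItemTable ORDER BY key, rowid")
            return [row[0] for row in rows]
        finally:
            con.close()

    immutable = keys("mode=ro&immutable=1")  # WAL is ignored
    replayed = keys("mode=ro")               # WAL is replayed on the copy

    writer.close()
    shutil.rmtree(live_dir)
    shutil.rmtree(copy_dir)
    return immutable, replayed
```
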
HackBrowserData
HackBrowserData is a command-line tool for decrypting and exporting browser data (passwords, history, cookies, bookmarks, credit cards, download history, localStorage, sessionStorage and extensions) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.
Disclaimer: This tool is only intended for security research. Users are responsible for all legal and related liabilities resulting from the use of this tool. The original author does not assume any legal responsibility.
Supported Data Categories
| Category | Chromium-based | Firefox |
|---|---|---|
| Password | ✅ | ✅ |
| Cookie | ✅ | ✅ |
| Bookmark | ✅ | ✅ |
| History | ✅ | ✅ |
| Download | ✅ | ✅ |
| Credit Card | ✅ | - |
| Extension | ✅ | ✅ |
| LocalStorage | ✅ | ✅ |
| SessionStorage | ✅ | - |
Supported Browsers
On macOS, some Chromium-based browsers require the current user's password to decrypt.
| Browser | Windows | macOS | Linux |
|---|---|---|---|
| Chrome | ✅ | ✅ | ✅ |
| Chrome Beta | ✅ | ✅ | ✅ |
| Chromium | ✅ | ✅ | ✅ |
| Edge | ✅ | ✅ | ✅ |
| Brave | ✅ | ✅ | ✅ |
| Opera | ✅ | ✅ | ✅ |
| OperaGX | ✅ | ✅ | - |
| Vivaldi | ✅ | ✅ | ✅ |
| Yandex | ✅ | ✅ | - |
| CocCoc | ✅ | ✅ | - |
| Arc | - | ✅ | - |
| ✅ | - | - | |
| 360 ChromeX | ✅ | - | - |
| 360 Chrome | ✅ | - | - |
| DC Browser | ✅ | - | - |
| Sogou Explorer | ✅ | - | - |
| Firefox | ✅ | ✅ | ✅ |
Getting Started
Install
Installation of HackBrowserData is dead-simple: just download the release for your system and run the binary.
You can also install via Homebrew:
```bash
brew install moonD4rk/tap/hack-browser-data
```
In some situations, this security tool will be treated as a virus by Windows Defender or other antivirus software and cannot be executed. The code is all open source, so you can modify and compile it yourself.
Building from source
Requires Go 1.20+.
```bash
git clone https://github.com/moonD4rk/HackBrowserData
cd HackBrowserData
go build ./cmd/hack-browser-data/
```
Cross-platform build
```bash
# For Windows
GOOS=windows GOARCH=amd64 go build ./cmd/hack-browser-data/
# For Linux
GOOS=linux GOARCH=amd64 go build ./cmd/hack-browser-data/
```
Usage
```
$ hack-browser-data -h
hack-browser-data decrypts and exports browser data from Chromium-based
browsers and Firefox on Windows, macOS, and Linux.

GitHub: https://github.com/moonD4rk/HackBrowserData

Usage:
  hack-browser-data [flags]
  hack-browser-data [command]

Available Commands:
  dump        Extract and decrypt browser data (default command)
  help        Help about any command
  list        List detected browsers and profiles
  version     Print version information

Flags:
  -b, --browser string        target browser: all|chrome|firefox|edge|... (default "all")
  -c, --category string       data categories (comma-separated): all|password,cookie,... (default "all")
  -d, --dir string            output directory (default "results")
  -f, --format string         output format: csv|json|cookie-editor (default "csv")
  -h, --help                  help for hack-browser-data
      --keychain-pw string    macOS keychain password
  -p, --profile-path string   custom profile dir path, get with chrome://version
  -v, --verbose               enable debug logging
      --zip                   compress output to zip

Use "hack-browser-data [command] --help" for more information about a command.
```
dump - Extract and decrypt browser data (default)
Running hack-browser-data without a subcommand defaults to dump.
| Flag | Short | Default | Description |
|---|---|---|---|
| `--browser` | `-b` | `all` | Target browser (`all\|chrome\|firefox\|edge\|...`) |
| `--category` | `-c` | `all` | Data categories, comma-separated (`all\|password\|cookie\|bookmark\|history\|download\|creditcard\|extension\|localstorage\|sessionstorage`) |
| `--format` | `-f` | `csv` | Output format (`csv\|json\|cookie-editor`) |
| `--dir` | `-d` | `results` | Output directory |
| `--profile-path` | `-p` | | Custom profile dir path, get with chrome://version |
| `--keychain-pw` | | | macOS keychain password |
| `--zip` | | `false` | Compress output to zip |
list - List detected browsers and profiles
| Flag | Default | Description |
|---|---|---|
| `--detail` | `false` | Show per-category entry counts |
version - Print version information
```bash
hack-browser-data version
```
Global flags
| Flag | Short | Description |
|---|---|---|
| `--verbose` | `-v` | Enable debug logging |
Examples
```bash
# Extract all data from all browsers (default)
hack-browser-data

# Extract specific browser and categories
hack-browser-data dump -b chrome -c password,cookie

# Export in JSON format to a custom directory
hack-browser-data dump -b chrome -f json -d output

# Export cookies in CookieEditor format
hack-browser-data dump -f cookie-editor

# Compress output to zip
hack-browser-data dump --zip

# List detected browsers and profiles
hack-browser-data list

# List with per-category entry counts
hack-browser-data list --detail

# Use custom profile path
hack-browser-data dump -b chrome -p "/path/to/User Data/Default"
```
Contributing
We welcome and appreciate any contributions made by the community (GitHub issues/pull requests, email feedback, etc.).
Please see the Contribution Guide before contributing.
Contributors
| Roger | Aquilao Official | uinfziuna8n | Cyrus | stevenlele | Carlo Mandelli |
| slimwang | Amir. | a-urth | Ciprian Conache | Santiago Ramirez | beichen |
| guoguangwu | zhe6652 | LC | mirefly | YuXJ | zznQ |
404StarLink 2.0 - Galaxy
HackBrowserData is a part of 404Team StarLink-Galaxy. If you have any questions about HackBrowserData or want to find a partner to communicate with, please refer to the Starlink group.

JetBrains OS licenses
HackBrowserData has been developed with the GoLand IDE under the free JetBrains Open Source license(s) granted by JetBrains s.r.o., hence I would like to express my thanks here.

