by boarnoah 1014 days ago
This extension is still very cool.

+1 to CyberChef, it's awesome. If you really have qualms about the URL, it's trivial to re-host / serve it to yourself offline.

My favorite part is the whole recipe feature (CyberChef builds a URL with the configured processors you use to process data).

I find myself using that a ton to share XPath / JPath expression-type work with sample data to others by sharing that URL.


I've been curious about this: Is there a way to exfiltrate data from a locally downloaded single page application?

Due to the same-origin principle, plain XHR and similar should be out, but what about CORS or script/image embedding with query parameters?

Data exfiltration works just fine with a locally downloaded SPA. There's script/image embedding as you mention. There's also iframes and form submissions.

As for XHR, the same-origin principle doesn't prevent the request from going out; it prevents the response from being readable by the page. Even so, a remote site can add the right CORS headers to allow access from anywhere, and your browser will happily send the data out AND allow the page to read the response.

You could probably mitigate most, if not all, exfiltration using a CSP [1] that you manually add to the HTML meta tag.

The reason for using a local copy is so once I verify that the copy I have is "clean" (either built myself or reviewed, and confirmed to not send data out) then I can trust that version until I replace it.

If I load data from a website, there are no guarantees that I don't get a different version every time.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
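An added example, not part of the thread: a small JavaScript check that maps each channel named in the comment above (script/image embedding, iframes, form submissions, XHR) to the CSP directive that governs it, reports which ones a given policy still leaves open to remote hosts, and inserts the policy as a meta tag. The function names and both sample policies are constructed for illustration, and `'self'` is assumed to mean the local copy only.

```javascript
// Added example: the thread's channels mapped to the CSP directive governing each.
const CHANNELS = {
  "script embedding": "script-src",
  "image embedding": "img-src",
  "iframes": "frame-src",
  "form submissions": "form-action",
  "XHR/fetch": "connect-src",
};
// form-action never falls back to default-src; frame-src tries child-src first.
const FALLBACK = { "form-action": [], "frame-src": ["child-src", "default-src"] };

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // As in browsers, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Quoted keywords, nonces and hashes name no remote host; 'strict-dynamic' is the exception.
const isRemote = (s) =>
  s === "'strict-dynamic'" || !(s.startsWith("'") || s === "data:" || s === "blob:");

function openChannels(policy) {
  const d = parseCsp(policy);
  return Object.entries(CHANNELS).filter(([, directive]) => {
    const chain = [directive, ...(FALLBACK[directive] ?? ["default-src"])];
    const governing = chain.find((name) => d.has(name));
    // No governing directive at all means the channel is unrestricted.
    return governing === undefined || d.get(governing).some(isRemote);
  }).map(([channel]) => channel);
}

function addCspMeta(html, policy) {
  const meta = `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
  // Place it first in <head> so it applies before any script or image loads.
  return html.replace(/<head[^>]*>/i, (head) => `${head}\n${meta}`);
}

// Constructed sample policies (assumptions, not taken from CyberChef or the thread).
const LOCKED = "default-src 'none'; script-src 'self' 'unsafe-inline'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'none'";
const WEAK = "default-src 'none'; img-src *";
```

`openChannels(WEAK)` reports form submissions as open even though `default-src` is `'none'`, because `form-action` has to be set explicitly.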

It's possible if the destination allows it, like Google Analytics