INTRODUCING PHANTOMPROXY: A BROWSER-NATIVE HTTP PROXY & REPEATER FOR SECURITY RESEARCHERS
HTTP Proxy, Web Application Security

⬡ PhantomProxy

HTTP PROXY // WEB SECURITY

researcher
Naveen Jagadeesan
published
2026-06-28
platform
Tools

A cyberpunk-themed HTTP traffic inspector and request repeater — browser DevTools extension for Microsoft Edge and Chrome. Built for developers, security researchers, and bug bounty hunters.

What is PhantomProxy?

PhantomProxy is a lightweight in-browser security testing tool inspired by Burp Suite's proxy and repeater workflow. It captures all HTTP/HTTPS traffic from your browser tab in real time, lets you inspect every request and response in detail, replay and modify requests, decode tokens, manage your test scope, and bookmark interesting findings — all without setting up a system proxy, installing Java, or leaving your browser.

Installation

Microsoft Edge Add-ons Store

Search for PhantomProxy on the Microsoft Edge Add-ons store and click Install.

Manual Installation from GitHub

Clone the repository from GitHub and follow the installation instructions.

Load Unpacked (Developer Mode)

  1. Download and extract the phantom-proxy.zip
  2. Open edge://extensions/ (or chrome://extensions/)
  3. Enable Developer Mode (top-right toggle)
  4. Click Load unpacked and select the phantom-proxy folder
  5. Open any page → press F12 → click the PhantomProxy tab in DevTools

Standalone Window

Click the PhantomProxy icon in your toolbar → click ◈ EXECUTE to open PhantomProxy as a full dedicated window. Ideal for a second monitor or a focused testing session.

Features

◎ Scope Tab

Define exactly which targets you care about before you start testing.

◈ History Tab

Passive, real-time capture of all HTTP/HTTPS traffic — no proxy configuration required.

Capture

Filter Bar — Row 1

Filter Bar — Row 2

Request List

Auto-highlight FLAGS PhantomProxy automatically detects and badges interesting requests:

BadgeWhat it detects
JWTJWT token in any request header
API KEYx-api-key, api_key= parameter
AUTHBearer / Basic auth headers
ADMIN/admin, /dashboard, /console, /manage paths
SENSITIVE/password, /reset, /token, /config, /.env
UPLOADFile upload endpoints, multipart/form-data
403Forbidden responses — worth testing for bypasses
5xxServer errors
SQL?SQL patterns in request bodies
GraphQL/graphql endpoint or mutation/query body
WSWebSocket connections

Request Detail Pane Click any row to open the full detail view:

Bookmark / Highlight System Right-click any request row to open the highlight menu:

Export / Import

⟳ Repeater Tab

Edit and replay any captured request, or build one from scratch.

Sessions

Request Editor

cURL Import Click ⬆ IMPORT CURL to paste a cURL command directly into the Repeater. Supports:

Response Viewer

- PRETTY renders JSON with full syntax highlighting and XML with indentation - PRETTY button is disabled and dimmed when the response is not a prettifiable format

⌥ Decoder Tab

Built-in encoder/decoder for common security research transforms.

OperationDescription
Base64 Decode / EncodeStandard Base64
URL Decode / Encode%xx percent encoding
HTML Decode / EncodeHTML entity encoding
Hex Encode / DecodeHexadecimal byte encoding
JSON FormatPretty-print and validate JSON
JWT DecodeSplits header, payload, signature — flags alg: none and HS256 with a warning banner
SHA-256 HashVia Web Crypto API

Chain mode — ⇄ button pipes the output back into the input for multi-step transforms (e.g. Base64 decode → URL decode in two clicks).

Keyboard Shortcuts

ShortcutAction
Ctrl + EnterSend request (when focused in Repeater URL/body/raw)
Ctrl + LClear history
Ctrl + FFocus the URL filter input

Architecture

phantom-proxy/
├── manifest.json            # Manifest V3 — no "type: module" (required for webRequest)
├── background/
│   └── worker.js            # Classic service worker: traffic capture, repeater fetch, keepalive
├── devtools/
│   ├── devtools.html        # Registers the DevTools panel
│   └── devtools.js          # chrome.devtools.panels.create()
├── panel/
│   ├── panel.html           # Full UI shell
│   ├── panel.css            # Cyberpunk dark theme
│   ├── panel.js             # Core UI logic, state management, message handling
│   └── features.js          # v2 feature module: scope engine, highlight rules, HAR export/import, cURL parser
├── popup/
│   ├── popup.html           # Toolbar popup with Execute button
│   └── popup.js             # Opens standalone window via chrome.windows.create()
└── icons/
    ├── icon16.png
    ├── icon48.png
    └── icon128.png

How traffic capture works

PhantomProxy uses the browser's webRequest API — a passive observation API that fires events for every HTTP request without intercepting or blocking traffic.

Page makes request
      ↓
onBeforeRequest  → captures URL, method, request body
onSendHeaders    → captures request headers
onHeadersReceived → captures response status + headers
onCompleted      → finalizes timing, pushes to requestStore
      ↓
broadcastToDevtools() → postMessage to panel port
      ↓
Panel renders row in History tab

The background service worker stores up to 500 requests in memory and broadcasts each completed request to all connected panels (both DevTools and standalone) via chrome.runtime.connect ports.

Repeater requests are fired from the background worker using fetch() — this bypasses CORS restrictions that would block requests from the panel page context.

Security design

Permissions

PermissionWhy it's needed
webRequestTo observe HTTP traffic — the core function of the tool
tabsTo associate requests with the correct tab and populate the standalone tab selector
storageTo persist scope definitions and bookmarks across sessions
scriptingFor DevTools panel integration
webNavigationTo detect page navigation and handle request lifecycle correctly
windowsTo open PhantomProxy as a standalone window via the Execute button
<all_urls>To observe requests to any domain — required since security testing targets vary

Notes

Privacy

PhantomProxy collects no data. All captured traffic is processed entirely within your local browser and is never transmitted to any server. No analytics, no telemetry, no tracking.

Full privacy policy: thevillagehacker.com/projects/Phantom-Proxy_privacy-policy.html

Screenshots

Scope Tab

PhantomProxy Scope Tab

History Tab

PhantomProxy History Tab

Repeater Tab

PhantomProxy Repeater Tab

Decoder Tab — JWT Decode

PhantomProxy Decoder - JWT Decode

Thank you for reading! If you give PhantomProxy a try, I'd greatly appreciate your feedback, suggestions, or feature requests. Every bit of input helps improve the tool and shape future releases. Happy hacking!