Cross-browser extension Penetration Testing Kit
Joined May 2021
- Tweets 65
- Following 7
- Followers 77
- Likes 11
14 Photos and videos
Jun 10
Great for anyone interested in browser-side security testing, SAST, and modern web application security.
youtu.be/uUUAm4U9tA8
1
1
176
Jun 9
If you use @browserling for cross-browser testing, you can also add a lightweight security testing layer with OWASP PTK. Watch the demo.
2
2
210
pentestkit retweeted
Jun 5
ZAP now has a dedicated OWASP PTK active scan rule, so you can run the PTK rules in the ZAP active scanner.
Check out the dramatic improvement in the scores vs Google Firing Range!
zaproxy.org/blog/2026-06-05-โฆ
#zaproxy #owaspptk #appsec
7
6
1,930
May 28
๐ข๐ช๐๐ฆ๐ฃ ๐ฃ๐ง๐ ๐ถ๐ ๐ป๐ผ๐ ๐ฎ๐๐ฎ๐ถ๐น๐ฎ๐ฏ๐น๐ฒ ๐ฎ๐ ๐ฎ๐ป ๐ป๐ฝ๐บ ๐ฝ๐ฎ๐ฐ๐ธ๐ฎ๐ด๐ฒ
Instead of treating browser security testing as a separate manual activity, teams can now run PTK-backed scans as part of automation.
npmjs.com/package/pentestkit
21
pentestkit retweeted
May 6
Blog: Automating OWASP PTK with ZAP (Phase 1)
You can now automate @OWASP @pentestkit using ZAP
zaproxy.org/blog/2026-05-06-โฆ
#zaproxy #owasp #appsec
9
20
3,448
Apr 28
I wrote a scenario like a prompt, hit runโฆ and Codex just did the job.
Playwright is driving the browser.
OWASP PTK is turning it into real DAST/IAST findings.
It even solved a math captcha on its own.
This is what crawling should look like.
youtu.be/UjjrxENjyEg
85
pentestkit retweeted
Apr 3
Blog: ZAP Updates for March:
zaproxy.org/blog/2026-04-03-โฆ
ZAP was started 9.5 MILLION times .. and we announced significant collaborations with other open source projects
Cc @javamuffinztx @seqradev @pentestkit
#zaproxy #appsec
1
9
23
1,376
pentestkit retweeted
Apr 3
Like half a million of those runs were me ๐
1
2
139
pentestkit retweeted
Apr 1
This is huge!
zaproxy.org/blog/2026-04-01-โฆ
OWASP PTK massively increases ZAPโs browser side testing capabilities .. and automation is up next!
Many thanks to @pentestkit for this great integration.
#zaproxy #owasp #appsec
1
12
25
1,521
Apr 1
With OWASP PTK 9.8.0 and the ZAP PTK add-on 0.3.0, findings from PTK can now show up in ZAP as native Alerts.
zaproxy.org/blog/2026-04-01-โฆ
4
5
2,025
Mar 31
PTK 9.8.0 with auto-discovery is out and I tested it on burpbountylab.com/
10 XSS first.
Same workflow auto-discovery.
32 high-severity findings across XSS SQLi.
Video: youtu.be/bdC-hZ79kDk
#AppSec #BugBounty #XSS #SQLi #DAST
2
101
Mar 17
๐ข๐ช๐๐ฆ๐ฃ ๐ฃ๐ง๐ ๐ต.๐ณ.๐ฌ is out for Chromium and Firefox
This release is all about improving the ๐ฏ๐๐ด ๐ฏ๐ผ๐๐ป๐๐ ๐๐๐ฒ๐ฟ ๐ฒ๐
๐ฝ๐ฒ๐ฟ๐ถ๐ฒ๐ป๐ฐ๐ฒ.
See how SAST can find hidden routes!
2
29
Feb 5
๐ข๐ช๐๐ฆ๐ฃ ๐ฃ๐ง๐ ๐ต.๐ฒ.๐ฌ ๐ถ๐ ๐ผ๐๐ - a reporting correlation focused release.
This version is all about turning scan output into something you can actually share, triage, and act on.
pentestkit.co.uk/release_notโฆ
12
Jan 23
Reposting this write-up - if you try the add-on, break it (politely) and tell me what youโd like to see next. Bugs, issues, and reviews genuinely help.
cybersecuritynews.com/zap-owโฆ
3
10
718
Jan 20
๐ญ๐๐ฃ ๐ข๐ช๐๐ฆ๐ฃ ๐ฃ๐ง๐ as a browser-based AppSec tool is a pretty powerful combo.
Iโm really excited to share a major milestone for OWASP PTK: the ๐ข๐ช๐๐ฆ๐ฃ ๐ฃ๐ง๐ ๐ฎ๐ฑ๐ฑ-๐ผ๐ป ๐ณ๐ผ๐ฟ ๐ญ๐๐ฃ is now released.
zaproxy.org/blog/2026-01-19-โฆ
3
5
496
Jan 19
PWASP PTK 9.5.0 has been released:
JWT attacks improved: fixed false positives for alg=none checks and better handling of public/unauthenticated endpoints.
SPA attacks support: improved attack flow for modern single-page applications.
UI performance and bug fixes.
34
26 May 2025
OWASP PTK v.9.1.0/1 has just been released with a full house appsec tools:
- DAST (Dynamic Application Security Testing)
- IAST (Interactive Application Security Testing)
- SAST (Static Application Security Testing)
- SCA (Software Composition Analysis)
38
14 May 2025
Meet first in class in-browser IAST agent for JavaScript!
In OWASP PTK v9, weโve introduced an integrated IAST capability to help surface client-side issues immediately:
*Taint-Flow Visibility
*Contextual Findings
*Zero-Configuration Deployment
28