JSONPeek Firefox

JSONPeek

Passively identify JSONP endpoints as you browse with the ability to send suspected endpoints to an exploit server for validation.

Features & Capabilities

Code

This addon is free and open-source software (FOSS); all code can be found here: https://github.com/ACK-J/JSONPeek/

Please report your bugs or feature requests in a GitHub issue instead of in a review.

Test if it works! https://www.w3schools.com/js/tryit.asp?filename=tryjson_jsonp_callback

This addon passively listens for network requests that include GET parameters commonly used by JSONP endpoints. The extension popup shows any of these detected requests. Clicking on a request in the popup opens the JSONP endpoint in a new tab for you to play around with. Additionally, there is an "exploit" button that sends the suspected JSONP URL to my webserver to check if it is exploitable. The source code for the webserver can be found HERE. Multiple proofs of concept are attempted, with a check mark indicating success and an X indicating failure.

Why do I want to find JSONP endpoints?

The most common way to bypass a content security policy (CSP) is by finding a JSONP endpoint on a trusted domain within the CSP. JSONP takes advantage of the fact that the same-origin policy does not prevent execution of external <script> tags. Usually, a <script src="some/js/file.js"> tag represents a static script file. But you can just as well create a dynamic API endpoint, say /userdata, and have it accept a query parameter (such as ?callback=CALLBACK) which dynamically specifies a JavaScript function.

When would I need a CSP Bypass?

A Content Security Policy (CSP) bypass may be necessary in specific scenarios, typically related to web security testing or development. CSP is a security feature that helps prevent a range of attacks like Cross-Site Scripting (XSS), data injection attacks, and clickjacking by controlling which resources the browser is allowed to load and execute.

Donations

  • Monero Address: 89jYJvX3CaFNv1T6mhg69wK5dMQJSF3aG2AYRNU1ZSo6WbccGtJN7TNMAf39vrmKNR6zXUKxJVABggR4a8cZDGST11Q4yS8

User Growth & Download Statistics

Manifest V2 Add-on
By: Hacks and Hops
Daily users: 22 -1
Version: 1.3
Last updated: 2025-07-28
Version code: 6000121
Creation date: 2024-12-18
Risk: High risk impact, Moderate risk likelihood
Size: 78.46KB
URLs: Website
Source: Firefox Add-ons Store
Data ingested on: 2026-06-17

Contact the developer

Chrome-Stats does not own this Firefox add-on. Please use the information below to contact the Firefox add-on developer.
Developed by: Hacks and Hops
Firefox Add-ons Store: https://addons.mozilla.org/firefox/addon/jsonpeek/
Website: https://github.com/ACK-J/JSONPeek

Permission Change History

2025-03-27: Version 1.1 → 1.2
Add Permissions: <all_urls>

Is JSONPeek Safe?

Risk impact
Risk impact measures the level of extra permissions an extension has access to. A low risk impact extension cannot do much harm, whereas a high risk impact extension can do a lot of damage, such as stealing your password, bypassing your security settings, and accessing your personal data. High risk impact extensions are not necessarily malicious. However, if they do turn malicious, they can be very harmful.

JSONPeek requires some sensitive permissions that could impact your browser and data security. Exercise caution before installing.

Risk impact analysis details
  • Critical Grants access to browser tabs, which can be used to track user browsing habits and history, presenting a privacy concern.
Risk likelihood
Risk likelihood measures the probability that a Firefox add-on may turn malicious. This is determined by the publisher's and the add-on's reputation on the Firefox Add-ons Store, the amount of time the add-on has been around, and other signals about the add-on. Our algorithms are not perfect, and are subject to change as we discover new ways to detect malicious extensions. We recommend that you always exercise caution when installing a Firefox add-on.

JSONPeek is probably trustworthy. Prefer other publishers if available. Exercise caution when installing this add-on.

Risk likelihood analysis details
  • High This extension has low user count. Unpopular extensions may not be stable or safe.

Best JSONPeek Alternatives

Here are some Firefox add-ons that are similar to JSONPeek: