Browser capture
"Browser capture" is the flagship workflow for the .NET Windows agent and the optional browser mode in the Linux agent. You drive the browser as a human; the platform actively tests every page you visit.
Why it exists
Traditional crawlers guess your app's attack surface: they fire JS, click buttons, and hope for the best. In reality, most modern apps have hidden routes that only appear after specific user flows: multi-step onboarding, feature-flagged pages, role-dependent dashboards, billing jumps. A human fires those flows in 30 seconds; a crawler spends an hour and still misses half.
Browser capture flips the script. You navigate the app like a user; Pentestas records everything and fires probes server-side. Coverage matches your intuition about which parts matter.
Capture architecture
.NET agent (WebView2 + CDP)
No proxy involved. The app embeds WebView2 (Chromium) and subscribes to the Chrome DevTools Protocol Network domain directly:
- Network.requestWillBeSent: we stash the request.
- Network.responseReceived: we stash headers + status.
- Network.loadingFinished: we call Network.getResponseBody for the body, then build a browser_request frame.
Advantages:
- Zero certificate trust dance: no CA cert to install in a profile, no MITM.
- Full headers + request/response bodies, including AJAX and WebSocket upgrades.
- Works on strict CSP + HSTS sites.
- No risk of breaking a site's HTTPS: we're inside the browser process, not between it and the server.
Linux / Python agent (mitmproxy)
The Python agent can optionally start an in-process mitmproxy and launch the user's installed Chrome / Edge / Firefox with a temp profile that trusts a Pentestas-generated CA. This is the "ZAP-style" path. It works cross-browser but requires the profile-and-cert dance.
See Linux agent for install.
Scope filtering
Every captured request is compared against the session scope. In the .NET agent, the scope is the registrable domain of whatever page you're currently on (e.g. navigating to https://app.acme.com/admin sets scope to acme.com). Subdomains of that domain are captured; third-party stuff (Google Analytics, Cloudflare Turnstile, unrelated CDNs) is dropped before it leaves the machine.
This:
- Keeps the platform free of noise.
- Removes legal concerns about capturing third-party content.
- Reduces network traffic.
You can override scope in the agent settings.
Request frame shape
{
  "type": "browser_request",
  "session_id": "d41d8cd98f00b204e9800998ecf8427e",
  "scan_id": "<uuid>",
  "request": {
    "method": "POST",
    "url": "https://app.acme.com/api/users/42",
    "host": "app.acme.com",
    "headers": [["Authorization", "Bearer eyJ..."], …],
    "body_b64": "base64-encoded-body",
    "body_size": 142,
    "status_code": 200,
    "response_headers": [["Content-Type", "application/json"], …],
    "response_body_b64": "base64-encoded-response",
    "response_body_size": 812,
    "timestamp": 1713562934.221
  }
}
Bodies are capped at 256 KB per direction. Larger bodies are truncated (you can see the original body_size). The platform stores the captured requests and fires active probes against them.
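To make the scope rule and the frame shape above concrete, here is an added example (not the agent's own code) that derives the scope from the current page's registrable domain, drops out-of-scope hosts, and assembles a browser_request frame with the 256 KB per-direction cap while preserving the original body_size. The multi-label suffix set is a constructed stand-in for the public suffix list, and the function and parameter names are assumptions.

```python
import base64
import time
from urllib.parse import urlsplit

BODY_CAP = 256 * 1024  # per-direction cap stated on this page

# Constructed stand-in for the public suffix list (assumption); a real agent
# should consult the full list so shop.example.co.uk scopes to example.co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "github.io"}

def registrable_domain(host):
    """eTLD+1 of a host: app.acme.com -> acme.com, a.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def in_scope(host, scope):
    """Scope domain itself or a subdomain; the '.' keeps notacme.com out of acme.com."""
    host = host.lower()
    return host == scope or host.endswith("." + scope)

def cap_body(raw):
    """Base64 of at most BODY_CAP bytes, plus the ORIGINAL length so truncation is visible."""
    return base64.b64encode(raw[:BODY_CAP]).decode("ascii"), len(raw)

def build_frame(session_id, scan_id, scope, method, url, headers,
                body, status, resp_headers, resp_body):
    """Assemble a browser_request frame; None for out-of-scope hosts so
    third-party traffic is dropped before it leaves the machine."""
    host = urlsplit(url).hostname or ""
    if not in_scope(host, scope):
        return None
    body_b64, body_size = cap_body(body)
    resp_b64, resp_size = cap_body(resp_body)
    return {
        "type": "browser_request",
        "session_id": session_id,
        "scan_id": scan_id,
        "request": {
            "method": method, "url": url, "host": host,
            "headers": [[k, v] for k, v in headers.items()],
            "body_b64": body_b64, "body_size": body_size,
            "status_code": status,
            "response_headers": [[k, v] for k, v in resp_headers.items()],
            "response_body_b64": resp_b64, "response_body_size": resp_size,
            "timestamp": time.time(),
        },
    }
```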
Active testing from captures
The platform queues the following probes per captured endpoint:
- SQLi / NoSQL injection against every parameter.
- IDOR / BFLA by mutating {id}-shaped path segments.
- JWT weakness probes if an Authorization: Bearer header is present.
- Missing auth check: re-request without the Authorization header, compare responses.
- CSRF probes on state-changing verbs.
Findings stream back to the agent UI via finding_notify frames. You see them appear in the sidebar as you continue browsing.
Authentication pass-through
Because capture happens inside the browser, authenticated traffic works automatically: your session cookies, OAuth tokens, CSRF tokens all flow through. The platform reuses them when firing active probes, so tests land on logged-in endpoints rather than the public marketing site.
Privacy considerations
- Anything you type into password fields is captured in the initial login request. The platform doesn't re-send these; sensitive fields in the DB are encrypted at rest with your tenant's Fernet key.
- Credit card fields on payment pages: best practice is to use PCI-scoped test cards during capture sessions, not real cards.
- PII in captured bodies: Enterprise plans support per-tenant redaction rules that scrub known PII fields before persisting.
See also
- .NET Windows agent: the flagship implementation
- Agents overview: capability matrix