All-in-One Web Scanner [BETA]

Combines scanners, persists state, stays on top, reliably appears in SPAs, with enhanced stream detection.

Author
DXRK1E
Daily installs
0
Total installs
9
Ratings
0 0 0
Version
1.7.1
Created
2025-04-13
Updated
2025-04-13
Size
76.4 KB
License
MIT
Applies to
All sites

All-in-One Web Scanner [BETA] - What's the Deal?

TL;DR: What is it?

Think of this script as a handy little multi-tool for peeking under the hood of websites you visit. It automatically scans the page (and keeps scanning as things change) to find specific types of links and resources, like video streams, images, or network requests, and displays them all in one convenient, stay-on-top panel.

It's designed to be persistent (remembers if you had it open), work well on modern single-page apps (SPAs), and give you quick access to stuff that might otherwise require digging through DevTools.

What does it actually DO?

It sets up shop on the webpage and starts looking for a few key things:

  1. Stream Files: Hunts for links ending in .m3u8, .mp4, .vtt, .srt, .mpd, or URLs that look like streaming manifests or segments (using patterns like /hls/, /dash/, playlist, etc.). It checks common places like <video>, <source>, <a> tags, and even searches inside inline <script> blocks.
  2. Iframe Sources: Lists all the <iframe> (and similar like <embed>, <object>) elements on the page and their source URLs. Handy for seeing what's embedded.
  3. Network Requests: This is like a mini "Network" tab from your browser's DevTools. It logs outgoing fetch and XMLHttpRequest calls made by the page, showing the URL, method (GET/POST), status code, duration, and sometimes the request payload (if it can grab it).
  4. Image Sources: Finds all <img> tags and even CSS background images, listing their URLs. It includes neat features like copy/view/download buttons and an image preview on hover.

How does it work (Under the Hood)?

It's pure JavaScript running directly in your browser on the page you're visiting. Here's the gist:

  1. Injects UI: Creates a toggle button ('🔍') and a popup panel using standard HTML and CSS, injecting them directly into the page's DOM. It uses high z-index values to try and stay on top of other elements.
  2. DOM Scanning: When you open the panel (or it loads open), it actively scans the current HTML (document) for relevant tags (video, img, iframe, script, etc.) and attributes (src, href, data-src, style).
  3. Regex Magic: It uses Regular Expressions (_RGX_STRM) to search the text content of inline <script> tags for patterns matching potential stream URLs.
  4. Network Interception: It wraps (or "patches") the browser's built-in window.fetch and XMLHttpRequest.prototype.send/open functions. This means before the page makes a network request using these methods, the script gets a look-in, and after the request finishes, it logs the result.
  5. MutationObserver: It sets up a MutationObserver to watch for changes to the webpage after it initially loads. If new elements are added or attributes change (like a video player loading dynamically), it triggers a rescan to find new stuff. This is key for SPAs.
  6. Attribute Monitoring: It also wraps Element.prototype.setAttribute to catch changes made via JavaScript that might reveal new source URLs.
  7. State Persistence: It uses sessionStorage (which clears when you close the tab/browser) to remember whether you left the panel open or closed, so it reappears that way if you navigate within the same site/tab.
  8. SPA Savvy: It listens for browser navigation events (popstate, hashchange) and even custom events triggered by its history patching, ensuring the UI stays put and rescans happen when you navigate within a single-page application.
  9. Blob Monitoring: It lightly wraps URL.createObjectURL to be aware when Blobs (often used for local media playback) are created, though it primarily relies on finding the src attribute where the Blob URL is used.

Why would I use this?

  • Find Hidden Streams: Easily grab .m3u8 or .mp4 links that websites might try to obscure, useful for external players or download tools.
  • Quick Debugging: Get a glance at network activity without needing the full DevTools open, helpful for spotting API calls or tracking down resources.
  • Grab Assets: Quickly copy image URLs, view them directly, or even download them.
  • See Embeds: Instantly list all iframe sources on a complex page.
  • Convenience: It combines several functions, stays visible, and works better than simple scanners on dynamic sites.

Is it Safe? 🛡️

This is important! Here's the breakdown:

  • Permissions (@grant none): This is a big plus! @grant none means the script runs in the standard web page sandbox. It cannot make cross-domain requests on its own, access browser tabs, read/write files directly, or use special Tampermonkey/Greasemonkey APIs. It has the same limitations as the JavaScript already running on the page.
  • Network Monitoring: This is the most "sensitive" part.
    • What it does: It logs URLs, methods, status codes, and potentially request payloads (data sent to the server, like form data) and response headers initiated by the page itself.
    • What it DOESN'T do: It does not send this logged data anywhere. It only displays it locally within the popup panel on your machine. It's like looking over the page's shoulder as it makes requests.
    • The Catch: If you are on a site where you are entering sensitive information (passwords, credit cards) that gets sent via fetch or XHR (common practice), the script could potentially log that data locally within its panel if it manages to capture the payload. The payload capture is limited (e.g., it tries to read text, might truncate long data) but it's something to be aware of.
  • DOM Access: It reads the page's HTML structure and content, which is standard for almost any JavaScript running on a page.
  • No External Communication: The script itself doesn't "phone home" or send your data anywhere.
  • Code Transparency: You have the source code! You (or someone you trust) can review it to see exactly what it's doing.

Verdict: For most uses (finding streams on media sites, grabbing images, general debugging), it's generally safe. The primary consideration is the network logging – be mindful if you're using it on highly sensitive pages where you input critical personal data. Think of it like a localized, simplified DevTools Network tab integrated into the page.

TL;DR Safety: It runs with standard page permissions (@grant none), doesn't send data out, but does locally log network requests made by the page, potentially including data you send in forms if sent via fetch/XHR. Use common sense on sensitive sites.

Quick Start / How to Use

  1. Install a UserScript manager extension (like Tampermonkey, Violentmonkey, Greasemonkey).
  2. Install this script.
  3. Visit a website (that isn't excluded, like YouTube).
  4. Look for the '🔍' button (usually top-right).
  5. Click the button or press Ctrl+Shift+A to toggle the panel.
  6. Browse the different sections (Streams, Iframes, Network, Images).
  7. Click on links/buttons to copy URLs, view images, download, etc.
  8. Use the filter inputs in the Network and Image sections to narrow down results.
  9. Click 'Refresh' to manually trigger a full rescan.
  10. Click 'Clear' to empty the lists.

Note: It's marked as BETA, so expect potential quirks or bugs! Enjoy scanning!