As a bug bounty hunter and occasional CTF player, I often need to simulate HTTP requests quickly, safely, and without exposing data to third-party servers. Most people use tools like Postman, Insomnia, or curl. They’re great — but sometimes they’re overkill, or just not usable in highly restricted environments.

The Problem

As a security researcher and bug bounty hunter, I often needed a single, lightweight tool that would allow me to simulate raw HTTP requests directly in the browser — with no backend, no logs, and no internet connection. I wanted something that works 100% offline, requires zero dependencies, and gives me full control over crafting requests.

Manually copying and pasting curl commands or switching between multiple tools just to test a webhook or endpoint felt inefficient and tedious. More importantly, I needed to be able to:

- Modify request headers freely without limitations.
- Switch between methods (GET, POST, etc.) instantly.
- Quickly decode or encode payloads on the fly.

So I decided to build something that includes everything I personally needed, all in one interface.

Built-In Tools That Help in Real-World Pentesting

To streamline security testing, I added a dedicated Tools section that includes:

Encoding and Decoding Tools

Quick, browser-native conversions for common data formats:

✅ Base64 encode/decode
✅ URL encode/decode
✅ HTML entity encode/decode
✅ JWT decoder with structured output

Payload Generator

A curated set of ready-to-use payloads to test various security flaws within seconds:

- XSS (Cross-Site Scripting)
- SQL Injection
- Command Injection
- LFI (Local File Inclusion)
- SSRF (Server-Side Request Forgery)
- RCE (Remote Code Execution)
- SSTI (Server-Side Template Injection)
- XXE (XML External Entity)
- CRLF Injection
- JSON Injection
- Host Header Injection
- Windows-specific LFI payloads

These payloads are immediately accessible and can be dropped into your request body or parameters, saving time during recon and testing.

The Solution: CyberPost

To solve these limitations, I created CyberPost — a lightweight, browser-based HTTP testing tool designed specifically for security researchers, bug bounty hunters, and developers who need full control in isolated environments.

Here’s what makes CyberPost stand out:

🌐 No backend required: All operations happen locally in your browser. No data is sent externally. No telemetry. No tracking.
📴 Works fully offline: You can simply open the HTML file — even in an air-gapped or restricted environment — and send raw HTTP requests to local services or targets.
🧰 Fully customizable: Modify request method, headers, and body as needed. Add tokens, tweak content types, simulate custom clients — it’s all in your hands.
🧪 Made for security testing: Whether you’re testing webhooks, fuzzing an API endpoint, or mimicking mobile app behavior, CyberPost gives you the flexibility and privacy to do it fast and locally.
🧠 Built-in Tools section: Encode/decode Base64, URL strings, JWTs, HTML entities — right in the same interface.
💣 One-click payload injection: Access a curated list of preloaded security payloads (XSS, SQLi, RCE, SSRF, etc.) for instant vulnerability testing.

CyberPost was built out of necessity — now it’s open source and ready for the community.
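
The JWT decoder with structured output listed among the encoding tools can be built from browser-native primitives alone, so a token never has to be pasted into a third-party site. The sketch below is an added example, not CyberPost's own code; the function names, warning strings and sample token are assumptions constructed for illustration.

```javascript
// Added example: offline JWT decoding with structured output.
// Decoding is not verification: the signature is never checked here.
const toBytes = (s) => new TextEncoder().encode(s);

// base64url <-> bytes with browser-native primitives (also global in Node 16+).
function b64urlEncode(bytes) {
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Returns the parsed header and payload plus warnings a reviewer should see.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const parse = (seg) => JSON.parse(utf8.decode(b64urlDecode(seg)));
  const header = parse(parts[0]);
  const payload = parse(parts[1]);
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none");
  if (parts[2] === "") warnings.push("empty signature segment");
  if (typeof payload.exp !== "number") warnings.push("no exp claim");
  else if (payload.exp <= nowSeconds) warnings.push("token expired");
  const signatureBytes = b64urlDecode(parts[2]).length;
  return { header, payload, signatureBytes, verified: false, warnings };
}

// Constructed sample token (not a real credential); signature bytes are filler.
function sampleToken() {
  const seg = (obj) => b64urlEncode(toBytes(JSON.stringify(obj)));
  const header = seg({ alg: "HS256", typ: "JWT" });
  const payload = seg({ sub: "tester", exp: 1700000000 });
  return [header, payload, b64urlEncode(new Uint8Array(32))].join(".");
}

console.log(JSON.stringify(decodeJwt(sampleToken(), 1800000000), null, 2));
```

The `verified: false` field is deliberate: claims shown by a decoder are untrusted until the signature has been checked against the issuer's key.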

Final Thoughts

CyberPost was born out of necessity — not as a replacement for full-featured tools like Postman, but as a focused alternative for environments where simplicity, privacy, and full offline control are essential.

If you often work in isolated labs, air-gapped systems, or just need a lightweight utility that gets out of your way and lets you test raw HTTP requests fast, I invite you to give CyberPost a try.

It’s open source, self-contained, and built with the needs of real-world security researchers in mind.

🔗 GitHub: https://github.com/lfillaz/CyberPost
🔗 CyberPost available on Firefox Add-ons Store! https://addons.mozilla.org/en-US/firefox/addon/cyberpost-lab/
🔗 CyberPost available on the Chrome Web Store! https://chromewebstore.google.com/detail/cyberpost-lab/kdogkalclfcnhknehcpghfkjjlcfnhle