I’ve had the idea for some time. Since I started working as a pentester last year, there have been numerous occasions where I’ve wanted to quickly check how browsers react to different responses, for example when testing a CSP bypass, Set-Cookie behaviour, or the Content-Disposition header (since it often includes user input - a filename).
Yes, you can get similar results with Burp or a custom script, but that is more hassle and doesn’t cover all the use cases (publicly accessible, linkable open redirector, …).
The last drop(s) in the bucket were:
1) seeing a WebKit patch about Content-Type sniffing (XSS with SVG & text/plain) and wanting to test out a potential bypass on my phone
2) seeing a tool online that allowed you to test out your responses (I wondered what happened if the HTTP standards were violated or if I inserted null bytes or something like that)