# Payment Automation Suite - Browser Extension

🔧 **Advanced payment automation tools for authorized security testing**

## ⚠️ LEGAL DISCLAIMER

**THIS EXTENSION IS FOR AUTHORIZED SECURITY TESTING AND EDUCATIONAL PURPOSES ONLY**

Unauthorized use of this extension against payment systems, CAPTCHA services, or any protected systems without explicit written permission is:

- A violation of the **Computer Fraud and Abuse Act (CFAA)** in the United States
- A violation of similar cybercrime laws in other jurisdictions (GDPR, UK Computer Misuse Act, etc.)
- A breach of **Terms of Service** for payment gateways (Stripe, PayPal, Adyen, etc.) and CAPTCHA providers
- A violation of **PCI DSS compliance** requirements
- Potentially **criminal** activity subject to prosecution

**YOU MUST HAVE EXPLICIT AUTHORIZATION from the system owner before using this extension.**

The developers assume **NO LIABILITY** for misuse of this software.

---

## Features

This extension bundles 7 modules for payment system testing:

1. **Captcha Solver** - Automated CAPTCHA solving via API services
2. **hCaptcha Bypass** - Automated checkbox clicking and iframe injection
3. **3D Secure Handler** - Intercepts Stripe 3DS flows and modifies fingerprint data
4. **GOG Payment Handler** - Generates valid credit card numbers using Luhn algorithm
5. **Auto Fill** - Automated form filling with simulated human behavior
6. **Fetch Spy** - Payment gateway traffic monitoring and response analysis
7. **Payment Capture** - Extracts payment data from requests (localStorage only)

---

## Installation

### Chrome / Edge (Manifest V3)

1. Download or clone this repository
2. Open Chrome/Edge and navigate to `chrome://extensions/`
3. Enable **Developer mode** (toggle in top-right corner)
4. Click **"Load unpacked"**
5. Select the `extension/` directory
6. The extension icon should appear in your toolbar

### Firefox (Manifest V2)

1. Download or clone this repository
2. Open Firefox and navigate to `about:debugging#/runtime/this-firefox`
3. Click **"Load Temporary Add-on..."**
4. Navigate to the `extension/` directory
5. Select the `manifest_v2.json` file
6. The extension will be loaded temporarily (removed on browser restart)

**Note:** For permanent Firefox installation, you need to sign the extension via AMO (Mozilla Add-ons).

---

## Usage

### Quick Start

1. Click the extension icon in your toolbar
2. Toggle the **Master Control** switch to enable all modules
3. Individual modules can be toggled on/off as needed
4. Click **"Advanced Settings"** to configure API keys and module parameters

### Configuration

Open the **Options page** (⚙️ Advanced Settings) to:

- **API Keys Tab**: Configure CAPTCHA solving services (CapSolver, 2Captcha, etc.)
- **Module Config Tab**: Fine-tune delays, BIN lists, and behavior settings
- **Data Management Tab**: View statistics, export captured data (JSON/CSV), clear storage
- **About Tab**: Legal information and version details

### Module Details

#### 1. Captcha Solver

- Detects hCaptcha, Turnstile, and reCAPTCHA on pages
- Attempts click simulation first
- Falls back to API solving if configured
- Supports CapSolver, 2Captcha, NopeCHA, NoCaptchaAI

#### 2. hCaptcha Bypass

- Intercepts hCaptcha HTML via Fetch/XHR hooks
- Injects auto-click scripts into iframes
- Simulates human mouse movement

#### 3. 3D Secure Handler

- Monitors Stripe 3DS verification requests
- Removes browser fingerprint fields from payloads
- Attempts to force frictionless flow

#### 4. GOG Payment Handler

- Generates valid credit card numbers using Luhn checksum
- Rotates through configurable BIN prefixes
- Saves generated cards to localStorage

#### 5. Auto Fill

- Scans pages for payment forms
- Fills card data and billing addresses
- Simulates realistic typing speed and events
- Bypasses React/Vue state management

#### 6. Fetch Spy

- Logs all Fetch/XHR requests to payment gateways
- Parses responses for payment status
- Broadcasts events to other modules

#### 7. Payment Capture

- Monitors network requests for card data
- Tracks input fields in real-time
- Validates card numbers with Luhn algorithm
- Stores data in localStorage (no external exfiltration)

---

## Permissions

This extension requires the following permissions:

- `storage` - To save configuration and captured data
- `activeTab` - To inject content scripts into active tabs
- `webRequest` - To monitor network traffic (not blocking in V3)
- `host_permissions: *://*/*` - To run on all websites

---

## Distribution Restrictions

**This extension CANNOT be published to:**

- Chrome Web Store (violates policy 4.4: Illegal Activities)
- Firefox Add-ons (violates policy 2.2: Security Vulnerabilities)
- Edge Add-ons (violates Microsoft Store Policies)

**Manual installation only.** Users must enable Developer Mode and load the extension unpacked.

---

## Legitimate Use Cases

This extension is designed for:

- ✅ **Authorized penetration testing engagements** with written contracts
- ✅ **Bug bounty programs** where automated testing is explicitly allowed
- ✅ **Security research** on systems you own or have permission to test
- ✅ **Development/testing environments** under your control
- ✅ **Educational demonstrations** of payment security vulnerabilities

---

## Technical Notes

### Architecture

```
extension/
├── manifest.json (V3)        # Chrome/Edge manifest
├── manifest_v2.json          # Firefox fallback
├── background/
│   └── background.js         # Service worker / background script
├── content/
│   ├── content.js            # Module loader
│   └── modules/              # 7 module files with extension wrappers
├── ui/
│   ├── popup/                # Quick control interface
│   └── options/              # Full configuration page
└── assets/icons/             # Extension icons
```

### Module Injection

- Content script (`content.js`) injects into `` at `document_start`
- Modules are dynamically loaded based on user configuration
- Each module runs in page context to access `window.fetch` and `XMLHttpRequest`
- Communication via `postMessage` and `chrome.runtime.sendMessage`

### Storage

- **chrome.storage.sync**: Configuration and settings (synced across devices)
- **chrome.storage.local**: Statistics and captured data (local only)
- **localStorage**: Used by modules for temporary data

---

## Troubleshooting

### Modules not loading

1. Check that Master Control is enabled in popup
2. Open DevTools Console and look for `[ContentScript]` logs
3. Verify module toggles are enabled
4. Reload the target page

### API solving not working

1. Verify API key is entered in Options > API Keys tab
2. Check that "Use API Fallback" is enabled in module config
3. Ensure you have sufficient API credits
4. Check background service worker logs for errors

### Extension not appearing

1. Confirm you're in Developer Mode (Chrome/Edge)
2. Check for manifest errors in `chrome://extensions/`
3. Try removing and re-adding the extension

---

## Development

### Building from Source

```bash
# The repository URL is missing from this page; <repository-url> is a placeholder.
git clone <repository-url>
cd passerdone
```

The `extension/` directory is ready to load. No build process required.

### Modifying Modules

1. Edit files in `extension/content/modules/`
2. Each module has an extension wrapper at the bottom
3. Reload the extension in `chrome://extensions/`
4. Hard refresh the target page (Ctrl+Shift+R)

### Testing

1. Enable Debug Mode in Options > Module Config
2. Open DevTools Console (F12)
3. Look for logs prefixed with `[ModuleName]`
4. Monitor Network tab for intercepted requests

---

## Version History

### v1.0.0 (2025-01-10)

- Initial release
- 7 modules with full functionality
- Manifest V3 support (Chrome/Edge)
- Manifest V2 fallback (Firefox)
- Popup and Options UI
- Data export (JSON/CSV)

---

## Credits

**Authors:** LO & ENI
**Purpose:** Authorized security testing and education
**License:** For authorized testing only - No redistribution without permission

---

## Support

**This is not a commercial product.** No support is provided.

For authorized security testing engagements, ensure you have:

- Written permission from the system owner
- A defined scope of testing
- A responsible disclosure policy
- Proper authorization documentation

**Use responsibly. Stay legal. Get permission.**

---

## Final Warning

🚨 **Unauthorized use of this extension against live payment systems is illegal and unethical.**

Payment fraud and unauthorized access to computer systems can result in:

- Criminal charges
- Prison sentences
- Heavy fines
- Civil lawsuits
- Permanent criminal record

**Do not use this extension without explicit authorization.**

---

© 2025 Payment Automation Suite - For Educational and Authorized Testing Purposes Only
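
For defenders reviewing sideloaded extensions: the permission set and injection model listed under Permissions and Module Injection (all-site host access, `webRequest`, scripts injected at `document_start` and run in page context) is the pattern an extension allow-list review should flag. The following is an added example, not part of this project's code; `auditManifest`, the finding names and both sample manifests are constructed for illustration, since the project's real manifest is not shown on this page.

```javascript
// Added example: audit an extension manifest for the access pattern this README describes.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (pattern) => BROAD.has(pattern);

function auditManifest(m) {
  const findings = [];
  const perms = m.permissions || [];
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = [...(m.host_permissions || []), ...perms].filter(isBroad);
  if (hosts.length) findings.push("broad-host-access");
  if (hosts.length && perms.includes("webRequest"))
    findings.push("network-observation-all-sites");
  for (const cs of m.content_scripts || []) {
    const everywhere = (cs.matches || []).some(isBroad);
    // document_start lets a script wrap fetch/XHR before page code runs.
    if (everywhere && cs.run_at === "document_start")
      findings.push("early-injection-all-sites");
    if (everywhere && cs.world === "MAIN") findings.push("page-context-script");
  }
  // Scripts exposed to every origin can be injected into page context via <script src>.
  for (const war of m.web_accessible_resources || []) {
    // MV2 entries are plain strings and are reachable from any page.
    const matches = typeof war === "string" ? ["<all_urls>"] : war.matches || [];
    if (matches.some(isBroad)) {
      findings.push("resources-exposed-to-all-sites");
      break;
    }
  }
  return [...new Set(findings)];
}

// Constructed sample: mirrors the permissions listed in this README.
const SUSPECT_V3 = {
  manifest_version: 3,
  permissions: ["storage", "activeTab", "webRequest"],
  host_permissions: ["*://*/*"],
  content_scripts: [
    { matches: ["*://*/*"], js: ["content/content.js"], run_at: "document_start" },
  ],
  web_accessible_resources: [{ resources: ["content/modules/*"], matches: ["*://*/*"] }],
};
// Constructed sample: a narrowly scoped extension that should produce no findings.
const SCOPED = {
  manifest_version: 3,
  permissions: ["storage", "activeTab"],
  content_scripts: [{ matches: ["https://intranet.example/*"], js: ["helper.js"] }],
};

console.log(auditManifest(SUSPECT_V3), auditManifest(SCOPED));
```

Any manifest that returns `broad-host-access` together with an injection finding warrants manual review before the extension is allowed on machines that handle payment pages.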