Bookmarklets are little bits of JavaScript saved as browser bookmarks that you can run on any webpage. They used to be pretty popular for quick tricks and shortcuts, but these days they’ve been overshadowed by browser extensions and fancy developer tools. Even so, bookmarklets are still super handy for quick and easy client-side penetration testing or just poking around a webpage without needing any extra tools.
How it works is pretty simple: you store a JavaScript snippet inside a bookmark, navigate to the webpage you want to test, and then click the bookmark. The browser runs the provided JavaScript code directly on the page, letting you interact with or analyze the content dynamically. Whether it’s extracting hidden fields, scanning for mixed content, or testing for vulnerabilities, the script runs in the context of the page, giving you immediate results.
First example: insecure HTTP urls
Here’s an example script that scans the page and prints all the insecure HTTP URLs to the console:
javascript:(function(){
let mixedContent = [...document.querySelectorAll('[src],[href]')]
.map(el => el.getAttribute('src') || el.getAttribute('href'))
.filter(url => url && url.startsWith('http://'));
console.log('Mixed Content Detected:', mixedContent);
alert(`Found ${mixedContent.length} insecure resources. Check the console for details.`);
})();
As mentioned earlier, you can save this as a bookmark and run it on any page you’d like to test (just remember, always ensure you have permission and avoid causing any harm):

Which produces the following result when executed on the main page of this website:

And in the Console we see the full list of problematic URLs:
Mixed Content Detected:
(8) ['http://gmpg.org/xfn/11', 'http://nielsen.com', 'http://www.math.leidenuniv.nl/~desmit/', 'http://www.math.u-bordeaux1.fr/~kbelabas/', 'http://www.math.u-bordeaux1.fr/imb/spip.php', 'http://math.hse.ru/en/', 'http://gaati.org/zykin/', 'http://algant.eu']
0: "http://gmpg.org/xfn/11"
1: "http://nielsen.com"
2: "http://www.math.leidenuniv.nl/~desmit/"
3: "http://www.math.u-bordeaux1.fr/~kbelabas/"
4: "http://www.math.u-bordeaux1.fr/imb/spip.php"
5: "http://math.hse.ru/en/"
6: "http://gaati.org/zykin/"
7: "http://algant.eu"
length:
8
And indeed, all these links from the main page don’t have HTTPS explicitly set, which could leave them vulnerable to interception or tampering. This is especially risky if the page is served over HTTPS, as it creates mixed content issues, potentially undermining the security of the entire webpage.
Naturally, there’s no need to limit yourself to just HTTP — you can also check for FTP and other non-secure protocols like WS.
A Small Improvement: Displaying Results Directly on the Webpage
Of course, we can execute more JavaScript code and make scripts a bit nicer. Instead of printing information to the console and heading over to the DevTools, let’s make it more convenient and display the results directly on the webpage itself. This way, we don’t need to switch contexts, and everything is visible right there on the page:
javascript:(function(){let resultsDiv=document.createElement("div");resultsDiv.style.position="fixed";resultsDiv.style.bottom="0";resultsDiv.style.left="0";resultsDiv.style.width="100%";resultsDiv.style.maxHeight="50%";resultsDiv.style.overflowY="auto";resultsDiv.style.backgroundColor="white";resultsDiv.style.color="black";resultsDiv.style.padding="10px";resultsDiv.style.zIndex="9999";resultsDiv.style.borderTop="2px solid black";resultsDiv.innerHTML="<h4>Scanning for Mixed Content...</h4>";document.body.appendChild(resultsDiv);let mixedContent=[...document.querySelectorAll("[src],[href]")].map(el=>el.getAttribute("src")||el.getAttribute("href")).filter(url=>url&&url.startsWith("http://"));if(mixedContent.length>0){resultsDiv.innerHTML=`<h4>Mixed Content Detected (${mixedContent.length} items):</h4><ul>${mixedContent.map(url=>`<li>${url}</li>`).join("")}</ul>`;}else{resultsDiv.innerHTML="<h4>No Mixed Content Detected!</h4>";}})();
And this how it looks like in the browser:

You can now see how handy this technique is.
More Examples: HttpOnly and Secure Cookie Flags
Now you can add quite a bit of variation to the scripts, which are mostly bounded by your creativity (and JavaScript knowledge), for instance we could check: HTTP Security Headers, simple XSS, path scanning, Cookies flags, stored environment secrets on the client side and etc.
Let’s check if cookies have Secure
and HttpOnly
flags set. These flags are crucial for protecting them from being accessed by JavaScript or transmitted over an insecure HTTP connection so we can identify whether any cookies are vulnerable to being intercepted or tampered with, helping to ensure better security for the website:
javascript:(function(){let resultsDiv=document.createElement("div");resultsDiv.style.position="fixed";resultsDiv.style.bottom="0";resultsDiv.style.left="0";resultsDiv.style.width="100%";resultsDiv.style.maxHeight="50%";resultsDiv.style.overflowY="auto";resultsDiv.style.backgroundColor="white";resultsDiv.style.color="black";resultsDiv.style.padding="10px";resultsDiv.style.zIndex="9999";resultsDiv.style.borderTop="2px solid black";resultsDiv.innerHTML="<h4>Checking Cookie Security...</h4>";document.body.appendChild(resultsDiv);let insecureCookies=[];document.cookie.split(';').forEach(cookie=>{let cookieParts=cookie.split('=');let cookieName=cookieParts[0].trim();let cookieValue=cookieParts[1]?cookieParts[1].trim():' ';if(cookieName&&!cookieValue.includes("Secure")&&!cookieValue.includes("HttpOnly")){insecureCookies.push(cookieName);}});if(insecureCookies.length>0){resultsDiv.innerHTML=`<h4>Insecure Cookies Detected (${insecureCookies.length}):</h4><ul>${insecureCookies.map(cookie=>`<li>${cookie}</li>`).join('')}</ul>`;}else{resultsDiv.innerHTML="<h4>All Cookies Are Secure!</h4>";}})();
And remarkably the output on google.com is:

Which we can easily verify in the web-tools.
Final Thoughts
Bookmarklets might feel like an old-school technology, but they’re still surprisingly useful for quick, lightweight tasks. While modern dev tools and browser extensions have taken over many jobs, bookmarklets remain handy for day-to-day work—especially when you need to run a quick script for security checks, testing, or automating repetitive tasks. Simple, portable, and fast, they prove that sometimes, the simplest tools are still the best.