npgapjgfmmkkaefnbidihgheohllmjih
Capture, replay, and automate HTTP requests with real-time WebSocket, WebRTC monitoring and passive API leak detection.

API Sniffer is a powerful, lightweight developer tool designed to simplify API debugging, monitoring, and documentation. Whether you are reverse-engineering an app, writing documentation, or debugging network calls, API Sniffer completely eliminates the need to manually dig through the browser's Network tab.

🔌 WebSocket Monitoring:
• Real-time capture of all WebSocket connections and messages (sent & received).
• Split-panel UI with connection sidebar and live message stream.
• Pause/Resume listening to freeze capture without losing data.
• Export captured WebSocket data as JSON or CSV with one click.

📡 WebRTC Monitoring:
• Intercepts all RTCPeerConnection creation, ICE candidates, SDP offers/answers, data channels, and media tracks.
• Full event stream with color-coded badges for each event type.
• Export all WebRTC data as structured JSON.
• Shared Pause/Resume control with WebSocket monitoring.

🔐 Passive API Leak Detection (Secrets Scanner):
• Automatically scans all request URLs, request headers, response headers, and response bodies for leaked secrets.
• Detects 38+ secret types: AWS keys, Google API keys, Stripe keys, JWTs, Bearer tokens, GitHub/GitLab tokens, Slack/Discord/Telegram tokens, OpenAI keys, SendGrid keys, Firebase keys, Shopify tokens, private keys, and more.
• URL parameter scanning catches API keys leaked in query strings (?key=, ?api_key=, ?access_token=, ?token=, ?secret=).
• Context-Aware Filtering: Smart false-positive reduction that examines JSON key names — drops normal IDs (request_id, client_id, etc.) and only reports values assigned to security-sensitive keys (password, secret, token, auth, etc.).
• Click any detected leak to view full details with matched value and surrounding context.
• Export all findings as CSV for reporting.
• Advanced Dashboard: A full-page professional dashboard for in-depth API testing.
• API Repeater: Send, modify, and replay captured HTTP requests manually. View raw requests and preview responses instantly with multi-tab support.
• API Automator (Fuzzer): Automate API testing by injecting payloads into requests using the §target§ marker. Supports manual lists, .txt file uploads, numeric ranges, and incremental payloads.
• Target Scope Management: Define specific domains in your scope and easily filter the popup to "Show Scope Only," keeping your workspace clutter-free.
• 1-Click Integration: Instantly send any captured endpoint from the popup directly to the Repeater (RPT) or Automator (AUT) queues.
• CSV Export for Automator: Export all your automated run results (including status codes, lengths, and response times) directly to a CSV file.

🚀 Real-time Monitoring — Automatically captures fetch/XHR requests, WebSocket messages, and WebRTC connections silently as you browse.
🧹 Smart Filtering — Built-in filters ignore static assets (.png, .css, .mp4, etc.), while the Custom Blacklist lets you hide specific noisy domains. Target Scope lets you strictly focus on testing domains.
🔐 Leak Detection — Passively scans all network traffic for accidentally exposed API keys, tokens, passwords, and secrets with context-aware false-positive filtering.
📂 One-Click Export — Instantly copy all endpoints to your clipboard, or download them as a clean .txt, structured .json for Postman/Insomnia, or CSV for spreadsheets.
🎯 Precision Control — Easily start, stop, pause, or reset the recording process at any time. Remove single endpoints from the list without clearing everything.
🔌 Protocol Coverage — Monitors HTTP (XHR/Fetch), WebSocket, and WebRTC traffic from a single extension.
⚡ Lightweight & Secure — Runs 100% locally in your browser. No external servers, no tracking, and it won't slow down your browsing speed.

Perfect for Web Developers, Pentesters, Bug Bounty Hunters, and QA Engineers who need to analyze network traffic quickly and efficiently.
JSner - Endpoint Extractor
Advanced endpoint scanner with verification. Extract and test API endpoints, GraphQL queries, and more from any website.

JSner – Directory & Endpoint Finder for Bug Hunters

JSner is a lightweight browser extension built for bug bounty hunters and penetration testers. It automatically crawls JavaScript files and other resources on the target domain to uncover hidden directories, endpoints, APIs, and configuration paths — all from your browser.

🔍 Features
• Instantly extract endpoints and directories from loaded scripts and pages
• Supports JavaScript, JSON, HTML, and other static resources
• Auto-filters duplicates and noise for cleaner results
• One-click export of findings (TXT / JSON)
• 100% client-side — no data leaves your browser

⚡ Why JSner
Perfect for quick reconnaissance during web application testing. It helps identify forgotten or hidden API endpoints that may expose sensitive functionality or lead to deeper vulnerabilities.

🛠️ Usage
• Load your target site.
• Open JSner and click “Scan”.
• Review and export discovered endpoints instantly.

🤝 Contribute
Project repo: github.com/vegeta2op/JSner
Pull requests, feature ideas, and improvements are welcome!
LPR - Ultimate Recon & Bug Hunting Tool
LPR (Live Params & Redirects) is an all-in-one reconnaissance and vulnerability scanning assistant designed for Bug Bounty Hunters, Penetration Testers, and Web Developers. Instead of wasting time inspecting elements and grepping through minified JavaScript files, LPR automatically extracts and categorizes every potential injection point and hidden asset on the page.

🕵️‍♂️ Deep Parameter Extraction: Automatically scrapes parameters from HTML forms, DOM inputs, and JavaScript variables (var, let, const).
🔗 Advanced Asset Discovery: Digs into external .js files to find full URLs (S3 buckets, API endpoints) and hidden Routes (e.g., /api/v1/admin) that are invisible in the UI.
⚔️ XSS & Security Scanner: Proactively hunts for Dangerous Sinks (innerHTML, eval), React/Vue bypass patterns, and javascript: URIs to speed up your XSS discovery.
🆔 IDOR Hunting: Instantly lists all ID-related patterns (e.g., user_id, order_uuid, account_id) found in the source code with line numbers.
🔀 Redirect Analysis: Detects potential Open Redirect vulnerabilities by scanning for window.location, meta refresh, and navigation sinks.
💾 Accumulative Scanning: Data is saved as you browse. The extension prevents accidental tab closing to ensure you never lose your reconnaissance data during a session.

Why LPR?
Whether you are looking for hidden API endpoints, testing for IDORs, or hunting for DOM-based XSS, LPR gives you a bird's-eye view of the target's attack surface in seconds.
API Request Logger
Developer tool that logs all API calls made by websites. Shows method, headers, payload, and response in a clean dev-friendly UI.

Debug and monitor API requests easily with API Request Logger, the essential developer tool for tracking network calls, analyzing request/response data, and troubleshooting API integrations.

API Request Logger is a powerful Chrome extension designed for developers, frontend engineers, QA testers, and API developers who need to inspect, debug, and monitor HTTP requests made by websites. Whether you're debugging API integrations, analyzing network traffic, reverse-engineering API endpoints, or monitoring application behavior, this extension provides comprehensive request logging with a clean, developer-friendly interface.

API Request Logger automatically captures all fetch() and XMLHttpRequest calls made by websites you visit. No configuration needed - simply install the extension and start browsing. The extension intercepts requests in real-time, capturing every detail you need for debugging and analysis.

View comprehensive details for every API call:
• HTTP Methods: GET, POST, PUT, DELETE, PATCH, and more
• Request URLs: Full endpoint addresses with query parameters
• Request Headers: All headers including authentication tokens, content types, and custom headers
• Request Bodies: Complete payload data in JSON, form data, or raw format
• Response Status Codes: HTTP status codes (200, 404, 500, etc.)
• Response Headers: All response headers including CORS, caching, and content type
• Response Bodies: Full response data in readable format
• Response Times: Performance metrics showing how long each request took
• Error Information: Detailed error messages for failed requests

Experience a clean, intuitive Material Design 3 interface optimized for developers:
• Color-Coded Status Indicators: Instantly identify successful (green), redirect (yellow), client error (orange), and server error (red) responses
• Method Badges: Visual indicators for HTTP methods with distinct colors
• Dark Mode Support: Comfortable viewing in any lighting condition
• Responsive Layout: Optimized 800x600px popup window for maximum visibility
• Smooth Animations: Polished transitions and interactions for a professional feel

Quickly find the requests you need with advanced filtering capabilities:
• Search by URL: Find requests by endpoint, domain, or path
• Filter by Method: Show only GET, POST, PUT, DELETE, or other HTTP methods
• Filter by Status: Filter by response status codes (2xx success, 3xx redirect, 4xx client error, 5xx server error, or errors)
• Real-time Filtering: Filters apply instantly as you type
• Clear All: Remove all logged requests with one click

Watch API calls happen in real-time as you interact with websites:
• Automatic Updates: New requests appear automatically without manual refresh
• Live Statistics: See total requests, successful calls, errors, and more
• Request Counter: Track how many requests have been logged
• Performance Metrics: Monitor response times and identify slow endpoints

💾 Local Storage & Privacy
Your data stays on your device - always:
• 100% Local Storage: All logged requests stored locally using Chrome's secure storage API
• No External Transmission: Zero data sent to external servers or third parties
• No Cloud Sync: Everything remains on your device for maximum privacy
• Automatic Cleanup: Automatically manages storage by limiting to 1000 most recent requests
• Full Control: Clear all data anytime with the Clear button

Built with security and privacy as top priorities:
• Manifest V3 Compliant: Uses the latest Chrome extension architecture
• Strict Content Security Policy: Prevents XSS attacks and malicious code execution
• No Tracking: Zero analytics, telemetry, or user tracking
• No External Dependencies: Self-contained with no third-party services
• Open Source Ready: Code available for security review

🚀 Perfect For

• Install the Extension: Add API Request Logger to Chrome with one click
• Browse Websites: Navigate to any website that makes API calls
• View Requests: Click the extension icon to see all intercepted API requests
• Inspect Details: Click any request to view complete request/response information
• Search & Filter: Use search and filters to find specific requests quickly
• Clear When Done: Remove all logged data with the Clear button.

• Manifest V3: Built with the latest Chrome extension standard
• Browser Compatibility: Chrome 88+, Edge 88+, and other Chromium-based browsers
• Storage Limit: Maximum 1000 requests stored (oldest removed automatically)
• Supported Protocols: HTTP and HTTPS requests via fetch() and XMLHttpRequest
• Performance: Lightweight and efficient, minimal impact on page load times.

• Developer Tool: This extension is designed for development and debugging purposes
• Sensitive Data: Be aware that logged requests may contain authentication tokens, passwords, or personal information
• Responsible Use: Use in accordance with website terms of service and applicable laws
• Limitations: Only captures fetch() and XMLHttpRequest calls (not WebSocket or other protocols)

• Debug API authentication issues by inspecting request headers
• Monitor API rate limiting and quota usage
• Analyze API response times and performance bottlenecks
• Reverse-engineer undocumented API endpoints
• Verify API request payloads match expected format
• Troubleshoot CORS and network errors
• Learn how modern web applications communicate with backends
• Document API behavior for team members
• Test API integrations during development
• Monitor third-party API calls made by websites

We continuously improve API Request Logger based on developer feedback. Expect regular updates with new features, performance improvements, and bug fixes.

Have questions, suggestions, or found a bug? We'd love to hear from you! Open an issue on our repository or contact us directly.
API Call Detector
Security tool to actively detect external API calls made from the displayed web page.

Identify potential security risks by mapping all external API calls made through JavaScript. This professional-grade extension provides real-time monitoring of web page communications, helping security teams uncover hidden data flows, unauthorized third-party integrations, and potential attack vectors.

Key Features:
• Real-time detection of XMLHttpRequest, Fetch API, and WebSocket connections
• Automatic filtering of static resources (images/CSS/fonts)
• Security-focused reporting with domain frequency analysis
• Exportable audit trails in markdown format
• Cross-origin call tracking with full URL capture
• Manifest V3 compliant with strict CSP policies

Ideal For:
• Identifying shadow APIs in enterprise web applications
• Auditing data flows for GDPR/HIPAA compliance
• Detecting unauthorized third-party trackers
• Educational white-hat hacking exercises
• Penetration testing reconnaissance phases
• Monitoring client-side supply chain risks

Technical Specifications:
• Operates at document_start phase to capture initializations
• Content script injection via Chrome extension APIs
• Background service worker maintains isolated call registry
• Secure message passing between components
• Zero data collection/telemetry

Advanced Capabilities:
• Path-based sorting and domain clustering
• Automatic deduplication of repeated calls
• Query parameter stripping for clean analysis
• Multi-frame tracking (iframes/web workers)
• Detection bypass prevention through prototype hooks

For Security Teams:
• Prioritize endpoints by call frequency
• Spot anomalous domains in real-time
• Export findings to standard threat intelligence formats
• Integrate with SIEM systems via manual export

Development Philosophy:
• Minimal permissions required (storage, downloads, webNavigation)
• No background page persistence
• Strict content security policy enforcement
• Regular updates to match evolving web standards

Open Source Ready:
• Clean codebase for organizational customization
• MIT License (contact developer for enterprise terms)
• Built for extensibility (add custom filters/hooks)

Install to gain immediate visibility into client-side network activity and strengthen your organization's web application security posture. Essential for modern cybersecurity defense-in-depth strategies.