APIsec BOLT (pahogphomhkblammgnlnlgpiifkbfldi)
Discover APIs from browser traffic and auto-generate OpenAPI specs.

APIsec BOLT automatically discovers and security-tests APIs by capturing real application traffic directly from your browser—without proxies, agents, or configuration. As you interact with an application, BOLT identifies API endpoints, detects security vulnerabilities in real time, and provides a streamlined path to analyze and test those APIs using APIsec.ai. BOLT converts real runtime behavior into accurate API definitions and actionable security findings, eliminating guesswork and accelerating documentation, onboarding, and security workflows.

1. Automatic capture of application traffic: BOLT captures API calls directly from your active browser tab. No proxies or traffic redirection required. Start capture and browse normally; BOLT records API interactions on the fly.
2. Real-time threat detection: As traffic is captured, BOLT automatically surfaces BOLA, RBAC misconfiguration, and Mass Assignment findings — no manual trigger needed. A live findings banner alerts you to issues as they appear, with grade badges and expandable threat details in the APIs tab.
3. Automatic identification of API endpoints: Captured traffic is analyzed to identify API methods, paths, parameters, hostnames, and request/response metadata — producing a reliable API inventory based on how your application actually behaves.
4. Auth token harvesting: BOLT automatically detects and catalogs auth tokens from captured traffic — JWT, API keys, Basic auth, and cookies — in a dedicated Auth tab. Your token inventory builds itself as you browse.
5. Request editing and replay: The Manipulator tab lets you edit and resend any captured request. A smart param picker surfaces suggestions from all captured traffic, with editable path parameters for IDOR and BOLA testing.
6. Automatic generation of OpenAPI (Swagger) specifications: BOLT converts captured API calls into structured OpenAPI definitions. Use the OAS picker to select exactly which APIs to export for documentation, modeling, or integration with APIsec.ai's testing workflows.
7. APIsec.ai–powered API security analysis: API definitions discovered by BOLT can be analyzed using APIsec.ai's automated security engine, covering authentication and authorization issues, BOLA/IDOR, logic flaws, injection risks, misconfigurations, and complex multi-step attack paths.

1. Open a web application and launch APIsec BOLT from the Chrome or Firefox toolbar.
2. Start capture to automatically collect API traffic from your active browser tab.
3. Review discovered endpoints, real-time threat findings, and captured auth tokens.
4. Use the Manipulator to edit and replay requests, or export auto-generated OpenAPI specs.
5. Send APIs to APIsec.ai to onboard or run automated security analysis.

Non-intrusive and privacy-respecting by design
APIsec BOLT operates completely on the user's local machine. All traffic capture, API identification, threat detection, and OpenAPI generation occur locally within the browser extension. BOLT does not intercept, modify, or block network traffic. It passively observes requests from the active browser tab solely for the purpose of API discovery, documentation, and security analysis. Transmission of API data to APIsec.ai occurs only when the user explicitly initiates it. No data is sent externally without user action.
FoxyProxy
Easy to use advanced Proxy Management tool for everyone

FoxyProxy is an open-source, advanced proxy management tool that completely replaces Chrome's limited proxying capabilities. No paid accounts are necessary; bring your own proxies or buy from any vendor. The original proxy tool, since 2006.

WHAT IS IT? FoxyProxy is a Chrome and Firefox extension which switches an internet connection across one or more proxy servers:
1. by point-and-click of colored icons
2. by URL (define URL patterns with wildcards or regular expressions)
3. by browser tab - set individual proxies per tab: assign up to 4 proxy servers for use on 4 different tabs.

FoxyProxy automates the manual process of editing your browser's proxy settings.
* Customize colors and country flags to make it easy to see which proxy is in use
* Proxy per tab, by URL, or by point-and-click of colored icons
* Import/Export all of your settings, or just URL patterns, to share with others (fixed in 8.0 and above)
* Select a proxy specifically to use in Incognito Mode
* Keyboard shortcuts
* Globally exclude any domain from proxying
* Create patterns with wildcards or regular expressions. A pattern tester is included.
* (optional) Automatically synchronize all of your proxy settings with your other Chrome instances when you use Sync.
* Turn WebRTC on/off to further limit discovery of your IP address
* Built-in predefined selections for tor, privoxy, and psiphon
* Extensive built-in help

Source code is at https://github.com/foxyproxy/browser-extension

FoxyProxy has been owned and developed consistently by the same team since 2006. It has never been sold and never will.

* downloads: Required to export the extension settings to a file. Users can import that file to other Chrome/Firefox instances, or share it with colleagues, in order to keep the same settings. It can also be backed up and used later.
* proxy: The core function of the extension is to allow users to set the proxy server used by the browser.
* storage: Required to store proxy server settings (hostname, port, username, and which proxy server is enabled by the user).
* tabs: Required so that users can set separate proxies to use per tab. It is also needed for "QuickAdd" to quickly add a URL pattern that applies to the current/active tab. It is also used to open a URL to getfoxyproxy.org where there is online help.
* webRequest: Required to authenticate with proxy servers via webRequest.onAuthRequired
* webRequestAuthProvider: Required to authenticate with proxy servers via webRequest.onAuthRequired
* browsingData: Required so the extension can delete cookies, indexedDB, and localStorage when requested by the user on the Options page (Delete Browsing Data button)
* privacy: Required so the extension can call browser.privacy.network.webRTCIPHandlingPolicy to turn on/off webRTC in Chrome (Limit WebRTC checkbox in Options page)
* host permission: Required to proxy all webRequests and provide proxy server authentication. It is used because users may choose to load any/all URLs through proxy servers (chrome.webRequest.onAuthRequired and chrome.webRequest.onAuthRequired.addListener). Also needed to get account details from FoxyProxy servers, if requested by the user with the Import FoxyProxy Account on the Import tab.

** No remote code is used in this extension. **
FindSomething
Find interesting things in the webpage's source code or JavaScript

This tool quickly extracts interesting information from the HTML source code or JS code of a web page, including possibly requested resources, interface URLs, possibly requested IPs and domain names, leaked ID numbers, mobile phone numbers, email addresses, etc. Feel free to contact us on WeChat: canxiao_xiao
Shodan
The Shodan plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ports are open. The Shodan plugin for Chrome automatically checks whether Shodan has any information for the current website. Is the website also running FTP, DNS, SSH or some unusual service? With this plugin you can see all the info that Shodan has collected on a given website/domain.
rep+
rep+ - Capture, modify, and replay HTTP requests in Chrome DevTools with AI-powered security analysis.

rep+ is a powerful Chrome DevTools extension that brings Burp Suite Repeater functionality directly into your browser. Now enhanced with AI, it helps developers, security researchers, and bug bounty hunters test and analyze HTTP requests smarter and faster—no proxy setup required.

With rep+ you can:
- Capture and replay HTTP requests from any tab, without proxy setup
- Group, filter, block, and search requests using text or regex
- Convert data inline (Base64, URL encode/decode, JWT decode, Hex/UTF‑8)
- Inspect responses in multiple formats with syntax highlighting and line numbers
- Passively extract hidden endpoints from JavaScript
- Discover query, body, header, and path parameters with risk classification and confidence scoring
- Suppress false positives by ignoring common frameworks, libraries, telemetry, and generic fields
- Detect secrets in JavaScript using high‑coverage Kingfisher rules
- Export endpoints, parameters, and secrets to CSV or Postman
- Search deeply inside responses and JavaScript
- Run built‑in automated attacks (Sniper, Battering Ram, Pitchfork, Cluster Bomb)
- Use AI for request explanations and attack suggestions via API or local LLM (Ollama)
- AI‑powered request analysis, modification, and attack suggestions
- Per‑request isolated chat with cross‑request references
- One‑click AI‑driven request edits with visual feedback
- Local or API‑based LLM support with aggressive token optimization
- Automatically remove duplicate requests during capture to eliminate noise and keep only unique traffic

Why install it?
- Works natively inside your browser
- Designed for speed, clarity, and real pentesting workflows
- Helps you uncover security issues and understand application behaviour faster
- Ideal for bug bounty hunters, red teamers, AppSec, and curious devs