API Call Detector

Security tool to actively detect external API calls made from displayed web page

API Call Detector - Cybersecurity Analysis Tool Identify potential security risks by mapping all external API calls made through JavaScript. This professional-grade extension provides real-time monitoring of web page communications, helping security teams uncover hidden data flows, unauthorized third-party integrations, and potential attack vectors. Key Features: Real-time detection of XMLHttpRequest, Fetch API, and WebSocket connections Automatic filtering of static resources (images/CSS/fonts) Security-focused reporting with domain frequency analysis Exportable audit trails in markdown format Cross-origin call tracking with full URL capture Manifest V3 compliant with strict CSP policies Ideal For: Identifying shadow APIs in enterprise web applications Auditing data flows for GDPR/HIPAA compliance Detecting unauthorized third-party trackers Educational white-hat hacking exercises Penetration testing reconnaissance phases Monitoring client-side supply chain risks Technical Specifications: Operates at document_start phase to capture initializations Content script injection via Chrome extension APIs Background service worker maintains isolated call registry Secure message passing between components Zero data collection/telemetry Use Cases: Vulnerability Assessment: Map all external endpoints contacted during user sessions Incident Response: Quickly identify compromised APIs during breach investigations Third-Party Audit: Document data leakage points to external services Developer Education: Visualize runtime network behavior of SPAs Compliance Reporting: Generate evidence of endpoint security checks Advanced Capabilities: Path-based sorting and domain clustering Automatic deduplication of repeated calls Query parameter stripping for clean analysis Multi-frame tracking (iframes/web workers) Detection bypass prevention through prototype hooks For Security Teams: Prioritize endpoints by call frequency Spot anomalous domains in real-time Export findings to standard threat intelligence formats Integrate with SIEM systems via manual export Development Philosophy: Minimal permissions required (storage, downloads, webNavigation) No background page persistence Strict content security policy enforcement Regular updates to match evolving web standards Open Source Ready: Clean codebase for organizational customization MIT License (contact developer for enterprise terms) Built for extensibility (add custom filters/hooks) Install to gain immediate visibility into client-side network activity and strengthen your organization's web application security posture. Essential for modern cybersecurity defense-in-depth strategies.