API Security Researcher

https://ndevtk.github.io/writeups/
Extension | Privacy & Security | 5 users

Overview

API discovery, protocol reverse-engineering, JavaScript security code review, and request export.

API Security Researcher passively monitors web traffic to map APIs, decode protocols, and surface security issues — all from your browser.

What it does:

- Captures fetch, XHR, WebSocket, and EventSource traffic without requiring debugger or webRequest permissions
- Automatically decodes Protobuf, JSPB, gRPC-Web, GraphQL, Server-Sent Events, NDJSON, Google batchexecute, and async chunked responses
- Learns API schemas from observed traffic — request/response structures, URL parameters, field types, and enums
- Probes for official API documentation on discovered interfaces
- Performs static analysis of JavaScript bundles using Babel AST to extract API call sites, proto field maps, and enums before requests even happen
- Detects DOM XSS sinks, open redirects, prototype pollution, unsafe postMessage listeners, and other security patterns with taint tracking from user-controlled sources
- Exports requests as curl, fetch, or Python snippets
- Exports and imports OpenAPI 3.0.3 specs with protobuf field number round-tripping
- Cross-tab request log filtering and collaborative field/parameter renaming

Who it's for: Security researchers, penetration testers, bug bounty hunters, and developers who want to understand the APIs behind any website.

Code can be viewed at https://github.com/NDevTK/APIClient under the GNU GPL v3 license.

Details

  • Version
    1.0.0
  • Updated
    April 5, 2026
  • Size
    489KiB
  • Languages
    English (United Kingdom)
  • Developer
    Website
    Email
    ndevtk@protonmail.com
  • Non-trader
    This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.

Privacy

The developer has disclosed that it will not collect or use your data. To learn more, see the developer’s privacy policy.

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes