API Sniffer - Endpoint Detector

Capture, replay, and automate HTTP requests with real-time WebSocket, WebRTC monitoring and passive API leak detection.

API Sniffer is a powerful, lightweight developer tool designed to simplify API debugging, monitoring, and documentation. Whether you are reverse-engineering an app, writing documentation, or debugging network calls, API Sniffer completely eliminates the need to manually dig through the browser's Network tab. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 🆕 What's New in Version 2.2: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 🔌 WebSocket Monitoring: • Real-time capture of all WebSocket connections and messages (sent & received). • Split-panel UI with connection sidebar and live message stream. • Pause/Resume listening to freeze capture without losing data. • Export captured WebSocket data as JSON or CSV with one click. 📡 WebRTC Monitoring: • Intercepts all RTCPeerConnection creation, ICE candidates, SDP offers/answers, data channels, and media tracks. • Full event stream with color-coded badges for each event type. • Export all WebRTC data as structured JSON. • Shared Pause/Resume control with WebSocket monitoring. 🔐 Passive API Leak Detection (Secrets Scanner): • Automatically scans all request URLs, request headers, response headers, and response bodies for leaked secrets. • Detects 38+ secret types: AWS keys, Google API keys, Stripe keys, JWTs, Bearer tokens, GitHub/GitLab tokens, Slack/Discord/Telegram tokens, OpenAI keys, SendGrid keys, Firebase keys, Shopify tokens, private keys, and more. • URL parameter scanning catches API keys leaked in query strings (?key=, ?api_key=, ?access_token=, ?token=, ?secret=). • Context-Aware Filtering: Smart false-positive reduction that examines JSON key names — drops normal IDs (request_id, client_id, etc.) and only reports values assigned to security-sensitive keys (password, secret, token, auth, etc.). • Click any detected leak to view full details with matched value and surrounding context. • Export all findings as CSV for reporting. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ✨ Features from Version 2.1: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ • Advanced Dashboard: A full-page professional dashboard for in-depth API testing. • API Repeater: Send, modify, and replay captured HTTP requests manually. View raw requests and preview responses instantly with multi-tab support. • API Automator (Fuzzer): Automate API testing by injecting payloads into requests using the §target§ marker. Supports manual lists, .txt file uploads, numeric ranges, and incremental payloads. • Target Scope Management: Define specific domains in your scope and easily filter the popup to "Show Scope Only," keeping your workspace clutter-free. • 1-Click Integration: Instantly send any captured endpoint from the popup directly to the Repeater (RPT) or Automator (AUT) queues. • CSV Export for Automator: Export all your automated run results (including status codes, lengths, and response times) directly to a CSV file. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 🔥 Key Features: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 🚀 Real-time Monitoring — Automatically captures fetch/XHR requests, WebSocket messages, and WebRTC connections silently as you browse. 🧹 Smart Filtering — Built-in filters ignore static assets (.png, .css, .mp4, etc.), while the Custom Blacklist lets you hide specific noisy domains. Target Scope lets you strictly focus on testing domains. 🔐 Leak Detection — Passively scans all network traffic for accidentally exposed API keys, tokens, passwords, and secrets with context-aware false-positive filtering. 📂 One-Click Export — Instantly copy all endpoints to your clipboard, or download them as a clean .txt, structured .json for Postman/Insomnia, or CSV for spreadsheets. 🎯 Precision Control — Easily start, stop, pause, or reset the recording process at any time. Remove single endpoints from the list without clearing everything. 🔌 Protocol Coverage — Monitors HTTP (XHR/Fetch), WebSocket, and WebRTC traffic from a single extension. ⚡ Lightweight & Secure — Runs 100% locally in your browser. No external servers, no tracking, and it won't slow down your browsing speed. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Perfect for Web Developers, Pentesters, Bug Bounty Hunters, and QA Engineers who need to analyze network traffic quickly and efficiently.