API Security Researcher
Overview
API Security Researcher passively monitors web traffic to map APIs, decode protocols, and surface security issues — all from your browser.
What it does:
- Captures fetch, XHR, WebSocket, and EventSource traffic without requiring debugger or webRequest permissions
- Automatically decodes Protobuf, JSPB, gRPC-Web, GraphQL, Server-Sent Events, NDJSON, Google batchexecute, and async chunked responses
- Learns API schemas from observed traffic — request/response structures, URL parameters, field types, and enums
- Probes for official API documentation on discovered interfaces
- Performs static analysis of JavaScript bundles using the Babel AST to extract API call sites, proto field maps, and enums before any request is made
- Detects DOM XSS sinks, open redirects, prototype pollution, unsafe postMessage listeners, and other security patterns with taint tracking from user-controlled sources
- Exports requests as curl, fetch, or Python snippets
- Exports and imports OpenAPI 3.0.3 specs with protobuf field number round-tripping
- Cross-tab request log filtering and collaborative field/parameter renaming
Who it's for:
Security researchers, penetration testers, bug bounty hunters, and developers who want to understand the APIs behind any website.
Code can be viewed at https://github.com/NDevTK/APIClient under the GNU GPL v3 license.
🔐 Security Analysis
This extension hasn't been security-scanned yet.