API Security Researcher
API discovery, protocol reverse-engineering, JavaScript security code review, and request export.
As of June 2026, API Security Researcher has 15 users in the Privacy & Security category.
- Users: 15 (no change, 0%)
- Rating: — (no change, 0%)
- Reviews: — (no change, 0%)
- Version: 1.0.0
- Manifest: V3
History
9 snapshots. Tracking since Apr 5, 2026.
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| Apr 5, 2026 | — | — | — | 1.0.0 |
| Apr 18, 2026 | — | — | — | 1.0.0 |
| Apr 23, 2026 | 6 | — | — | 1.0.0 |
| Apr 30, 2026 | 9 | — | — | 1.0.0 |
| May 7, 2026 | 11 | — | — | 1.0.0 |
| May 12, 2026 | 12 | — | — | 1.0.0 |
| May 24, 2026 | 13 | — | — | 1.0.0 |
| May 30, 2026 | 12 | — | — | 1.0.0 |
| Jun 14, 2026 | 14 | — | — | 1.0.0 |
| Now | 15 | — | — | 1.0.0 |
Permissions & access
- Permissions: storage, offscreen, webNavigation
- Host access: <all_urls>
About
API Security Researcher passively monitors web traffic to map APIs, decode protocols, and surface security issues — all from your browser.

What it does:
- Captures fetch, XHR, WebSocket, and EventSource traffic without requiring debugger or webRequest permissions
- Automatically decodes Protobuf, JSPB, gRPC-Web, GraphQL, Server-Sent Events, NDJSON, Google batchexecute, and async chunked responses
- Learns API schemas from observed traffic — request/response structures, URL parameters, field types, and enums
- Probes for official API documentation on discovered interfaces
- Performs static analysis of JavaScript bundles using Babel AST to extract API call sites, proto-field maps, and enums before requests even happen
- Detects DOM XSS sinks, open redirects, prototype pollution, unsafe postMessage listeners, and other security patterns with taint tracking from user-controlled sources
- Exports requests as curl, fetch, or Python snippets
- Exports and imports OpenAPI 3.0.3 specs with protobuf field number round-tripping
- Cross-tab request log filtering and collaborative field/parameter renaming

Who it's for: Security researchers, penetration testers, bug bounty hunters, and developers who want to understand the APIs behind any website.

Code can be viewed at https://github.com/NDevTK/APIClient under the GNU GPL v3 license.
Technical
- Version: 1.0.0
- Manifest: V3
- Size: 489KiB
- Min Chrome: 88
- Languages: 1
- Featured: No
Metadata
- ID: ahbikcjdhmpbgolbheekhkdfgfodfaoa
- Developer ID: u2677414efe33a6516cacbfc583e3b572
- Developer Email: [email protected]
- Created: Apr 5, 2026
- Last Updated (Store): Apr 5, 2026
- Last Scraped: Jun 14, 2026
- Support URL: —
- Privacy Policy: https://ndevtk.github.io/writeups/privacy/
Data sourced from the Chrome Web Store · last verified Jun 14, 2026.