rep+ is a powerful Chrome DevTools extension designed for developers, security researchers, and bug bounty hunters, bringing Burp Suite Repeater functionality directly into the browser with integrated AI-powered security analysis. This tool enables users to test and analyze HTTP requests smarter and faster without the need for complex proxy setups, operating natively inside Chrome for immediate accessibility. Its core value lies in merging traditional request manipulation with modern artificial intelligence to uncover security issues and understand application behavior more efficiently, making it an essential utility for real pentesting workflows. The extension is specifically crafted for speed, clarity, and practical security testing, positioning itself as a bridge between developer tools and professional security auditing suites within a familiar browser environment.
Traditional web security testing and debugging often involve cumbersome setups, switching between multiple tools, and manual analysis of HTTP traffic, which slows down discovery and increases the chance of missing vulnerabilities. Developers and security professionals need to capture, modify, and replay requests to test endpoints, but doing so typically requires external proxies or standalone applications that disrupt the natural browsing workflow. rep+ directly addresses this pain point by integrating these capabilities directly into Chrome DevTools, eliminating the proxy setup requirement and allowing instant capture from any tab. This seamless integration matters because it reduces context switching, accelerates the testing cycle, and lowers the barrier to entry for conducting security assessments, enabling users to focus on analysis rather than tool configuration.
One major feature group is comprehensive HTTP request capture and management, which includes the ability to capture and replay HTTP requests from any tab without proxy setup. The tool automatically removes duplicate requests during capture to eliminate noise and keep only unique traffic, while also providing robust organization through grouping, filtering, blocking, and searching requests using text or regular expressions. This functionality is useful because it creates a clean, manageable dataset of network activity, allowing users to quickly isolate specific requests of interest for further testing. By operating directly within the browser, it captures live traffic as it happens, providing an accurate and immediate view of all HTTP interactions, which is foundational for any security analysis or debugging session.
admin
A second major feature group is intelligent data extraction and analysis, which passively extracts hidden endpoints from JavaScript and discovers query, body, header, and path parameters with risk classification and confidence scoring. It also detects secrets in JavaScript using high-coverage Kingfisher rules, providing automated insight into potential security weaknesses. This feature set is valuable because it automates the tedious process of manually scouring source code and network traffic for attack surfaces, surfacing parameters and endpoints that might be overlooked. The risk classification helps prioritize investigation, guiding users toward the most likely vulnerabilities first, thereby increasing the efficiency and effectiveness of security audits and bug bounty hunting activities.
Additional capabilities include extensive data manipulation and export functions, such as inline data conversion for Base64, URL encode/decode, JWT decode, and Hex/UTF-8 transformations. Users can inspect responses in multiple formats with syntax highlighting and line numbers for better readability, and deeply search inside responses and JavaScript. Furthermore, the tool allows exporting of endpoints, parameters, and secrets to CSV or Postman format, facilitating integration with other testing workflows and tools. These capabilities are crucial for hands-on testing, as they enable rapid modification of request data to probe for injection flaws or encoding issues and allow findings to be easily shared or imported into broader security testing pipelines, enhancing collaborative and methodological work.
The overall workflow of rep+ is centered on a seamless, browser-native interception and modification loop. Users browse normally while the extension captures all HTTP requests in the background, automatically deduplicating them. They can then inspect, filter, and search this captured traffic within the DevTools panel. For any request, they can modify headers, parameters, or body content using the built-in converters, then replay it to see the server's response. The integrated AI components can suggest modifications or explain request structures, while the automated attack modules allow for systematic payload testing. This methodology combines passive reconnaissance (endpoint extraction, secret detection) with active testing (request replay, automated attacks), all within a single, cohesive interface that mirrors professional security testing stages.
Concrete use cases include a bug bounty hunter analyzing a web application who uses rep+ to capture all API calls during a reconnaissance phase, then employs the endpoint extractor to find hidden API routes not linked in the UI. They might use the parameter discovery with risk scoring to identify a high-confidence query parameter, then utilize the built-in Cluster Bomb attack to fuzz it with payloads, quickly identifying a SQL injection vulnerability. A developer debugging a faulty API integration could capture the failing request, use the JWT decoder to inspect a token, modify a value using the AI-suggested edit, and replay it to confirm the fix. In both scenarios, the outcome is a faster, more informed testing process that leads to the discovery of security issues or the resolution of functional problems without leaving the browser.
The primary target users are bug bounty hunters, red teamers, AppSec professionals, and curious developers who require in-browser HTTP manipulation and security analysis. It is a Chrome extension, requiring the Chrome browser and its DevTools, and supports integration with local LLMs like Ollama or external AI APIs for its intelligent features. The tool is offered for free, with the developer declaring no data collection, and is available in English. In summary, rep+ delivers a powerful, integrated testing environment that brings professional-grade request repeater and security analysis capabilities directly into the developer's everyday browser, significantly streamlining the process of web security assessment and API debugging.
rep+ is designed for bug bounty hunters, red teamers, application security (AppSec) professionals, penetration testers, and developers who need to test, debug, or analyze HTTP requests and web application security directly within their browser. It specifically targets individuals engaged in web security assessments, vulnerability discovery, and API testing who prefer a lightweight, integrated tool over standalone proxy applications. The extension is also suitable for curious developers interested in understanding application behavior and security posture.