rep+ is a lightweight Chrome DevTools extension inspired by Burp Suite's Repeater, now supercharged with AI. I often need to poke at a few requests without spinning up the full Burp stack, so I built this extension to keep my workflow fast, focused, and intelligent with integrated LLM support.
- Features
- Quick Start
- Installation
- Permissions & Privacy
- Limitations
- Star History
- Found a Bug or Issue?
- ❤️ Support the Project
- No proxy setup; works directly in Chrome (no CA certs needed).
- Capture every HTTP request and replay with modified method, headers, or body.
- Multi-tab capture (optional permission) with visual indicators 🌍 and deduplication.
- Clear workspace quickly; export/import requests as JSON for sharing or later reuse.
- Hierarchical grouping by page and domain (first-party prioritized).
- Third-party detection and collapsible groups; domain badges for quick context.
- Starring for requests, pages, and domains (auto-star for new matches).
- Timeline view (flat, chronological) to see what loaded before a request.
- Filters: method, domain, color tags, text search, regex mode.
- Pretty / Raw / Hex views; layout toggle (horizontal/vertical).
- Converters: Base64, URL encode/decode, JWT decode, Hex/UTF-8.
- History, undo/redo, and syntax highlighting for requests/responses.
- Screenshots for request/response pairs; copy helpers for req/resp.
- Bulk replay with 4 attack modes: Sniper, Battering Ram, Pitchfork, Cluster Bomb.
- Mark positions with `§`, configure payloads, pause/resume long runs.
- Response diff view to spot changes between baseline and attempts.
- Unified Extractor: secrets and endpoints from captured JS.
- Secret Scanner: entropy + patterns with confidence scores; pagination and domain filter.
- Endpoint Extractor: full URLs, relative paths, GraphQL; method detection; one-click copy (rebuilds base URL).
- Response Search: regex support, match preview, pagination, domain filter.
- Explain Request (Claude/Gemini) with streaming responses.
- Suggest Attack Vectors: request + response analysis; auto-send if no response; payload suggestions; reflections/errors/multi-step chains; fallback to request-only with warning.
- Context menu “Explain with AI” for selected text.
- Attack Surface Analysis per domain: categorization (Auth/Payments/Admin/etc.), color-coded icons, toggle between list and attack-surface view.
- Multi-provider support (Claude/Gemini).
- Export AI outputs as Markdown or PDF to save RPD/TPM.
- Light/dark theme with smooth transitions.
- Request color tags and filters.
- Syntax highlighting for JSON/XML/HTML.
- Open Chrome DevTools → “rep+” tab.
- Browse: requests auto-capture.
- Click a request: see raw request/response immediately.
- Edit and “Send” to replay; use AI buttons for explain/attack suggestions.
- Use timeline, filters, and bulk replay for deeper testing.
- Clone the repository:
  `git clone https://github.com/bscript/rep.git`
- Open Chrome Extensions:
  - Navigate to `chrome://extensions/` in your browser.
  - Enable Developer mode (toggle in the top right corner).
- Load the Extension:
  - Click Load unpacked.
  - Select the `rep` folder you just cloned.
- Open DevTools:
  - Press `F12` or right-click -> Inspect.
  - Look for the rep+ tab (you might need to click the `>>` overflow menu).
This combo makes rep+ handy for bug bounty hunters and vulnerability researchers who want Burp-like iteration without the heavyweight UI. Install the extension, open DevTools, head to the rep+ panel, and start hacking. 😎
- Optional: `webRequest` + `<all_urls>` only when you enable multi-tab capture.
- Data: Stored locally; no tracking/analytics.
- AI: Your API keys stay local; request/response content is sent only to the provider you choose (Claude/Gemini) when you invoke AI features.
rep+ runs inside Chrome DevTools, so:
- No raw HTTP/1 or malformed requests (fetch() limitation)
- Some headers can’t be overridden (browser sandbox)
- No raw TCP sockets (no smuggling/pipelining tests)
- DevTools panel constraints limit certain UI setups
rep+ is best for quick testing, replaying, and experimenting — not full low-level HTTP work.
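
The header limitation above, shown as an added example (not rep+'s own code): assuming replay goes through `fetch()`, it applies the Fetch standard's forbidden request-header rules to a raw request and reports which headers the browser will silently drop. `isForbiddenHeader`, `planReplay` and the sample request are constructed for illustration.

```javascript
// Forbidden request-header names from the WHATWG Fetch standard.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
// Method-override headers are forbidden only when they name a forbidden method.
const METHOD_OVERRIDE = new Set(["x-http-method", "x-http-method-override", "x-method-override"]);
const FORBIDDEN_METHODS = new Set(["connect", "trace", "track"]);

function isForbiddenHeader(name, value = "") {
  const n = name.trim().toLowerCase();
  if (FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-")) return true;
  if (METHOD_OVERRIDE.has(n)) {
    return value.split(",").some((m) => FORBIDDEN_METHODS.has(m.trim().toLowerCase()));
  }
  return false;
}

// Split an edited raw request into what fetch() will send and what it will drop.
function planReplay(rawRequest) {
  const [head] = rawRequest.split(/\r?\n\r?\n/);
  const [requestLine, ...headerLines] = head.split(/\r?\n/);
  const [method, target] = requestLine.split(" ");
  const plan = { method, target, sendable: {}, dropped: [] };
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx < 1) continue; // skip lines that are not "Name: value"
    const name = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    if (isForbiddenHeader(name, value)) plan.dropped.push(name);
    else plan.sendable[name] = value;
  }
  return plan;
}

// Constructed sample request (hypothetical host and values).
const SAMPLE = [
  "POST /api/login HTTP/1.1", "Host: app.example.test",
  "Cookie: session=constructed", "Content-Type: application/json",
  "X-Request-Id: constructed-123", "Sec-Fetch-Site: same-origin",
  "X-HTTP-Method-Override: TRACE", "Authorization: Bearer constructed-token",
  "", '{"user":"demo"}',
].join("\r\n");

console.log(planReplay(SAMPLE).dropped); // headers the browser controls itself
```

A replay that appears to ignore an edited `Host`, `Cookie` or `Sec-*` header is therefore the browser enforcing these rules, not the server rejecting the change.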
If you encounter any bugs, unexpected behavior, or have feature requests, please help me improve rep+ by opening an issue here.
I’ll do my best to address it as quickly as possible! 🙏
I maintain rep+ alone, in my free time.
Sponsorship helps me keep improving the extension, adding new features, and responding to issues quickly.
If rep+ saved you time during testing, development, or bug bounty work, please consider supporting the project.
Every dollar helps. ❤️