
Jhounx/recowl-me


RecOwl.me

RecOwl.me is a Chrome extension (Manifest V3) for passive HTTP reconnaissance. While you browse real web apps in your own browser, it quietly records how the frontend talks to backends: which hosts, paths, methods, and—when the browser allows it—structured hints about request and response bodies. Nothing is “scanned” from the outside; you are simply observing the traffic your tabs already generate.


What it is for

Primary goal: feed an LLM with real API surface, fast

Modern SPAs call dozens of endpoints across one or more domains. Manually copying requests from DevTools is slow, and screenshots lose structure. RecOwl.me is built around a simple workflow:

  1. Use the app normally (log in, click through flows, submit forms).
  2. Open the Dashboard and pick a domain (or review endpoints grouped by page).
  3. Click Copy (per domain) or Copy schemas (LLM) to put a single JSON document on the clipboard.

That export bundles, per host, every stored endpoint with:

  • Normalized paths (dynamic segments collapsed, e.g. UUIDs → templated segments).
  • Methods, hit counts, and timeline metadata.
  • Request body: inferred key/type schemas and truncated real examples when captured (JSON, forms, or what webRequest exposes).
  • Response: observed Content-Types and, for JSON, structural schema variants plus sample payloads when the page’s fetch/XHR could read the body (same-origin / CORS permitting).

You can paste that JSON straight into ChatGPT, Claude, Cursor, or any other LLM and ask for, for example:

  • A threat model or abuse cases for the API.
  • Test ideas, edge cases, or IDOR / authz angles.
  • A human-readable API map or OpenAPI-style outline.
  • Burp / Postman-friendly notes (the tool also has raw HTTP templates for Burp in the detail panel).

The LLM never needs your cookies or secrets—you share shapes and redacted samples, not live sessions.
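How the normalized paths and key/type schemas in that export can be derived, as an added example that is not RecOwl.me's own code. The function names, the `{uuid}` / `{id}` placeholders and the sample requests are assumptions made for illustration.

```javascript
// Added example, not RecOwl.me code; names and placeholders are assumptions.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Collapse dynamic segments so /users/<uuid>/profile is stored once.
function normalizePath(pathname) {
  return pathname.split("/").map((seg) => {
    if (UUID.test(seg)) return "{uuid}";
    if (/^\d+$/.test(seg)) return "{id}";
    return seg;
  }).join("/");
}

// Reduce a JSON value to key names and types; no values are kept.
function inferSchema(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) return value.length ? [inferSchema(value[0])] : [];
  if (typeof value !== "object") return typeof value;
  const out = {};
  for (const key of Object.keys(value).sort()) out[key] = inferSchema(value[key]);
  return out;
}

// Fold requests into one entry per method + host + normalized path.
function buildEndpoints(requests) {
  const endpoints = new Map();
  for (const r of requests) {
    const { host, pathname } = new URL(r.url);
    const key = `${r.method} ${host}${normalizePath(pathname)}`;
    const ep = endpoints.get(key) || { hits: 0, schemas: new Set() };
    ep.hits += 1;
    try {
      if (r.body) ep.schemas.add(JSON.stringify(inferSchema(JSON.parse(r.body))));
    } catch { /* non-JSON body: count the hit, record no schema */ }
    endpoints.set(key, ep);
  }
  return endpoints;
}

// Constructed sample traffic (hosts and IDs are made up).
const SAMPLE_REQUESTS = [
  { method: "PUT", url: "https://api.example.test/users/3f2b8c1e-9a4d-4e6f-8b2a-1c5d7e9f0a3b/profile",
    body: '{"name":"a","age":30}' },
  { method: "PUT", url: "https://api.example.test/users/7d1e4a9c-2b3f-4c8d-9e6a-5f0b1c2d3e4f/profile",
    body: '{"age":41,"name":"b","tags":["x"]}' },
  { method: "GET", url: "https://api.example.test/orders/1042" },
];
```

Two different users collapse into one `PUT .../users/{uuid}/profile` entry with two schema variants, which is the shape an LLM prompt can reason about without seeing any field values.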

Who it helps

  • Bug bounty / pentest: map unknown APIs after minimal browsing.
  • Engineers / QA: reverse-engineer a third-party or legacy frontend’s contract.
  • Anyone who wants a structured dump of “what this site calls” without running a separate proxy.

How capture works (two layers)

| Layer | What you get |
| --- | --- |
| chrome.webRequest | Every request the browser makes: URL, method, status, headers, content-types. Request bodies appear when Chrome exposes them (e.g. some POST bodies). Good for breadth and routing noise. |
| Page fetch / XHR hook | Runs in the page’s main world (via an injected script + isolated bridge) so it sees the same APIs the app uses. When the response is readable JSON (same-origin or CORS allows it), the extension stores schema + example for the Dashboard and for LLM export. |

Limits (important for LLM prompts): Workers, opaque responses, or traffic that never passes through fetch/XHR in that frame may have empty body/schema fields. The export includes a short promptHint explaining that. Reloading the page and repeating the action often fills gaps.


GraphQL support

RecOwl.me automatically detects GraphQL endpoints (/graphql, /gql) and treats them completely differently from REST routes.

Detection works at two levels:

  • URL path: any request whose pathname ends in /graphql or /gql.
  • Body inspection: JSON bodies containing a query field that starts with query, mutation, subscription, or {.

What gets captured per operation:

  • Operation type (query / mutation / subscription) and name.
  • Variable definitions with GraphQL types ($id: ID!, $limit: Int).
  • Variable examples from real requests.
  • Top-level field selections (e.g. user, settings).
  • Full query text (capped at 8 000 chars).
  • Hit count and first/last seen timestamps per operation.

Since all requests to /graphql share a single pattern, RecOwl tracks each operation separately inside that pattern. The dashboard shows:

  • A GQL badge (pink) in the pattern table, with “Ops: N” instead of param count.
  • A dedicated detail panel with an operations table (sortable by count), expandable rows showing query text, variables, and fields.
  • Copy as cURL per operation (builds a proper POST with Content-Type: application/json body).

Batched GraphQL requests (array of operations in one HTTP call) are also handled. Existing patterns captured before GraphQL support was added are retroactively enriched when the extension loads.
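The two detection levels, per-operation extraction, batching and per-operation tracking described above, as an added example that is not RecOwl.me's own parser. All helper names, the store key format and the sample body are assumptions; top-level field selection is left out.

```javascript
// Added example, not RecOwl.me's parser; helper names are assumptions.
const GQL_PATH = /\/(graphql|gql)$/;
const GQL_START = /^\s*(query|mutation|subscription|\{)/;
const MAX_QUERY_CHARS = 8000; // cap stated in the README

// Parse one { query, variables, operationName } object, or return null.
function parseOperation(op) {
  if (!op || typeof op.query !== "string" || !GQL_START.test(op.query)) return null;
  const text = op.query.trim();
  // Header: optional type, optional name, optional ($var: Type, ...) list.
  const head = /^(query|mutation|subscription)?\s*([A-Za-z_]\w*)?\s*(?:\(([^)]*)\))?/.exec(text);
  const variableDefs = {};
  for (const m of (head[3] || "").matchAll(/\$(\w+)\s*:\s*([\[\]\w!]+)/g)) variableDefs[m[1]] = m[2];
  return {
    type: head[1] || "query", // shorthand "{ ... }" is a query
    name: head[2] || op.operationName || null,
    variableDefs,
    variableExample: op.variables || {},
    query: text.slice(0, MAX_QUERY_CHARS),
  };
}

// URL check plus body inspection; a JSON array is a batched request.
function detectGraphQL(url, bodyText) {
  let body = null;
  try { body = JSON.parse(bodyText); } catch { /* not JSON */ }
  const operations = (Array.isArray(body) ? body : [body]).map(parseOperation).filter(Boolean);
  const pathHit = GQL_PATH.test(new URL(url).pathname);
  if (!pathHit && operations.length === 0) return null;
  return { batched: Array.isArray(body), operations };
}

// Track each operation separately inside the one /graphql pattern.
function recordOperations(store, detected, now) {
  for (const op of detected.operations) {
    const key = `${op.type} ${op.name || "(anonymous)"}`;
    const entry = store.get(key) || { ...op, count: 0, firstSeen: now };
    entry.count += 1;
    entry.lastSeen = now;
    store.set(key, entry);
  }
  return store;
}

// Constructed batched body: one named mutation, one shorthand query.
const SAMPLE_BATCH = JSON.stringify([
  { query: "mutation Rename($id: ID!, $name: String) { rename(id: $id, name: $name) { id } }", variables: { id: "42", name: "a" } },
  { query: "{ settings { theme } }" },
]);
```

Body inspection matters because the batched sample is recognised even when posted to a path that does not end in /graphql or /gql, while a REST body such as `{"query":"shoes"}` is not.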

The LLM export includes graphqlOperations for GraphQL endpoints with operation type, name, variable definitions, field selections, and query text.


Security alerts

Built-in regex patterns scan request URLs and bodies for potentially sensitive data (API keys, tokens, credentials, PII). Results appear in an Alerts modal with severity badges and match snippets.

  • Manage patterns: a dedicated tab lets you enable/disable built-in patterns and create custom ones (regex, category, severity).
  • Disabled patterns are excluded from alert results, stats, and the badge count.
  • Alerts are tracked per domain and endpoint for easy triage.
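The alert behaviour described above (regex, category, severity, enable/disable, per-domain and per-endpoint tracking), as an added example that is not RecOwl.me's code or its built-in pattern list. The three patterns, the capture shape and the `redact` helper for masking samples before they are shared are assumptions made for illustration.

```javascript
// Added example: illustrative patterns, not RecOwl.me's built-in list.
const PATTERNS = [
  { id: "aws-key-id", category: "credential", severity: "high", enabled: true,
    regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "jwt", category: "token", severity: "high", enabled: true,
    regex: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g },
  { id: "email", category: "pii", severity: "low", enabled: false, // switched off
    regex: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
];

// Constructed captures with placeholder secrets; the shape is an assumption.
const CAPTURES = [
  { method: "GET", url: "https://api.example.test/v1/files?key=AKIAIOSFODNN7EXAMPLE", body: "" },
  { method: "POST", url: "https://api.example.test/v1/login",
    body: '{"email":"alice@example.test","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"}' },
];

// Scan URL and body with enabled patterns; tag hits by domain + endpoint.
function scanCaptures(captures, patterns) {
  const alerts = [];
  for (const cap of captures) {
    const { host, pathname } = new URL(cap.url);
    for (const p of patterns.filter((x) => x.enabled)) {
      for (const [where, text] of [["url", cap.url], ["body", cap.body || ""]]) {
        for (const m of text.matchAll(p.regex)) {
          alerts.push({ domain: host, endpoint: `${cap.method} ${pathname}`, where,
            pattern: p.id, severity: p.severity, snippet: m[0].slice(0, 8) + "..." });
        }
      }
    }
  }
  return alerts;
}

// Badge count per severity; disabled patterns never reach this point.
function badgeCounts(alerts) {
  const counts = {};
  for (const a of alerts) counts[a.severity] = (counts[a.severity] || 0) + 1;
  return counts;
}

// Mask matches of every pattern, enabled or not, before sharing a sample.
function redact(text, patterns) {
  return patterns.reduce((out, p) => out.replace(p.regex, `[REDACTED:${p.id}]`), text);
}
```

Storing a truncated snippet instead of the full match keeps the alert store itself from becoming a second copy of the secret.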

Dashboard features (beyond LLM export)

  • Browse by page (referrer context) or flat by domain.
  • Search / filter endpoints; optional “new in 24h” filter.
  • Detail panel: query params, headers seen, request/response sections, Burp raw request copy.
  • Copy formats: cURL (with body and query params), fetch snippet, raw HTTP request, URL.
  • Exports: CSV, JSON, URL templates, domain scope list.
  • Settings: host blocklist, out-of-scope rules (ads, pixels, etc.), ignore static asset URLs (.js, images, .svg, fonts, …) to reduce clutter—toggle off if you want those routes recorded.
  • Notifications when new patterns appear (optional).

Requirements

  • Google Chrome (or another Chromium browser) with Manifest V3 support and chrome.webRequest (and related APIs) available.

Install (unpacked)

  1. Clone this repository.
  2. Open chrome://extensions.
  3. Enable Developer mode → Load unpacked.
  4. Select the folder that contains manifest.json.

Tests

npm test

Uses Node’s built-in test runner (node --test). No runtime npm dependencies for the extension itself.


Project layout

| Path | Role |
| --- | --- |
| background/ | Service worker: correlation, change detection, IndexedDB, settings |
| content/ | Isolated bridge + main-world hook for fetch / XHR (includes inline GraphQL detection) |
| dashboard/ | Options UI, pattern table, detail panels (REST + GraphQL), alerts, LLM export |
| popup/ | Quick view for the current tab |
| shared/ | URL/normalization, GraphQL parser, regex alert patterns, value heuristics, static-asset detection |
| storage/ | IndexedDB access, alert hit storage, param pattern hits |
| icons/ | Toolbar icons and brand SVG |

Privacy

RecOwl.me requests host_permissions: <all_urls> and observes network activity according to your blocklist and out-of-scope rules. Data stays on your machine (extension storage / IndexedDB). Review manifest.json before installing. Do not paste sensitive production payloads into an LLM without redacting secrets.


Author

João Costa · Jhounx


License

No license file is provided in this repository; default copyright applies. Contact the author for commercial use or redistribution.

About

RecOwl.me — passive browser recon Chrome extension
