repplus/rep-chrome

Burp Repeater without the JVM tax bill

A Chrome DevTools extension that captures, replays, and AI-analyzes HTTP requests without proxy setup or CA certificates.

1.6k stars · JavaScript · Coding Assistants · Other AI
Velocity (7d): +8.0 ★/day · Trend: steady

What it does

rep+ lives inside Chrome DevTools and does what Burp Suite’s Repeater does: capture HTTP traffic, let you edit and resend requests, and compare responses. No proxy configuration, no certificate installation. It adds bulk replay modes (Sniper, Battering Ram, Pitchfork, Cluster Bomb), a screenshot editor for redacting request/response pairs, and exports to curl/Python/Postman.

The interesting bit

The AI integration is unusually practical. It streams explanations and attack suggestions from Claude, Gemini, or local Ollama models, can modify requests directly in the editor, and maintains per-request chat history with cross-referencing between requests. Token budgets are managed explicitly: responses truncate at ~1,500 tokens, history compresses older messages, and the system conditionally includes response history only when relevant.

Key highlights

  • Passive reconnaissance from JavaScript: secret scanner (Kingfisher rules, offline), endpoint extractor, and parameter discovery with risk classification
  • Four bulk attack modes with position marking via § and response diffing
  • Seven themes including a terminal-green aesthetic for those who miss CRT glow
  • Multi-provider LLM support with local model option (requires CORS workaround for Ollama)

Caveats

  • Secret scanning only analyzes JavaScript from the currently inspected tab, not all captured traffic
  • Local model setup requires manually allowing Chrome extensions to bypass CORS, or you hit 403 errors
  • The README notes “Limitations” as a section but truncates before detailing them

Verdict

Bug bounty hunters and web app testers who find Burp’s startup time annoying should try this. If you need full proxy interception, active scanning, or collaborative workspace features, stay with the heavy tools.
