ReqEye is a CLI assistant for HTTP request analysis, designed to help security researchers, bug bounty hunters, and pentesters identify high‑value entry points worth manual testing.
It does not scan targets, send traffic, or claim vulnerabilities. ReqEye focuses on where to look, not on making assumptions.
ReqEye does not find bugs. It finds places where bugs are likely to exist.
Modern web vulnerabilities — especially IDOR, auth bypasses, and logic flaws — are highly context‑dependent. Fully automated scanners fail at this.
ReqEye acts as a thinking assistant:
- It analyzes raw HTTP requests
- Detects security‑relevant patterns
- Highlights attack surfaces and entry points
- Suggests manual tests a human should try
No noise. No blind scanning. No false authority.
- Parse raw HTTP requests (Burp / DevTools style)
- Classify endpoints by risk and purpose
- Identify high‑value entry points (IDOR, auth, roles, state changes)
- Detect security‑relevant indicators without overclaiming
- Generate offline mutated requests for manual testing
- Compare HTTP responses to spot behavioral changes
- Produce clean, terminal‑friendly reports
- ❌ Not an automated vulnerability scanner
- ❌ Not a fuzzer that sends traffic
- ❌ Not a replacement for Burp, manual analysis, or brain usage
ReqEye is meant to be used before or during manual testing to prioritize effort.
ReqEye is written in pure Python.
git clone https://github.com/urdev4ever/reqeye.git
cd reqeye
python reqeye.py
On Windows systems, ReqEye will optionally use colorama for proper ANSI color support.
If colorama is not installed, colors are automatically disabled.
pip install colorama
This dependency is optional.
python reqeye.py --help
python reqeye.py parse request.txt
Parses and displays:
- Method
- Path
- Headers
- Query parameters
- Body parameters
python reqeye.py analyze request.txt
Outputs:
- Endpoint classification
- Risk score
- Identified entry points
- Security indicators
- Manual testing recommendations
The following results are from an authorized request (thx Mercado Libre)
python reqeye.py mutate request.txt
Creates modified versions of the request for:
- IDOR testing
- Auth bypass attempts
- Role / privilege manipulation
- State and logic testing
These requests are not sent — they are meant to be copied into Burp or similar tools.
python reqeye.py diff response1.txt response2.txt
Highlights:
- Status code changes
- Significant length differences
- Structural changes
Useful for detecting behavior changes after manual tampering.
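The three comparisons listed above (status code, significant length difference, structural change) are shown here as an added example that is not ReqEye's own code. The function names, the 20% length threshold and the sample responses are assumptions constructed for illustration.

```python
import json

def parse_response(raw):
    """Split a raw HTTP response into (status code, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status = int(head.split("\n")[0].split()[1])   # "HTTP/1.1 200 OK" -> 200
    return status, body

def json_paths(value, prefix=""):
    """Return the set of key paths in a JSON value, ignoring the values."""
    paths = set()
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            paths.add(path)
            paths |= json_paths(child, path)
    elif isinstance(value, list):
        for child in value:
            paths |= json_paths(child, prefix + "[]")
    return paths

def diff_responses(raw_a, raw_b, length_ratio=0.2):
    """Report status, length and structural differences between two responses."""
    status_a, body_a = parse_response(raw_a)
    status_b, body_b = parse_response(raw_b)
    findings = {}
    if status_a != status_b:
        findings["status"] = (status_a, status_b)
    longest = max(len(body_a), len(body_b), 1)
    if abs(len(body_a) - len(body_b)) / longest > length_ratio:
        findings["length"] = (len(body_a), len(body_b))
    try:
        keys_a, keys_b = json_paths(json.loads(body_a)), json_paths(json.loads(body_b))
        if keys_a != keys_b:
            findings["structure"] = {"removed": sorted(keys_a - keys_b), "added": sorted(keys_b - keys_a)}
    except ValueError:
        pass  # non-JSON bodies: status and length checks only
    return findings

# Constructed sample responses (assumed for this example, not real traffic).
BASELINE = 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"id": 7, "name": "a", "items": [{"sku": 1}]}'
TAMPERED = 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"id": 8, "name": "b", "email": "x@example.test", "items": [{"sku": 2}]}'
DENIED = 'HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n\r\n{"error": "forbidden"}'

if __name__ == "__main__":
    print(diff_responses(BASELINE, TAMPERED))
    print(diff_responses(BASELINE, DENIED))
```

Comparing key paths rather than values keeps the structural check quiet when only per-record data changes, so an unexpected extra field stands out.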
python reqeye.py report request.txt
Produces a concise report including:
- Endpoint summary
- Entry points found
- Risk evaluation
- Testing checklist
ReqEye assigns a heuristic risk score (0–100) based on:
- Endpoint sensitivity
- Presence of entry points
- Authorization context
- Parameter control indicators
The score is meant for prioritization, not proof.
ReqEye intentionally avoids statements like:
- "This endpoint is vulnerable"
- "Critical security flaw found"
Instead, it uses wording such as:
- "High‑risk entry point"
- "Manual verification recommended"
- "Security‑relevant indicator"
This makes it safe and appropriate for bug bounty workflows. (No fluff, no BS)
- Capture a request (Burp / DevTools)
- Run reqeye analyze
- Review entry points and recommendations
- Use reqeye mutate for test variants
- Manually test using Burp or similar tools
- Compare responses if needed
- Bug bounty hunting
- Manual web pentesting
- API security reviews
- Learning web vulnerability logic
ReqEye is a research assistance tool.
You are responsible for:
- Staying within scope
- Following program rules
- Validating all findings manually
This tool exists to help humans focus where it matters most.
ReqEye is built around a simple idea:
Good bugs are found by humans — not scanners.
Made with <3 by URDev
