I kept switching between Chrome DevTools, Burp, and Postman just to:

  • Modify a single request
  • Replay it realistically
  • Compare responses meaningfully

Nothing was wrong with the tools. They just didn't fit together the way my workflow needed.

I looked for something that lived inside the browser, respected context, and stayed out of my way.

I couldn't find it.

So I built Requestal.

The Missing Middle Ground

Most web security tools sit at two extremes:

  • DevTools → realistic, but limited
  • Automation & proxies → powerful, but often detached from real browser behavior

What I needed lived in the middle:

  • Stay inside the browser
  • Preserve authentication and session state
  • Modify requests without breaking formats
  • See only meaningful response differences

This gap is where many real-world bugs are found — especially logic and auth issues.

What Requestal Actually Does

Requestal is a Chrome DevTools side-panel extension designed to support human-driven, exploratory security testing.

It allows you to:

  • Capture live requests directly from the browser
  • Modify headers and bodies with format awareness
  • Replay requests realistically
  • Pin a baseline request and compare responses semantically

It's not an automated fuzzer. It's a precision workflow tool for manual testing.

One Design Rule I Didn't Want to Break

The tool should never lie to the tester.

Requestal enforces this in small but important ways:

  • Keeping Content-Type and request body in sync
  • Preventing invalid request states
  • Warning before copying broken payloads

These details don't look impressive on a feature list — but they remove a lot of false signals during testing.

Comparing Responses Without the Noise

When manually testing, most responses differ in trivial ways:

  • Timestamps
  • Nonces
  • Dynamic IDs

Requestal lets you pin a baseline request and compare future responses against it — while ignoring the noise.

What remains are the differences that actually matter.
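
As an added illustration of the baseline comparison described above (this is not Requestal's code; the masking patterns, placeholder labels, and sample responses are assumptions constructed for the example), a noise-aware diff of two JSON bodies can look like this:

```javascript
// Added example: noise-aware comparison of two JSON response bodies.
// The patterns and placeholder labels are assumptions, not Requestal's rules.
const VOLATILE = [
  [/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/, "<timestamp>"],
  [/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, "<uuid>"],
  [/^[A-Za-z0-9+\/_-]{24,}={0,2}$/, "<token>"], // long opaque strings: nonces, CSRF tokens
];

// Replace a volatile-looking string with a stable placeholder.
function mask(value) {
  if (typeof value !== "string") return value;
  for (const [pattern, label] of VOLATILE) if (pattern.test(value)) return label;
  return value;
}

// Walk both trees and collect the paths whose masked values differ.
function semanticDiff(baseline, candidate, path = "$", out = []) {
  const isObj = (v) => v !== null && typeof v === "object";
  if (isObj(baseline) && isObj(candidate) && Array.isArray(baseline) === Array.isArray(candidate)) {
    const keys = new Set([...Object.keys(baseline), ...Object.keys(candidate)]);
    for (const k of keys) {
      const child = Array.isArray(baseline) ? `${path}[${k}]` : `${path}.${k}`;
      if (!(k in baseline)) out.push({ path: child, change: "added", to: mask(candidate[k]) });
      else if (!(k in candidate)) out.push({ path: child, change: "removed", from: mask(baseline[k]) });
      else semanticDiff(baseline[k], candidate[k], child, out);
    }
  } else {
    const a = mask(baseline), b = mask(candidate);
    if (isObj(a) || isObj(b) || a !== b) out.push({ path, change: "changed", from: a, to: b });
  }
  return out;
}

// Constructed sample responses (not captured from any real application).
const baseline = {
  requestId: "3f2b8c1e-7a4d-4e9b-8c21-5d6f7a8b9c0d",
  serverTime: "2024-05-01T10:15:30Z",
  csrf: "q1W2e3R4t5Y6u7I8o9P0a1S2d3F4g5H6",
  user: { id: 1042, role: "user", email: "a@example.test" },
};
const replayed = {
  requestId: "9a8b7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d",
  serverTime: "2024-05-01T10:16:02Z",
  csrf: "Z9x8C7v6B5n4M3l2K1j0H9g8F7d6S5a4",
  user: { id: 1042, role: "admin", email: "a@example.test", apiKeys: [] },
};

console.log(semanticDiff(baseline, replayed));
```

The request ID, server time, and CSRF token change between the two bodies but are masked out, so only the `role` change and the new `apiKeys` field are reported. A length-based token pattern can also mask a long static string, so the patterns need tuning per application.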

A Small Validation Moment

I recently solved a Burp Web Security Academy lab using Requestal.

Not because it replaced Burp — but because it supported the exact moment where manual reasoning mattered more than automation.

That was enough validation for me to open-source it.

Project Status

Requestal is released as an early public version.

It's intended for:

  • Bug hunters
  • AppSec learners
  • Anyone doing careful, manual API testing

The project is open-source here: 👉 https://github.com/mohmmedalariki/Requestal.git

Feedback is welcome.

Closing

Most tools don't start as products. They start as solutions to personal frustration.

Requestal is one of those tools.