⚠️ Warning: This tool is currently unstable and under active development. Features may change without notice, and unexpected behavior may occur. Use at your own risk in production environments.
Repl makes it easy to customize and replay API collections from Postman to BurpSuite, ZAP, and any other proxy tool during API security assessments.
```sh
curl -fsSL https://raw.githubusercontent.com/darmado/repl/refs/heads/main/install.sh | sh
```

- Launch your proxy tool (Burp Suite, ZAP, etc.)
- Export your Postman collection (use Collection Format v2.1) and save it from Postman as a JSON file
- Run repl with your collection:

```sh
# Extract variables from the collection to a template file
python repl.py --collection your_collection.json --extract-keys variables.json
# Edit the variables.json file to add your values
# Execute the collection through your proxy
python repl.py --collection your_collection.json --insertion-point variables.json --proxy 127.0.0.1 8080
```

- Analyze the results in your proxy tool
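The extract-then-insert step above, as an added illustration that is not repl's own code: it walks a constructed Postman v2.1 collection for `{{placeholders}}` (what `--extract-keys` produces a template for) and substitutes values with a per-variable encoding (what `--insertion-point` plus `--encode-payloads` apply). The insertion-point file shape `{"name": {"value": ..., "encoding": ...}}` is an assumption, not repl's actual format.

```python
import base64
import re
from urllib.parse import quote

# Constructed sample: a minimal Postman Collection v2.1 export with {{placeholders}} in a folder.
SAMPLE_COLLECTION = {
    "info": {"name": "demo", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [{"name": "Users", "item": [{"name": "Get user", "request": {
        "method": "GET",
        "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
        "url": {"raw": "{{base_url}}/users/{{user_id}}"},
    }}]}],
}
PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}")

# Encodings mirror the README's --encode-* options, applied per variable at insertion time.
ENCODERS = {
    "none": lambda s: s,
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "url": lambda s: quote(s, safe=""),
    "hex": lambda s: s.encode().hex(),
}

def iter_requests(items):
    """Walk the v2.1 item tree (folders nest under 'item') and yield every request dict."""
    for it in items:
        if "request" in it:
            yield it["request"]
        yield from iter_requests(it.get("item", []))

def extract_keys(collection):
    """Build a template {name: ""} for every distinct {{placeholder}} in URL, headers and body."""
    keys = {}
    for req in iter_requests(collection["item"]):
        url = req.get("url", "")  # v2.1 allows a plain string or an object with 'raw'
        texts = [url if isinstance(url, str) else url.get("raw", "")]
        texts += [h.get("value", "") for h in req.get("header", [])]
        texts.append(req.get("body", {}).get("raw", ""))
        for text in texts:
            for name in PLACEHOLDER.findall(text):
                keys.setdefault(name, "")
    return keys

def render(text, insertion_point):
    """Substitute {{name}} from {"name": {"value": ..., "encoding": ...}} (assumed file shape)."""
    def sub(m):
        entry = insertion_point.get(m.group(1))
        if entry is None:
            return m.group(0)  # keep unknown placeholders visible instead of silently sending ""
        return ENCODERS[entry.get("encoding", "none")](entry["value"])
    return PLACEHOLDER.sub(sub, text)
```

Leaving an unfilled placeholder as literal `{{name}}` makes a missing value obvious in the proxy history, which is easier to spot than an empty header or path segment.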
Category | Argument | Description |
---|---|---|
Collection Management | --collection [FILE] | Specify Postman collection file. If no file provided, shows a selection menu. |
| --import | Import collection and create directory structure in 'collections' folder. |
| --extract-structure | Extract collection to a directory structure. |
Variables & Configuration | --extract-keys [FILE] | Extract variables from collection. If no file provided, prints to console. |
| --insertion-point FILE | Insert values into API request variables from specified file. |
Encoding | --encode-base64 [VALUE] | Encode input as base64. If no value provided, prompts for input. |
| --encode-url [VALUE] | URL-encode input. If no value provided, prompts for input. |
| --encode-hex [VALUE] | Encode input as hex. If no value provided, prompts for input. |
| --encode-payloads | Encode variables in an insertion point file using methods specified in the file. |
Request Execution | --request-id ID | Replay a specific request by its ID. Use with --collection. |
| --proxy HOST PORT | Specify proxy server for requests (e.g., 127.0.0.1 8080). |
| --header, -H HEADER | Add custom header to requests. Format: 'Name: Value'. Can be used multiple times. |
Authentication | --auth [PROFILE] | Load saved authentication profile. If no profile provided, shows a selection menu. |
| --auth-basic USERNAME PASSWORD | Use HTTP Basic Authentication. |
| --auth-bearer TOKEN | Use Bearer Token Authentication. |
| --auth-apikey KEY VALUE IN | Use API Key Authentication. IN must be 'header' or 'query'. |
Analysis | --list [TYPE] | List available configurations. Types: collections, variables, insertion-points, results, auth. |
| --show TYPE NAME | Show details of a specific configuration. Example: --show auth basic/myauth |
| --search [QUERY] | Search logs for requests and responses. Example: --search "status:200" |
| --collection-filter COLLECTION | Filter search results to a specific collection. |
| --folder-filter FOLDER | Filter search results to a specific folder within a collection. |
General | --banner | Display the tool banner. |
| --verbose, -v | Enable verbose output for debugging. |
| --version | Show program version and exit. |
For detailed usage instructions, see the Wiki.
Limitation | Description | Workaround |
---|---|---|
File Uploads | Limited support for multipart/form-data file uploads | Use base64-encoded content for simple file uploads |
WebSocket | No support for WebSocket connections | Use dedicated WebSocket testing tools |
GraphQL | Basic support for GraphQL queries | Structure GraphQL queries as regular POST requests |
OAuth Flows | Limited support for complex OAuth flows | Use pre-generated tokens when possible |
Dynamic Scripts | No support for Postman pre-request and test scripts | Prepare requests with necessary values beforehand |
Documentation is available in the Wiki:
Documentation | Description |
---|---|
Overview | High-level understanding of Repl |
Installation | How to install and set up the tool |
Usage | Basic operations and commands |
Use Cases | Detailed examples for specific scenarios |
Additional Features | Extended features and techniques |
Configuration | Configuration options and settings |
Troubleshooting | Solutions for common issues |
Function Map | Overview of all functions and their roles |
Variable Encoding | Guide to encoding variables for security testing |
Contributions are welcome! Here's how you can contribute:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Contribution Area | Guidelines |
---|---|
Bug Reports | • Clear description of the bug • Steps to reproduce • Expected behavior • Screenshots (if applicable) • Environment details |
Feature Requests | • The problem your feature would solve • How your solution would work • Any alternatives you've considered |
- API Security Testing - Burp Suite
- Burp Suite Postman Integration
- Postman CLI Collection Runner
- Python Request Authentication Guide
- Awesome API Clients Directory
This project is licensed under the Apache License 2.0.