After months of pentesting bug bounty targets and wading through messy network traffic in Chrome DevTools, I got tired of losing track of in-scope endpoints, manually copying URLs, and scrolling through hundreds of requests to find what matters. So I built HARScope — a free, open-source HAR file viewer designed specifically for pentesters and security researchers.
Today, I'm excited to share it with the world.
Try it now: harscope.vercel.app
GitHub: github.com/neoparker10/harscope
What is HARScope?
HARScope is a web-based HAR file analyzer that runs entirely in your browser. It lets you upload .har files (HTTP Archive logs exported from browser DevTools) and instantly:
- Filter by scope — Separate in-scope requests (your target + subdomains) from external third-party noise
- Search everything — URLs, headers, query params — all searchable in real-time
- Copy URLs with one click — Single-click any row to auto-copy the full URL
- Export filtered results — Get a clean .txt file of all visible URLs based on your active filters
- Inspect requests in detail — View request/response headers, body (JSON pretty-printed), timings, and params
Built for Bug Bounty Hunters
When testing a target like example.com, you want to focus only on requests going to example.com, api.example.com, admin.example.com, etc. — not Google Analytics, CDN scripts, or ad trackers.
HARScope's In-Scope filter does exactly that. Enter your target domain, click "In-Scope", and you instantly see only the requests that matter. Everything else is one click away under "External" if you need it.
Why I Built This
The Problem
Every pentester knows the workflow:
- Open DevTools Network tab
- Browse the target (logged in, logged out, profile page, checkout flow, etc.)
- Export as HAR
- Now what?
Most HAR viewers either:
- Upload your file to their servers (unacceptable for sensitive bug bounty targets)
- Show everything with no scope filtering (you drown in noise)
- Cost money or require sign-ups
I needed something privacy-first, scope-aware, and free.
The Solution
HARScope runs 100% in your browser. When you drop a HAR file, it's read using the browser's native FileReader API and parsed entirely in local memory. Nothing is uploaded. There's no backend, no database, no server logs. You can use it completely offline after the page loads.
This makes it safe for:
- Private bug bounty programs
- Internal pentests
- Client engagements with strict NDAs
- Any sensitive target where you can't risk leaking network traffic
Key Features
In-Scope / External Filtering
Type your target domain (e.g., theperfumeshop.com) and use the scope chips to instantly filter:
- In-Scope (green) — Requests to theperfumeshop.com and all subdomains like api.theperfumeshop.com
- External (amber) — Third-party requests like Google, Cloudflare, analytics, etc.
This is a game-changer when you're hunting for hidden API endpoints or trying to map out a target's attack surface.
One-Click URL Copy
Click any row in the table and the full URL is instantly copied to your clipboard. No need to open the detail panel, highlight text, or right-click. One click, copied.
Deep Search
Search across:
- Full URLs
- Request headers (find all requests with Authorization: Bearer ...)
- Response headers
- Query parameters
All filters stack — combine type filters (XHR, JS, CSS) + scope filters + search to drill down to exactly what you need.
Smart URL Export
Click "Export URLs" and get a plain-text list of only the currently visible URLs based on your active filters. For example:
- Filter: XHR / Fetch + In-Scope + Search: "api"
- Export → Get a clean .txt file with only in-scope XHR requests containing "api"
Perfect for:
- Feeding URLs into fuzzing tools
- Building wordlists
- Documenting endpoints for reports
Type Filters
Filter by request type:
- XHR / Fetch — API calls
- JS — JavaScript files
- CSS — Stylesheets
- Img — Images
- Media — Video/audio
- Font — Web fonts
- Doc — HTML documents
- Other — Everything else
- Errors — Failed requests (4xx, 5xx)
Full URL Display
The main table shows the complete URL — not just the path. The domain is color-coded (green for in-scope, amber for external, cyan if no target is set), and the path is visible at a glance. No more hovering to see what domain a request went to.
Request Inspector
Click any row to open the detail panel with tabs for:
- Overview — Status, method, size, time, domain, protocol
- Request Headers — All request headers
- Response Headers — All response headers
- Body — Request/response body (JSON is pretty-printed automatically)
- Params — Query parameters and POST data
How to Use HARScope
Step 1: Capture a HAR File
- Open Chrome/Firefox DevTools (F12)
- Go to the Network tab
- Browse the target site (log in, navigate pages, trigger actions)
- Right-click any request → Save all as HAR with content
Step 2: Drop it into HARScope
Go to harscope.vercel.app and drag-drop your .har file. It parses instantly.
Step 3: Set Your Target
Type your target domain (e.g., bugcrowd.com) in the "Target" input field.
Step 4: Filter & Explore
- Click In-Scope to see only requests to your target
- Use Type filters to narrow by XHR, JS, etc.
- Search for specific endpoints, headers, or params
- Click any row to copy its URL
- Open the detail panel to inspect headers and body
Step 5: Export URLs
Click Export URLs to get a .txt file of all visible URLs based on your current filters. Copy to clipboard or download.
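The logic behind Steps 3 to 5, as an added example that is not HARScope's own code: it classifies each HAR entry by hostname (exact match or subdomain, so a lookalike such as notexample.com stays external), stacks the type and search filters, and returns the URLs that would be exported. The helper names (inScope, searchable, exportUrls) and the sample capture are constructed for illustration; _resourceType is the field Chrome DevTools adds to exported entries and may be absent in HAR files from other tools.

```javascript
// Hypothetical helpers for this added example (not HARScope's source).
// True when host is the target itself or one of its subdomains.
// Matching on "." + target keeps "notexample.com" out of scope for "example.com".
function inScope(host, target) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop FQDN trailing dot
  const t = target.trim().toLowerCase().replace(/^\*?\./, "").replace(/\.$/, "");
  return t !== "" && (h === t || h.endsWith("." + t));
}

// Searchable text for one entry: URL, request/response headers, query params.
function searchable(entry) {
  const req = entry.request, res = entry.response || {};
  const pairs = [...(req.headers || []), ...(res.headers || []), ...(req.queryString || [])];
  return [req.url, ...pairs.map((p) => `${p.name}: ${p.value}`)].join("\n").toLowerCase();
}

// Stack scope + type + search filters and return the URLs still visible.
// scope: "in" | "external" | "all"; types: array of resource types or null.
function exportUrls(har, { target = "", scope = "all", types = null, search = "" }) {
  const out = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; } // unparsable URL
    const isIn = inScope(host, target);
    if (scope === "in" && !isIn) continue;
    if (scope === "external" && isIn) continue;
    // _resourceType is the field Chrome DevTools writes ("xhr", "fetch", "script", ...).
    if (types && !types.includes(entry._resourceType)) continue;
    if (search && !searchable(entry).includes(search.toLowerCase())) continue;
    out.push(entry.request.url);
  }
  return out;
}

// Constructed sample capture (not real traffic).
const mk = (url, type, headers = []) => ({
  _resourceType: type,
  request: { method: "GET", url, headers, queryString: [] },
  response: { status: 200, headers: [] },
});
const sampleHar = { log: { entries: [
  mk("https://api.example.com/v1/users?id=7", "xhr", [{ name: "Authorization", value: "Bearer <token>" }]),
  mk("https://example.com/static/app.js", "script"),
  mk("https://notexample.com/api/collect", "xhr"),
  mk("https://www.google-analytics.com/g/collect", "fetch"),
  mk("https://admin.example.com./api/health", "fetch"),
] } };
console.log(exportUrls(sampleHar, { target: "example.com", scope: "in", types: ["xhr", "fetch"], search: "api" }).join("\n"));
```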
Tech Stack
HARScope is built with:
- React — Component-based UI
- React Router — Client-side routing
- CSS Modules — Scoped styling
- Vercel — Free hosting with global CDN
Zero dependencies beyond React and Router. No tracking, no analytics, no third-party scripts that can see your data.
Fonts:
- JetBrains Mono — Code and data
- Syne — Headings
Privacy & Security
Your Files Never Leave Your Browser
HARScope has no backend server. When you drop a HAR file:
- Your browser reads it using the FileReader API
- The JSON is parsed in local memory
- All filtering, searching, and rendering happens client-side
Nothing is uploaded. Nothing is stored. Nothing is logged.
You can verify this yourself:
- Open DevTools → Network tab while using HARScope
- Drop a HAR file
- Watch the Network tab — you'll see zero outgoing requests related to your file
This makes HARScope safe for:
- Bug bounty programs with strict rules about data sharing
- Pentests on internal applications
- Client work under NDAs
- Any sensitive target where privacy is critical
Open Source
The entire codebase is on GitHub: github.com/neoparker10/harscope
If you're paranoid (and you should be), you can:
- Clone the repo
- Run npm install && npm start
- Use it locally at localhost:3000 — completely offline
FAQ
Q: Are my HAR files uploaded to a server?
A: No. HARScope is 100% client-side. Your HAR file is read by your browser and never leaves your device.
Q: Can I use this offline?
A: Yes. After the page loads once, you can use it completely offline (or run it locally with npm start).
Q: What browsers are supported?
A: Chrome, Firefox, Edge, Safari, and any modern browser with JavaScript enabled.
Q: Is this free?
A: Yes, completely free forever. No account, no sign-up, no rate limits.
Q: Can I self-host it?
A: Absolutely. Clone the repo, run npm run build, and serve the /build folder anywhere — GitHub Pages, Netlify, your own server, etc.
Q: What's the difference between this and Chrome DevTools?
A: DevTools is great for live debugging, but HARScope is built for post-capture analysis. You can filter by scope, export URLs, search across all requests at once, and work with multiple HAR files side-by-side. It's designed for pentesting workflows, not debugging JavaScript.
Try It Now
Live app: harscope.codewithneo.com

