A powerful Chrome extension for performing reconnaissance on Flutter Web applications.
Flutter Recon automatically detects Flutter-powered websites, scans publicly accessible resources, analyzes source maps, fingerprints third-party packages, and provides a detailed breakdown of the technologies used within a Flutter Web application.
Designed for developers, security researchers, bug bounty hunters, and learners who want deeper visibility into Flutter Web deployments.
Detect Flutter applications using multiple indicators:
main.dart.jsflutter.jsflutter_bootstrap.jsflutter_service_worker.js- CanvasKit artifacts
- Flutter DOM elements
- Flutter runtime signatures
The extension continuously monitors pages and confirms Flutter presence using multiple detection signals.
Automatically identifies Flutter and Dart packages from publicly exposed assets.
Current fingerprint database includes detection for:
- Firebase
- Riverpod
- GetX
- Dio
- Hive
- Supabase
- Sentry
- OneSignal
- Bloc
- Provider
- Go Router
- Shared Preferences
- HTTP
- Cached Network Image
- Image Picker
- Google Fonts
- URL Launcher
- Intl
- Path Provider
- Lottie
- Animations
- Sqflite
- Connectivity Plus
- Permission Handler
- Flutter SVG
- Freezed
- Json Serializable
- RxDart
- Drift
Each package includes:
- Confidence score
- Detection signatures
- Source location
- Direct Pub.dev package link
Automatically discovers and analyzes:
*.map
sourceMappingURL
main.dart.js.map
Capabilities:
- Extract Dart package references
- Identify Flutter dependencies
- Detect framework usage
- Recover publicly exposed metadata
Scans Flutter resources including:
AssetManifest.json
flutter_service_worker.js
main.dart.js
Extracts useful information from publicly accessible assets and build artifacts.
Collects and categorizes:
- JavaScript resources
- Source maps
- Flutter assets
- Service worker files
- Runtime resources
Useful for understanding Flutter application structure.
To improve accuracy, Flutter Recon automatically ignores:
- Google Analytics
- Google Tag Manager
- DoubleClick
- Facebook tracking
- Twitter tracking
- Hotjar
- Segment
- Cookie consent frameworks
- Other unrelated third-party scripts
Only Flutter-relevant resources are scanned.
Built-in debugging interface with categorized events:
| Event | Description |
|---|---|
| INIT | Initialization |
| FLUTTER | Flutter detection |
| SCAN | Resource scanning |
| MAP | Source map processing |
| ASSET | Asset discovery |
| PKG | Package detection |
| HOOK | Runtime hooks |
| SKIP | Ignored resources |
| ERR | Errors |
| INFO | General information |
Provides real-time visibility into extension activity.
Each detected package receives a confidence score based on:
- Number of matches
- Signature quality
- Detection source
- Multiple verification signals
This reduces false positives and improves accuracy.
The extension badge updates automatically:
| Badge | Meaning |
|---|---|
| … | Scanning in progress |
| Number | Packages detected |
| ✓ | Flutter detected with no additional packages |
| Empty | Not a Flutter application |
Receive notifications when:
- Flutter Web is detected
- Package scanning begins
- Recon results become available
git clone https://github.com/Sheth007/Flutter-Recon.git- Open Chrome
- Navigate to:
chrome://extensions
- Enable Developer Mode
- Click Load Unpacked
- Select the repository folder
The extension is now installed.
-
Open any website.
-
Click the Flutter Recon icon.
-
Wait for scanning to complete.
-
Review:
- Flutter status
- Detected packages
- Confidence scores
- Asset information
- Source map discoveries
- Debug logs
Flutter Recon
│
├── manifest.json
├── background.js
├── content.js
├── inject.js
│
├── popup/
│ ├── popup.html
│ ├── popup.css
│ └── popup.js
│
├── assets/
│ └── AssetManifest.json
│
└── icons/
Primary reconnaissance engine.
Responsible for:
- Flutter detection
- Resource collection
- Package fingerprinting
- Source map analysis
- Asset scanning
Bridge between webpage and extension.
Responsible for:
- Receiving scan results
- Storing data
- Updating popup state
Background service worker.
Responsible for:
- Notifications
- Badge management
- Tab handling
- Extension lifecycle events
User interface logic.
Responsible for:
- Displaying results
- Rendering package cards
- Debug console
- Theme management
- Understand Flutter deployments
- Verify production builds
- Inspect package usage
- Analyze exposed resources
- Discover source maps
- Enumerate Flutter dependencies
- Identify technology stack
- Discover information leakage
- Analyze client-side exposure
- Learn Flutter Web internals
- Explore build structures
- Study package ecosystems
Flutter Recon can only analyze resources that are publicly accessible from the browser.
It cannot:
- Access server-side code
- Bypass authentication
- Retrieve hidden resources
- Decompile protected backends
Planned improvements:
- Flutter version detection
- State-management identification improvements
- Export results as JSON
- Scan history
- Package statistics
- Dark/Light theme enhancements
- Additional Flutter package fingerprints
- Advanced source map analysis
This project is intended for:
- Education
- Research
- Development
- Authorized security testing
Always obtain proper authorization before analyzing applications you do not own.
If you find Flutter Recon useful, consider giving the repository a ⭐.