HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors.
Follow these steps to install HExHTTP:
- Clone the repository to your local machine:
git clone https://github.com/c0dejump/HExHTTP.git
- Change Directory
cd HExHTTP - Install the required dependencies:
pip install -r requirements.txt
- Ensure HExHTTP is running correctly:
./hexhttp.py -u 'https://target.tld/' # OR python3 hexhttp.py -u 'https://target.tld/'
For More Advanced use, Check Usage section below.
docker build -t hexhttp:latest .
docker run --rm -it --net=host -v "$PWD:/hexhttp/" hexhttp:latest -u 'https://target.tld/'Usage: hexhttp.py [-h] [-u URL] [-f URL_FILE] [-H CUSTOM_HEADER] [-A USER_AGENT] [-F] [-a AUTH] [-b] [-hu HUMANS] [-t THREADS] [-l LOG] [-L LOG_FILE] [-v] [-p CUSTOM_PROXY]
HExHTTP is a tool designed to perform tests on HTTP headers.
options:
-h, --help show this help message and exit
-u, --url URL URL to test [required]
-f, --file URL_FILE File of URLs
-H, --header CUSTOM_HEADER
Add a custom HTTP Header
-A, --user-agent USER_AGENT
Add a custom User Agent
-F, --full Display the full HTTP Header
-a, --auth AUTH Add an HTTP authentication. Ex: --auth admin:admin
-b, --behavior Activates a simplified version of verbose, highlighting interesting cache behaviors
-hu, --humans HUMANS Performs a timesleep to reproduce human behavior (Default: 0s) value: 'r' or 'random'
-t, --threads THREADS
Threads numbers for multiple URLs. Default: 10
-l, --log LOG Set the logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
-L, --log-file LOG_FILE
The file path pattern for the log file. Default: logs/
-v, --verbose Increase verbosity (can be used multiple times)
-p, --proxy CUSTOM_PROXY
Add a custom proxy. Ex: http://127.0.0.1:8080 [In Progress]
# Scan only one domain
» ./hexhttp.py -u 'https://target.tld/'
# Scan a list of domains with behavior feature
» ./hexhttp.py -b -f domains.lst
# if the application is very sensitive (waf or not)
» ./hexhttp.py -u 'https://target.tld/' -hu r
# Add custom User-Agent
» ./hexhttp.py -u 'https://target.tld/' --user-agent "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/123.0-BugBounty"
# Use a custom Header and authentication
» ./hexhttp.py --header 'Foo: bar' --auth 'user:passwd' -u 'https://target.tld/'
# Loop on domains, grep for vulnerabilities only and send result with notify (from projectdiscovery)
» for domain in $(cat domains.lst); do ./hexhttp.py -u "$domain" | grep -Eio "(INTERESTING|CONFIRMED)(.*)PAYLOAD.?:(.*){5,20}$" | notify -silent; done
You can test this tool on the Web Security Academy's vulnerable labs, like Web cache poisoning with an unkeyed header. The expected result should be the same as below.
- Server Error response checking
- Localhost header response analysis
- Vhosts checking
- Methods response analysis
- HTTP Version analysis [Experimental]
- Cache Poisoning DoS (CPDoS) techniques
- Web cache poisoning
- Range poisoning/error (416 response error) [Experimental]
- Cookie Reflection
- CDN/proxies Analysis (Envoy/Apache/Akamai/Nginx) [IP]
- Add proxy feature [WIP]
- Filter False Positive on WAF blocking [WIP]
- Code Linting & Optimization [WIP]
- Human scan (rate limiting + timeout randomization ) [WIP] -- works but cleaning, linting etc...
- Parameter Cloacking
- Try with mobile user-agent
- Tests Bed for regression testing
- Pypi package (src/ layout + tests/ + tox)
- Different Output formats (eg, JSON, JSONL, TXT)
- YWH HTTP Header Exploitation
- Cache Poisoning at Scale
- abusing http hop-by-hop request headers
- Web Cache Entanglement: Novel Pathways to Poisoning
- Practical Web Cache Poisoning
- Exploiting cache design flaws
- Responsible denial of service with web cache poisoning
- CPDoS.org
- Autopoisoner
- Rachid.A research
Pull requests are welcome. Feel free to contribute to this tool and make improvements!