HExHTTP
HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors.
Installation
Follow these steps to install HExHTTP:
- Clone the repository to your local machine:
git clone https://github.com/c0dejump/HExHTTP.git
- Change into the project directory:
cd HExHTTP
- Install the required dependencies:
pip install -r requirements.txt
- Ensure HExHTTP is running correctly:
./hexhttp.py -u 'https://target.tld/' # OR python3 hexhttp.py -u 'https://target.tld/'
Alternatively, install it from PyPI:
pip install hexhttp
For more advanced use, see the Usage section below.
Docker
docker build -t hexhttp:latest .
docker run --rm -it --net=host -v "$PWD:/hexhttp/" hexhttp:latest -u 'https://target.tld/'
Usage
Usage: hexhttp.py [-h] [-u URL] [-f URL_FILE] [-H CUSTOM_HEADER] [-A USER_AGENT] [-F] [-a AUTH] [-b] [-hu HUMANS] [-t THREADS] [-l LOG] [-L LOG_FILE] [-v] [-p CUSTOM_PROXY]

HExHTTP is a tool designed to perform tests on HTTP headers.

options:
  -h, --help            show this help message and exit
  -u, --url URL         URL to test [required]
  -f, --file URL_FILE   File of URLs
  -H, --header CUSTOM_HEADER
                        Add a custom HTTP Header
  -A, --user-agent USER_AGENT
                        Add a custom User Agent
  -F, --full            Display the full HTTP Header
  -a, --auth AUTH       Add an HTTP authentication. Ex: --auth admin:admin
  -b, --behavior        Activates a simplified version of verbose, highlighting interesting cache behaviors
  -hu, --humans HUMANS  Performs a timesleep to reproduce human behavior (Default: 0s) value: 'r' or 'random'
  -t, --threads THREADS
                        Threads numbers for multiple URLs. Default: 10
  -l, --log LOG         Set the logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
  -L, --log-file LOG_FILE
                        The file path pattern for the log file. Default: logs/
  -v, --verbose         Increase verbosity (can be used multiple times)
  -p, --proxy CUSTOM_PROXY
                        Add a custom proxy. Ex: http://127.0.0.1:8080
Arguments
# Scan only one domain
» ./hexhttp.py -u 'https://target.tld/'
# Scan a list of domains with behavior feature
» ./hexhttp.py -b -f domains.lst
# if the application is very sensitive (waf or not)
» ./hexhttp.py -u 'https://target.tld/' -hu r
# Add custom User-Agent
» ./hexhttp.py -u 'https://target.tld/' --user-agent "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/123.0-BugBounty"
# Use a custom Header and authentication
» ./hexhttp.py --header 'Foo: bar' --auth 'user:passwd' -u 'https://target.tld/'
# Loop on domains, grep for vulnerabilities only and send result with notify (from projectdiscovery)
» for domain in $(cat domains.lst); do ./hexhttp.py -u "$domain" | grep -Eio "(INTERESTING|CONFIRMED)(.*)PAYLOAD.?:(.*){5,20}$" | notify -silent; done
Examples
Example on a public target
Example with a confirmed Cache Poisoning vulnerability
You can test this tool on the Web Security Academy's vulnerable labs, like Web cache poisoning with an unkeyed header. The expected result should be the same as below.
Features
- Server Error response checking
- Localhost header response analysis
- Vhosts checking
- Methods response analysis
- HTTP Version analysis [Experimental]
- Cache Poisoning DoS (CPDoS) techniques
- Web cache poisoning
- HTTP type CVE checking
- Cookie Reflection
- CDN/proxies Analysis (Envoy/Apache/Akamai/Nginx) [WIP]
TODO
- Filter False Positive on WAF blocking [WIP]
- Code Linting & Optimization [WIP]
- Parameter Cloaking
- Human scan (rate limiting + timeout randomization) [WIP]: works, but still needs cleanup and linting
- Try with mobile user-agent
- Test bed for regression testing
- Different output formats (e.g. JSON, JSONL, TXT)
Based on
- YWH HTTP Header Exploitation
- Cache Poisoning at Scale
- Abusing HTTP hop-by-hop request headers
- Web Cache Entanglement: Novel Pathways to Poisoning
- Practical Web Cache Poisoning
- Exploiting cache design flaws
- Responsible denial of service with web cache poisoning
- CPDoS.org
- Autopoisoner
- Rachid.A research
Contributing
Pull requests are welcome. Feel free to contribute to this tool and make improvements!
File details
Details for the file hexhttp-1.8.1.tar.gz.
File metadata
- Download URL: hexhttp-1.8.1.tar.gz
- Upload date:
- Size: 4.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 30f0cbc178fe309adf3b9bf05e93e3a3b286e932501c68f00565d33b9dee9821 |
| MD5 | 5345aaab14ac642e6d1116f6d74ad35b |
| BLAKE2b-256 | 0c4c508727f8bc38c8bebff7f32b1dcaaf34dbdffe5b5b037cd00269f06975a8 |
File details
Details for the file hexhttp-1.8.1-py3-none-any.whl.
File metadata
- Download URL: hexhttp-1.8.1-py3-none-any.whl
- Upload date:
- Size: 4.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 071f9c319b247ed2433605750d42dae9f38deaaa7becbcb560012cce47f83c14 |
| MD5 | 84b722a81267269dc1bbc4a9627c01b9 |
| BLAKE2b-256 | 0a4e35d0893f7d7ee14bf9a9f95274a7ba6bcc6762f9e7bca8f4b788cf2fcaa7 |
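Added example, not part of the HExHTTP project: a POSIX shell check that compares downloaded 1.8.1 release files against the SHA256 digests listed in the File hashes tables before installing, which matters here because the files were not uploaded with Trusted Publishing. The function names and the ./dl directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check downloaded hexhttp 1.8.1 files against the SHA256
# digests from the "File hashes" tables on this page.
SDIST_SHA256=30f0cbc178fe309adf3b9bf05e93e3a3b286e932501c68f00565d33b9dee9821
WHEEL_SHA256=071f9c319b247ed2433605750d42dae9f38deaaa7becbcb560012cce47f83c14

# Print the lowercase hex SHA256 of a file (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Map a release file name to its published digest; fail on unknown names.
expected_for() {
    case "$(basename "$1")" in
        hexhttp-1.8.1.tar.gz)            echo "$SDIST_SHA256" ;;
        hexhttp-1.8.1-py3-none-any.whl)  echo "$WHEEL_SHA256" ;;
        *) return 1 ;;
    esac
}

# verify_artifact FILE EXPECTED: 0 on match, 1 on mismatch, 2 if missing.
verify_artifact() {
    [ -f "$1" ] || { echo "MISSING $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] && { echo "OK $1"; return 0; }
    echo "MISMATCH $1 (got $actual)" >&2
    return 1
}

# verify_dir DIR: every hexhttp-* file in DIR must be known and must match;
# an empty directory also fails, so a failed download is not read as success.
verify_dir() {
    found=0
    for f in "$1"/hexhttp-*; do
        [ -f "$f" ] || continue
        found=1
        want=$(expected_for "$f") || { echo "UNKNOWN $f" >&2; return 1; }
        verify_artifact "$f" "$want" || return 1
    done
    [ "$found" -eq 1 ]
}

# Typical use (needs network, so left as a comment; ./dl is an assumed path):
#   pip download --no-deps --dest ./dl hexhttp==1.8.1
#   verify_dir ./dl && pip install --no-deps ./dl/hexhttp-1.8.1-py3-none-any.whl
```

Keep the digests you reviewed in your own repository so that later installs are compared against what you audited rather than against whatever the index serves at that time.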