19 October 2007 | 15,217 views

HttpBee – Web Application Hacking Toolkit

Check For Vulnerabilities with Acunetix

HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embedded with scriptable engine and has both command-line and daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework).

This is a tool for more advanced users and there isn’t much documentation so if anyone feels like writing a more comprehensive guide or tutorial, please do so!

Installing

You will need lua 5.1.x. Grab it at http://www.lua.org/ftp/

You will also need pcre library.

There’s no ./configure script in HttpBee at the moment, so you will need to change Makefile directly before you build it. Look into CXXFLAGS and CFLAGS section. -DOS_X (or -DLINUX, or -DWINDOWS is basically a setting for your platform, plus, ajust the pathes).

Using

The folder ‘modules’ contains lua plugins that HttpBee uses to perform its assessment tasks. You can run HttpBee as ./httpbee -s path/to/modules/script.lua -t 255 -h localhost (specifying different number of parallel threads impacts performance)

Scripting

The way HttpBee’s scripting engine is implemented is relevant to HttpBee architecture itself. HttpBee maintains a pool of threads that it uses for parallel task execution. Therefore execution of HttpBee scripts is not linear. Instead, there are certain functions which are executed at certain steps of scanning process. The global scripting part is executed when the script is initially “scanned”, so HttpBee can pick up tags, description and other data from your script. init function will be executed only when your script is picked up and scheduled for execution (based on tags selection for example).

You can download HttpBee here:

httpbee-1.0rc1.tgz

Or read more here.



Recent in Hacking Tools:
- iSniff-GPS – Passive Wifi Sniffing Tool With Location Data
- masscan – The Fastest TCP Port Scanner
- drozer – The Leading Security Testing Framework For Android

Related Posts:
- OSWA Assistant – Wireless Hacking & Auditing LiveCD Toolkit
- Microsoft Enhanced Mitigation Evaluation Toolkit (EMET) 3rd Party GUI
- Acunetix Vulnerability Scanner 9.5 Released

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,870,666 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,061,646 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 625,337 views

Low-cost VPS Hosting

5 Responses to “HttpBee – Web Application Hacking Toolkit”

  1. dre 25 October 2007 at 1:04 am Permalink

    i wonder how this compares to w3af or wfuzz. with the release of technika 1.3, the portswigger book (and new burp features) – i am really going back to my roots with these types of webapp vulnerability assessment tools. now i can remove greasemonkey and start using technika for everything internal to the browser… and use burp for anything that should be external

    i also really like how cenzic hailstorm supports modification of its internals with javascript, as well as supporting xpath for configuration of custom crawls (like squish, selenium, and pmd do). combined with fortifysoftware tracer and immunitysec’s sql hooker (plus possibly jdbc spy, filemon, and similar tools) – you can really do web application full-knowledge assessments almost better than doing code review

  2. fazed 30 October 2007 at 5:37 pm Permalink

    I worked on a whole web attack kit
    for a while, then the police came and
    seized my computer and disks and are in
    the process of whiping the hard drive,
    lets hope they dont discover the disconnected
    mini-hard drive inside the computer I use to make
    backups onto.. I’ll release it soon if they don’t..

  3. Sandeep Nain 31 October 2007 at 1:36 am Permalink

    @fazed, its sad that police took away your machine.

    Also, if you don’t want your hidden HDD to be found out, i don’t think its a good idea to declare about your HDD on public forums.

  4. Kartoos 9 July 2008 at 9:28 am Permalink

    Sandeep, you are dumb. One can post anything in this profile with all fake details.