HttpBee – Web Application Hacking Toolkit


HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embedded with scriptable engine and has both command-line and daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework).

This is a tool for more advanced users and there isn’t much documentation so if anyone feels like writing a more comprehensive guide or tutorial, please do so!

Installing

You will need lua 5.1.x. Grab it at http://www.lua.org/ftp/

You will also need pcre library.

There’s no ./configure script in HttpBee at the moment, so you will need to change Makefile directly before you build it. Look into CXXFLAGS and CFLAGS section. -DOS_X (or -DLINUX, or -DWINDOWS is basically a setting for your platform, plus, ajust the pathes).

Using

The folder ‘modules’ contains lua plugins that HttpBee uses to perform its assessment tasks. You can run HttpBee as ./httpbee -s path/to/modules/script.lua -t 255 -h localhost (specifying different number of parallel threads impacts performance)

Scripting

The way HttpBee’s scripting engine is implemented is relevant to HttpBee architecture itself. HttpBee maintains a pool of threads that it uses for parallel task execution. Therefore execution of HttpBee scripts is not linear. Instead, there are certain functions which are executed at certain steps of scanning process. The global scripting part is executed when the script is initially “scanned”, so HttpBee can pick up tags, description and other data from your script. init function will be executed only when your script is picked up and scheduled for execution (based on tags selection for example).

You can download HttpBee here:

httpbee-1.0rc1.tgz

Or read more here.

Posted in: Hacking Tools, Web Hacking

, , , ,


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


4 Responses to HttpBee – Web Application Hacking Toolkit

  1. dre October 25, 2007 at 1:04 am #

    i wonder how this compares to w3af or wfuzz. with the release of technika 1.3, the portswigger book (and new burp features) – i am really going back to my roots with these types of webapp vulnerability assessment tools. now i can remove greasemonkey and start using technika for everything internal to the browser… and use burp for anything that should be external

    i also really like how cenzic hailstorm supports modification of its internals with javascript, as well as supporting xpath for configuration of custom crawls (like squish, selenium, and pmd do). combined with fortifysoftware tracer and immunitysec’s sql hooker (plus possibly jdbc spy, filemon, and similar tools) – you can really do web application full-knowledge assessments almost better than doing code review

  2. fazed October 30, 2007 at 5:37 pm #

    I worked on a whole web attack kit
    for a while, then the police came and
    seized my computer and disks and are in
    the process of whiping the hard drive,
    lets hope they dont discover the disconnected
    mini-hard drive inside the computer I use to make
    backups onto.. I’ll release it soon if they don’t..

  3. Sandeep Nain October 31, 2007 at 1:36 am #

    @fazed, its sad that police took away your machine.

    Also, if you don’t want your hidden HDD to be found out, i don’t think its a good idea to declare about your HDD on public forums.

  4. Kartoos July 9, 2008 at 9:28 am #

    Sandeep, you are dumb. One can post anything in this profile with all fake details.