HttpBee – Web Application Hacking Toolkit


HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embedded with scriptable engine and has both command-line and daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework).

This is a tool for more advanced users and there isn’t much documentation so if anyone feels like writing a more comprehensive guide or tutorial, please do so!

Installing

You will need lua 5.1.x. Grab it at http://www.lua.org/ftp/

You will also need pcre library.

There’s no ./configure script in HttpBee at the moment, so you will need to change Makefile directly before you build it. Look into CXXFLAGS and CFLAGS section. -DOS_X (or -DLINUX, or -DWINDOWS is basically a setting for your platform, plus, ajust the pathes).

Using

The folder ‘modules’ contains lua plugins that HttpBee uses to perform its assessment tasks. You can run HttpBee as ./httpbee -s path/to/modules/script.lua -t 255 -h localhost (specifying different number of parallel threads impacts performance)

Scripting

The way HttpBee’s scripting engine is implemented is relevant to HttpBee architecture itself. HttpBee maintains a pool of threads that it uses for parallel task execution. Therefore execution of HttpBee scripts is not linear. Instead, there are certain functions which are executed at certain steps of scanning process. The global scripting part is executed when the script is initially “scanned”, so HttpBee can pick up tags, description and other data from your script. init function will be executed only when your script is picked up and scheduled for execution (based on tags selection for example).

You can download HttpBee here:

httpbee-1.0rc1.tgz

Or read more here.

Posted in: Hacking Tools, Web Hacking

, , , ,


Latest Posts:


BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place.
DeepSound - Audio Steganography Tool DeepSound – Audio Steganography Tool
DeepSound is an audio steganography tool and audio converter that hides secret data into audio files, the application also enables you to extract from files.
2019 High Severity Vulnerabilities What are the MOST Critical Web Vulnerabilities in 2019?
So what is wild on the web this year? Need to know about the most critical web vulnerabilities in 2019 to protect your organization?
GoBuster - Directory/File & DNS Busting Tool in Go GoBuster – Directory/File & DNS Busting Tool in Go
GoBuster is a tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (inc. wildcards) - a directory/file & DNS busting tool.
BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads


4 Responses to HttpBee – Web Application Hacking Toolkit

  1. dre October 25, 2007 at 1:04 am #

    i wonder how this compares to w3af or wfuzz. with the release of technika 1.3, the portswigger book (and new burp features) – i am really going back to my roots with these types of webapp vulnerability assessment tools. now i can remove greasemonkey and start using technika for everything internal to the browser… and use burp for anything that should be external

    i also really like how cenzic hailstorm supports modification of its internals with javascript, as well as supporting xpath for configuration of custom crawls (like squish, selenium, and pmd do). combined with fortifysoftware tracer and immunitysec’s sql hooker (plus possibly jdbc spy, filemon, and similar tools) – you can really do web application full-knowledge assessments almost better than doing code review

  2. fazed October 30, 2007 at 5:37 pm #

    I worked on a whole web attack kit
    for a while, then the police came and
    seized my computer and disks and are in
    the process of whiping the hard drive,
    lets hope they dont discover the disconnected
    mini-hard drive inside the computer I use to make
    backups onto.. I’ll release it soon if they don’t..

  3. Sandeep Nain October 31, 2007 at 1:36 am #

    @fazed, its sad that police took away your machine.

    Also, if you don’t want your hidden HDD to be found out, i don’t think its a good idea to declare about your HDD on public forums.

  4. Kartoos July 9, 2008 at 9:28 am #

    Sandeep, you are dumb. One can post anything in this profile with all fake details.