HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embedded with scriptable engine and has both command-line and daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework).
This is a tool for more advanced users and there isn’t much documentation so if anyone feels like writing a more comprehensive guide or tutorial, please do so!
Installing
You will need lua 5.1.x. Grab it at http://www.lua.org/ftp/
You will also need pcre library.
There’s no ./configure script in HttpBee at the moment, so you will need to change Makefile directly before you build it. Look into CXXFLAGS and CFLAGS section. -DOS_X (or -DLINUX, or -DWINDOWS is basically a setting for your platform, plus, ajust the pathes).
Using
The folder ‘modules’ contains lua plugins that HttpBee uses to perform its assessment tasks. You can run HttpBee as ./httpbee -s path/to/modules/script.lua -t 255 -h localhost (specifying different number of parallel threads impacts performance)
Scripting
The way HttpBee’s scripting engine is implemented is relevant to HttpBee architecture itself. HttpBee maintains a pool of threads that it uses for parallel task execution. Therefore execution of HttpBee scripts is not linear. Instead, there are certain functions which are executed at certain steps of scanning process. The global scripting part is executed when the script is initially “scanned”, so HttpBee can pick up tags, description and other data from your script. init function will be executed only when your script is picked up and scheduled for execution (based on tags selection for example).
You can download HttpBee here:
Or read more here.
dre says
i wonder how this compares to w3af or wfuzz. with the release of technika 1.3, the portswigger book (and new burp features) – i am really going back to my roots with these types of webapp vulnerability assessment tools. now i can remove greasemonkey and start using technika for everything internal to the browser… and use burp for anything that should be external
i also really like how cenzic hailstorm supports modification of its internals with javascript, as well as supporting xpath for configuration of custom crawls (like squish, selenium, and pmd do). combined with fortifysoftware tracer and immunitysec’s sql hooker (plus possibly jdbc spy, filemon, and similar tools) – you can really do web application full-knowledge assessments almost better than doing code review
fazed says
I worked on a whole web attack kit
for a while, then the police came and
seized my computer and disks and are in
the process of whiping the hard drive,
lets hope they dont discover the disconnected
mini-hard drive inside the computer I use to make
backups onto.. I’ll release it soon if they don’t..
Sandeep Nain says
@fazed, its sad that police took away your machine.
Also, if you don’t want your hidden HDD to be found out, i don’t think its a good idea to declare about your HDD on public forums.
Kartoos says
Sandeep, you are dumb. One can post anything in this profile with all fake details.