HttpBee – Web Application Hacking Toolkit

Outsmart Malicious Hackers


HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embedded with scriptable engine and has both command-line and daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework).

This is a tool for more advanced users and there isn’t much documentation so if anyone feels like writing a more comprehensive guide or tutorial, please do so!

Installing

You will need lua 5.1.x. Grab it at http://www.lua.org/ftp/

You will also need pcre library.

There’s no ./configure script in HttpBee at the moment, so you will need to change Makefile directly before you build it. Look into CXXFLAGS and CFLAGS section. -DOS_X (or -DLINUX, or -DWINDOWS is basically a setting for your platform, plus, ajust the pathes).

Using

The folder ‘modules’ contains lua plugins that HttpBee uses to perform its assessment tasks. You can run HttpBee as ./httpbee -s path/to/modules/script.lua -t 255 -h localhost (specifying different number of parallel threads impacts performance)

Scripting

The way HttpBee’s scripting engine is implemented is relevant to HttpBee architecture itself. HttpBee maintains a pool of threads that it uses for parallel task execution. Therefore execution of HttpBee scripts is not linear. Instead, there are certain functions which are executed at certain steps of scanning process. The global scripting part is executed when the script is initially “scanned”, so HttpBee can pick up tags, description and other data from your script. init function will be executed only when your script is picked up and scheduled for execution (based on tags selection for example).

You can download HttpBee here:

httpbee-1.0rc1.tgz

Or read more here.

Posted in: Hacking Tools, Web Hacking

, , , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


4 Responses to HttpBee – Web Application Hacking Toolkit

  1. dre October 25, 2007 at 1:04 am #

    i wonder how this compares to w3af or wfuzz. with the release of technika 1.3, the portswigger book (and new burp features) – i am really going back to my roots with these types of webapp vulnerability assessment tools. now i can remove greasemonkey and start using technika for everything internal to the browser… and use burp for anything that should be external

    i also really like how cenzic hailstorm supports modification of its internals with javascript, as well as supporting xpath for configuration of custom crawls (like squish, selenium, and pmd do). combined with fortifysoftware tracer and immunitysec’s sql hooker (plus possibly jdbc spy, filemon, and similar tools) – you can really do web application full-knowledge assessments almost better than doing code review

  2. fazed October 30, 2007 at 5:37 pm #

    I worked on a whole web attack kit
    for a while, then the police came and
    seized my computer and disks and are in
    the process of whiping the hard drive,
    lets hope they dont discover the disconnected
    mini-hard drive inside the computer I use to make
    backups onto.. I’ll release it soon if they don’t..

  3. Sandeep Nain October 31, 2007 at 1:36 am #

    @fazed, its sad that police took away your machine.

    Also, if you don’t want your hidden HDD to be found out, i don’t think its a good idea to declare about your HDD on public forums.

  4. Kartoos July 9, 2008 at 9:28 am #

    Sandeep, you are dumb. One can post anything in this profile with all fake details.