HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors.
Follow these steps to install HExHTTP:
- Clone the repository to your local machine:
git clone https://github.com/c0dejump/HExHTTP.git
- Change Directory
cd HExHTTP
- Install the required dependencies:
pip install .
- Dev mode:
pip install -e ".[dev]"
- Ensure HExHTTP is running correctly:
./hexhttp.py -u 'https://target.tld/' # OR python3 hexhttp.py -u 'https://target.tld/'
Or install it with pip: pip install hexhttp
For more advanced use, check the Usage section below.
docker build -t hexhttp:latest .
docker run --rm -it --net=host -v "$PWD:/hexhttp/" hexhttp:latest -u 'https://target.tld/'
Prerequisites:
- Burp Suite Community or Professional
- Python 3.x
- Jython (for Burp extensions)
- Download the extension: ./utils/burp_extension_issue.py
- In Burp Suite, go to Extensions > Add
- Select Python as the extension type
- Click Select file and choose burp_extension_issue.py
- Click Next and then Close
- Verify the extension is loaded in the Extensions tab
HExHTTP now supports flexible proxy configuration:
# Send behavior and confirmed findings to Burp (default: 127.0.0.1:8080)
» ./hexhttp.py -u 'https://target.tld/' --burp
# Use custom Burp proxy address
» ./hexhttp.py -u 'https://target.tld/' --burp 192.168.1.100:8080
When using --burp, HExHTTP will automatically create issues in Burp Suite for:
- Behavior findings: Medium severity issues
- Confirmed vulnerabilities: High severity issues
HExHTTP supports flexible proxy configuration for different use cases:
Routes all HTTP requests through the specified proxy server:
# Custom proxy server
» ./hexhttp.py -u 'https://target.tld/' --proxy 10.0.0.1:3128
# Default proxy (127.0.0.1:8080)
» ./hexhttp.py -u 'https://target.tld/' --proxy
Use both options for maximum flexibility:
# Route all traffic through a corporate proxy, but send findings to Burp
» ./hexhttp.py -u 'https://target.tld/' --proxy corporate.proxy:3128 --burp 127.0.0.1:8080
- host:port - e.g., 127.0.0.1:8080
- host - uses default port 8080, e.g., localhost
- http://host:port - full URL format
- https://host:port - HTTPS proxy support
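The proxy formats listed above, together with the optional-value behaviour of --proxy and --burp, can be normalized and validated as in the following added example. It is not HExHTTP's own code: the function names and the use of argparse with nargs="?" are assumptions made for illustration, and schemes other than http/https are rejected so a mistyped proxy cannot silently fall back to a direct connection.

```python
import argparse
from urllib.parse import urlsplit

DEFAULT_PROXY = "127.0.0.1:8080"  # default address stated in the usage text
DEFAULT_PORT = 8080               # port used when only a host is given


def normalize_proxy(spec):
    """Return a canonical scheme://host:port URL for one proxy spec (hypothetical helper)."""
    spec = spec.strip()
    if "://" not in spec:
        spec = "http://" + spec   # bare "host" or "host:port"
    parts = urlsplit(spec)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname or parts.username is not None:
        raise ValueError(f"expected host[:port], got {spec!r}")
    try:
        port = parts.port         # raises ValueError if non-numeric or > 65535
    except ValueError as exc:
        raise ValueError(f"invalid proxy port in {spec!r}") from exc
    if port is None:
        port = DEFAULT_PORT
    if port == 0:
        raise ValueError(f"invalid proxy port in {spec!r}")
    host = parts.hostname
    if ":" in host:
        host = f"[{host}]"        # re-bracket IPv6 literals
    return f"{parts.scheme}://{host}:{port}"


def resolve_routes(argv):
    """Map --proxy / --burp arguments to normalized URLs (None = flag not given)."""
    parser = argparse.ArgumentParser()
    # nargs="?" with const: the flag on its own selects the default address.
    parser.add_argument("-p", "--proxy", nargs="?", const=DEFAULT_PROXY)
    parser.add_argument("--burp", nargs="?", const=DEFAULT_PROXY)
    args = parser.parse_args(argv)
    return {
        name: normalize_proxy(value) if value is not None else None
        for name, value in (("proxy", args.proxy), ("burp", args.burp))
    }


if __name__ == "__main__":
    # Constructed command line: general proxy given explicitly, Burp on its default.
    print(resolve_routes(["--proxy", "corporate.proxy:3128", "--burp"]))
```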
Usage: hexhttp.py [-h] [-u URL] [-f URL_FILE] [-H CUSTOM_HEADER] [-A USER_AGENT] [-a AUTH] [-b] [-hu HUMANS] [-t THREADS] [-l LOG] [-L LOG_FILE] [-v] [-p PROXY] [--burp BURP] [--ocp]
HExHTTP is a tool designed to perform tests on HTTP headers.
options:
-h, --help show this help message and exit
> General:
-u URL, --url URL URL to test [required] if no -f/--file provided
-f URL_FILE, --file URL_FILE
File of URLs
-b, --behavior Activates a simplified version of verbose, highlighting interesting cache behaviors
> Request Settings:
-H CUSTOM_HEADER, --header CUSTOM_HEADER
Add a custom HTTP Header
-A USER_AGENT, --user-agent USER_AGENT
Add a custom User Agent
-a AUTH, --auth AUTH Add an HTTP authentication. Ex: --auth admin:admin
-hu HUMANS, --humans HUMANS
Performs a timesleep to reproduce human behavior (Default: 0s) value: 'r' or 'random'
-t THREADS, --threads THREADS
Threads numbers for multiple URLs. Default: 10
> Log settings:
-l LOG, --log LOG Set the logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
-L LOG_FILE, --log-file LOG_FILE
The file path pattern for the log file. Default: logs/
-v, --verbose Increase verbosity (can be used multiple times)
> Proxy Settings:
-p [PROXY], --proxy [PROXY]
Proxy all requests through this proxy (format: host:port, default: 127.0.0.1:8080)
--burp [BURP] Send behavior and confirmed requests to Burp proxy (format: host:port, default:
127.0.0.1:8080)
> Tips:
--ocp, --only-cp Only cache poisoning modules
# Scan only one domain
» ./hexhttp.py -u 'https://target.tld/'
# Scan a list of domains with behavior feature
» ./hexhttp.py -b -f domains.lst
# if the application is very sensitive (waf or not)
» ./hexhttp.py -u 'https://target.tld/' -hu r
# Add custom User-Agent
» ./hexhttp.py -u 'https://target.tld/' --user-agent "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/123.0-BugBounty"
# Use a custom Header and authentication
» ./hexhttp.py --header 'Foo: bar' -H 'plip: plop' --auth 'user:passwd' -u 'https://target.tld/'
# Proxy all requests through a custom proxy
» ./hexhttp.py -u 'https://target.tld/' --proxy 127.0.0.1:8080
# Send interesting findings to Burp Suite for analysis
» ./hexhttp.py -u 'https://target.tld/' --burp 127.0.0.1:8080
# Use both general proxy and Burp (general traffic through proxy, findings to Burp)
» ./hexhttp.py -u 'https://target.tld/' --proxy 10.0.0.1:3128 --burp 127.0.0.1:8080
# Use default Burp proxy (127.0.0.1:8080)
» ./hexhttp.py -u 'https://target.tld/' --burp
You can test this tool on the Web Security Academy's vulnerable labs, like Web cache poisoning with an unkeyed header. The expected result should be the same as below.
- If the base URL responds with a 403, try uncommenting the relevant lines in hexhttp.py (search for DECOMMENTHIS) and restarting.
- Server Error response checking
- Localhost header response analysis
- Vhosts checking
- Methods response analysis
- HTTP Version & protocol analysis [Experimental]
- Cache Poisoning DoS (CPDoS) techniques
- Web cache poisoning
- HTTP type CVE checking
- Flexible Proxy Support (General proxy + Burp Suite integration)
- CDN/proxies Analysis (Envoy/Apache/Akamai/Nginx) [WIP]
- Human scan (rate limiting + timeout randomization) [WIP] -- works, but needs cleaning, linting, etc.
- Cache poisoning module (autopoisoner) remake
- Filter False Positive on WAF blocking [WIP]
- Parameter Cloaking
- Try with mobile user-agent
- Test bed for regression testing
- Different output formats (e.g., JSON, JSONL, TXT)
- YWH HTTP Header Exploitation
- Cache Poisoning at Scale
- Abusing HTTP hop-by-hop request headers
- Web Cache Entanglement: Novel Pathways to Poisoning
- Practical Web Cache Poisoning
- Exploiting cache design flaws
- Responsible denial of service with web cache poisoning
- CPDoS.org
- Autopoisoner
- Rachid.A research
Pull requests are welcome. Feel free to contribute to this tool and make improvements!