/http-hacker

Primary LanguageJavaMIT LicenseMIT

Introducing HTTP Hacker: Total control over HTTP connections

HTTP Hacker is a powerful Burp extension for advanced interaction with HTTP servers and proxies over persistent TCP/TLS connections. It gives you:

  • Full control over HTTP connections.
  • Complete visibility of HTTP messages, with no automatic parsing.
  • Direct access to request and response queues.

HTTP Hacker also features a visual drag and drop interface and built-in testing framework, making it easier to model complex proxy behavior and explore network interactions.

Sessions

HTTP Hacker organizes your work into sessions. Each session represents a network target, and is used to model and test its behavior over persistent HTTP connections (also known as streams).

Each session includes the following tabs:

  • Stream tabs - Each stream tab represents an independent TCP/TLS connection. Use these to interact with your target domains, such as servers or proxies.

  • Network - Represents the network. Use this to visually model the network structure.


Image 1: Top view of the extensionSession tabs are displayed on the top bar. The lower bar displays the stream tabs and the Network tab.

Stream tabs

Stream tabs enable you to create persistent connections to a domain or IP address. This enables you to interact with HTTP servers or proxies through TCP or TLS sockets.

To send requests from Burp to a stream tab, right-click a request, then select Extensions > HTTP Hacker. You can choose to send the requests to a new session or select an existing session.

Configuring connections

The connection bar shows the connection status, which can be one of the following: Disconnected, Connected, Connecting, or Connection error.

You can configure the following aspects of the connection:

  • Host - The target domain or IP address.
  • Port - The port to connect to on the target server.
  • TLS - Enable this option to use a TLS connection.

You can use the following controls to manage the connection:

  • Connect & Send - If disconnected, start a new connection and send data from the Client request editor.
  • Send - If already connected, send data from the Client request editor.
  • Disconnect - If already connected, end the current connection.
  • Reset connection - Enable this option to reset the connection every time you send data. The reset occurs when new data is sent, not immediately after the previous request. This allows the socket to stay open, so you can continue to receive data from the server.

Viewing and editing HTTP traffic

Each stream tab has multiple HTTP editors for viewing and managing traffic at different stages of the connection.

Client Request

In the Client Request panel, you can add the bytes that will be sent through the socket. It is similar to Burp Repeater's request editor.

It includes features such as:

  • Show non-printable characters
  • Hide headers
  • Pretty / Raw / Hex views

For more information on how to quickly make changes to the request, see Editing HTTP requests using the stream tools.

Request Queue

In the Request Queue panel, you can view all requests sent through the current connection. It functions like an HTTP request queue on a server or proxy, enabling you to review the full byte sequence of all sent requests in this stream.

To hide the Request Queue panel, click the minus button -. To show the panel again, click the add button +.

Response Queue

In the Response Queue panel, you can view all response bytes received over the current connection. It gives you an unprocessed, continuous view of server responses as they are received by the socket. Importantly:

  • No parsing or decoding is applied to responses.
  • Every byte received is appended to the end of the editor.

This behavior distinguishes this editor from the Repeater response view. It enables you to send multiple pipelined HTTP requests and receive multiple responses, without adding extra bytes.

Proxy editors

Proxy editors are only shown when you send proxies from the Network tab to the stream. They enable you to test how the proxy parses request data when connected to your target domain.

Editing HTTP requests using the stream tools

You can quickly view and edit features of the request using the interactive features in the Stream tools side panel. To open the side panel, click Stream tools.

You can use the following controls to quickly view and edit HTTP requests in the Client Request editor:

  • Select data in the Client Request editor to view integer and hexadecimal representations of the number of selected characters. If you only select a single character, the character and hexadecimal value are also shown.
  • Insert Character - Add a sequence of ASCII or hex characters a specified number of times into the request.
  • Insert Header line - Add a control HTTP header into the request.
  • Enable Tags - Enabled by default, this option allows you to use a predefined set of tags. These will be parsed and processed by a template engine before any bytes are sent. You have the following additional options:
    • To add a tag, click Add Custom Tag.
    • To remove tags, click the minus button -.

Tags

You can use tags to dynamically insert custom data into the request. They generally work in combination with data segments, which you define in the request. Once you've defined a segment, you can reference it using tags to insert values such as its length, a repeated string, or the result of a custom function.

Tags can be nested, and are always processed from the innermost to the outermost tag. Note that tags don't modify the actual content of the defined data segment, they only generate values based on it.

Defining data segments

To use tags, you generally need to first define a segment of the request that they can refer to. You do this by marking its start and end using the following syntax:

  • <start_N> - Marks the start of segment N.
  • <end_N> - Marks the end of segment N.

N is an integer ID for the segment. You can use multiple start/end pairs with different IDs in a single request.

Predefined tags

Once you've defined a segment, you can use following predefined tags to generate data based on its content:

  • <int_N> - Insert the number of characters between <start_N> and <end_N> as an integer. This can be useful for setting a Content-Length header automatically.
  • <hex_n> - Insert the number of characters between <start_N> and <end_N> as a hexadecimal string. This can be useful for automatically setting chunk sizes when using chunked transfer encoding.
  • <repeat_N(“string”)> - Insert the specified string a number of times equal to the number of characters between <start_N> and <end_N>. This can be useful for repeating a pattern based on the current parameters.

You can also use the following predefined tag, independent of any start / end tags:

  • <repeat(“string”, amount)> - Insert the specified string a specified number of times. This can be useful for inserting padding for readability.
    • “string” - The string to repeat (enclosed in quotes).
    • amount - The number of repetitions.

Custom tags

You can define custom tags to generate dynamic values based on the segment content. To create a custom tag:

  1. In the Stream tools side panel, click Add custom tag.
  2. Enter a name for your tag.
  3. Click Code. A code editor opens.
  4. Write a JavaScript function that defines the tag's functionality. The function should:
    1. Receive the content between <start_N> and <end_N> as an input.
    2. Return the transformed string as an output.
    3. Replace the <name_N> tag in the request with the output string.

The function output is inserted wherever the custom tag <name_N> appears in the request.

Network

You can use the Network tab to visually model the components of the network structure, including the client and HTTP proxies. You can also model connections between the client and proxies. This enables you to build proxy chains that simulate how HTTP messages pass through real-world systems.

Once you've configured a network, you can export it for future use:

  1. Click on a network component to open the configuration side panel.
  2. Click Export.

To import configurations, open the side panel and click Import.

Client component

The client component represents the connection starting point. It's used to connect proxies and give a logical order to the network.

Proxy components

Proxy components represent HTTP proxies or servers in the network. To create a proxy component, right-click and select Add Proxy.
Alternatively, to load an existing proxy from a file, select Import Proxy.

You can perform the following actions on a proxy component:

  • Delete - Right-click and select Delete to remove the proxy component.
  • Connect - Right-click and select Connect, then click on another proxy or the client. A TCP connection is added.

To delete a connection, right-click the connecting line and select Delete.

Configuring proxy components

To configure a proxy, click the proxy component. A configuration side panel opens. In the side panel, you can customize the following:

  • Domain Name - Enter a name for the proxy.
  • Description - Enter details about the proxy's purpose or usage.
  • HTTP Parser - The HTTP Parser Configuration dialog opens. Use this to specify how HTTP messages are parsed and forwarded by the proxy.
  • Show in streams - View the Parser Simulator in the stream tabs, to test how the proxy parsers behave when connected to your target domain. For more information, see Testing parser configurations.
  • Export Proxy - Save the proxy configuration and details (except forwarding rules) into a JSON file that can be imported in other projects or sessions.

Configuring the HTTP Parser

The HTTP Parser Configuration dialog includes the following tabs that enable you to customize different aspects of the parser behavior:

  • Headers
  • Request Line
  • Message-Length
  • Forwarding Rules
  • Firewall Rules

Each tab includes a JavScript panel that enables you to apply custom transformations after the parsing settings are applied.

To persist changes in any tab, click Save.

Headers

The Headers tab defines how header lines are identified, interpreted, and modified. You can configure the following options:

  • Header Line Endings - Configure patterns to split each header line and detect the end of the header section. Click add button +. to add and the minus button - to remove custom values as needed.

  • Header Folding - Enable or disable folded headers.

  • Delete Header - Specify headers to be removed from the request.

  • Add Header - Specify complete name: value pairs to be added to the request.

Request Line

The Request Line tab defines how the request line (method, URL, and version) is split and optionally rewritten. You can configure the following options:

  • Request Line Delimiters - Define how to split the request line. The default is a space character.
  • Rewriting rules - Rewrite rules to modify the HTTP method, decode or rewrite the URL, or change the HTTP version.

Message-Length
The Message-Length tab controls how the message body length is determined. You can configure the following options:

  • Message-Length Headers - Define which headers determine the message body length. The list order determines which header takes precedence. You can specify the following:

    • Pattern - Content-Length patterns to extract the exact integer payload size, or Transfer-Encoding patterns to trigger chunked encoding.
    • Chunked - Specify whether the presence of the header indicates that the chunked encoding is used.
    • If Duplicate - Specify which header is used if multiple headers are found that match the pattern.

  • Chunk-Line Endings - Define the line delimiters used between chunks when a chunked header is detected.

  • Forwarded Encoding - Specify how to forward the parsed message.

Forwarding Rules

Configure load balancing rules, which determine how to route requests when multiple destinations are available.

Firewall rules

Configure WAF rules, which indicates when to stop a request to emulate firewall detection. A detected request is informed and not forwarded. If the connection is closed when a WAF rule is triggered, the rest of the requests in a pipeline will be dropped.

Testing parser configurations

You can use the parser simulator testing panel to test how a proxy interprets and processes HTTP requests based on the current parser configuration. It helps identify how the proxy splits and parses messages, and flags any parsing errors.

You can view the testing panel and run simulations in three locations, depending on what you want to test:

  • HTTP Parser Configuration dialog - Test the configuration for an individual proxy.
  • Network tab - Test how a proxy behaves when a request is sent through its connection chain.
  • Stream tabs - Test how a proxy behaves when a request is sent through its connection chain in the stream context. To test in the stream tabs:
    1. Select a proxy in the Network panel. The configuration side panel opens.
    2. In the configuration side panel, click Show in streams. The testing panel and configured proxy (with chain context) is added to all stream tabs.

To test a proxy chain in the Network tab or stream tabs, the proxy must be connected to the client. If it's not connected, the test only runs against the individual proxy.

If multiple chains of proxies are connected, the forwarding rules that you specified in the HTTP Parser Configuration dialog determine the path.

Using the testing panel

Each testing panel contains the following:

  • Client Request / Sample Request - This panel enables you to add any HTTP request string. It can be a single request or multiple requests.
  • Parsed Request - This panel shows the parsed request. If multiple requests are entered, each is displayed in the list.

To run a simulation:

  1. Enter any HTTP request string into the Client Request editor.
  2. Click Test.

The input is parsed as a string, even if it's not a valid HTTP request. Any errors are displayed with a tag detailing the issue.

Network Discovery (experimental)

This experimental feature enables you to automatically detect and configure the proxies that process and forward a specific HTTP request. This can help you map out a real-world network path. It is particularly useful for analyzing unknown or third-party systems where proxy behavior is not directly observable.

To automatically detect proxies for a specific HTTP request:

  1. Click Discover Network at the top of the Network tab. The Site Map Domains and Requests dialog opens.
  2. Select a target domain, then a specific request that you want to detect proxies for.
  3. Click Detect Proxy Chain.

A chain of proxies is detected and automatically added to the Network tab. This may take a few minutes. Where possible, each proxy is pre-configured with the inferred HTTP parser settings.

Discovery process

Burp sends multiple variations of the selected request to probe the target endpoint, then detects error responses. It analyzes and clusters the responses to:

  • Detects the presence of HTTP parsers at different points in the chain.
  • Group responses into distinct proxies based on timing and behavioral characteristics.
  • Attempt to identify parser behavior, configuration details, and vendor fingerprints.

Please note that this feature is experimental and may be unreliable in some environments. Results should be interpreted with care.