Hetty: The Open‑Source HTTP Toolkit Challenging Burp Suite Pro in Modern Web Security Research + Video


Introduction:

Hetty is a purpose‑built HTTP toolkit for security research that implements a machine‑in‑the‑middle (MITM) proxy, an HTTP client, and a web‑based admin interface to intercept, inspect, and manipulate HTTP/HTTPS traffic. Designed as a free and open‑source alternative to commercial solutions like Burp Suite Pro, it empowers infosec professionals, bug bounty hunters, and penetration testers with modern features such as built‑in GraphQL support, intelligent scoping, and SQLite‑based project storage.

Learning Objectives:

  • Install and configure Hetty on Linux, Windows, and macOS using package managers, Docker, or standalone binaries.
  • Intercept, edit, and replay HTTP requests/responses to test for common web vulnerabilities.
  • Leverage Hetty’s advanced logging, search, and GraphQL analysis features for efficient security assessments.

You Should Know:

1. Deploying Hetty: Cross‑Platform Installation and Initial Setup

Hetty is distributed as a single binary, making deployment straightforward across operating systems. The fastest method is via package managers, but you can also use Docker or compile from source.

Linux (Snap):

sudo snap install hetty

macOS (Homebrew):

brew install hettysoft/tap/hetty

Windows (Scoop):

scoop bucket add hettysoft https://github.com/hettysoft/scoop-bucket.git
scoop install hettysoft/hetty

Docker (any platform):

docker run -v $HOME/.hetty:/root/.hetty -p 8080:8080 ghcr.io/dstotijn/hetty:latest

After installation, verify that the binary is available:

hetty --version

Start the tool with default settings:

hetty

On first run, Hetty automatically creates a root CA certificate and a SQLite database in `~/.hetty/` and listens on 0.0.0.0:8080 (that is, on every network interface; use `--addr` to bind a specific address when working on a shared network). To launch a pre‑configured Chrome instance (bypassing manual proxy setup), use:

hetty --chrome

This command opens Chrome with the correct proxy settings and ignores certificate errors, giving you an immediate testing environment.

2. Configuring the MITM Proxy and Intercepting Traffic

Hetty acts as a man‑in‑the‑middle proxy that logs all HTTP/HTTPS traffic. To begin intercepting requests:

  1. Configure your browser to route traffic through localhost:8080. Recommended approach: use a browser extension such as FoxyProxy (Firefox) or Proxy SwitchyOmega (Chrome) with `http://localhost:8080` as the proxy URL.

  2. Open the admin interface at `http://localhost:8080` and create a new project. Click “Manage Projects” → “New project”, give it a name, and open it.

  3. Enable request interception for the active project: in the vertical menu bar, click the folder icon → Projects → cog icon (next to your project) → Intercept tab → toggle “Enable request interception” on.

  4. Browse a website while the proxy is active. Hetty will display a badge on the intercept icon every time a request matches the interception rules. Click the badge, review the request, modify any part (URL, headers, body), and then choose Send to forward it to the target or Cancel to drop it.

  5. Capture HTTPS traffic by installing Hetty’s root CA certificate. The CA files are stored in ~/.hetty/. In the admin interface, navigate to “Settings” → “CA Certificate” and follow the instructions to add it to your browser’s trust store.

3. Replaying and Manipulating Requests with the HTTP Client

The built‑in Sender module allows you to manually edit and replay any intercepted request, which is essential for testing input validation, authorisation bypasses, and other vulnerabilities.

Steps to replay a request:

  1. In the Proxy logs, locate a request you wish to test.
  2. Click the copy icon next to the log entry. This sends the request to the Sender module.
  3. Switch to the Sender tab (paper plane icon). There you can modify the HTTP method, URL, headers, and body.
  4. Click Send to issue the modified request. The response appears immediately for inspection.

Example: modify a User‑Agent header to test server‑side behaviour

Original request:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 ...

After editing in Sender:

GET / HTTP/1.1
Host: example.com
User-Agent: CustomTestAgent/1.0

Then click Send. Observe whether the server responds differently (e.g., serves a mobile version or an error page). This technique helps uncover logic flaws and insecure direct object references (IDOR).

4. Scoping, Logging, and Advanced Search

As your testing grows, traffic can become overwhelming. Hetty provides scope and advanced search to keep work organised.

Define a scope:

  • In the project settings, go to the “Scope” tab.
  • Add rules by domain, path, or request type (e.g., api.target.com).
  • Only requests matching the scope will be logged and intercepted, reducing noise.

Logging and searching:

All proxied requests are stored in the SQLite database. The admin interface offers a powerful search bar that supports fields like url, method, status, host, and body. For example:
– `url contains "/admin"` – find all requests to admin paths.
– `status >= 400` – quickly locate server errors or access violations.
– `method == "POST" and host contains "api"` – drill into API POST calls.
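The same filter syntax is handy when triaging exported logs offline. The following evaluator is an added example (not Hetty's own code): it applies expressions in the form shown above to constructed log records whose field names are assumed to mirror the search bar's.

```python
import re

# Constructed proxy-log records; field names are assumed to match the
# search bar (url, method, status, host, body). Hetty's real export schema
# is not shown on this page.
SAMPLE_LOGS = [
    {"method": "GET", "host": "app.target.com", "url": "/admin/users", "status": 403, "body": ""},
    {"method": "POST", "host": "api.target.com", "url": "/v1/login", "status": 200, "body": "user=x"},
    {"method": "POST", "host": "api.target.com", "url": "/v1/orders", "status": 500, "body": "{}"},
    {"method": "GET", "host": "cdn.other.com", "url": "/static/app.js", "status": 200, "body": ""},
]

# One clause: <field> <operator> <"quoted value" | bare value>
_CLAUSE = re.compile(r'^\s*(\w+)\s+(contains|==|!=|>=|<=|>|<)\s+(?:"([^"]*)"|(\S+))\s*$')


def _eval_clause(clause, rec):
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"bad clause: {clause!r}")
    field, op, quoted, bare = m.groups()
    rhs = quoted if quoted is not None else bare
    lhs = rec[field]
    if op == "contains":
        return rhs in str(lhs)
    if isinstance(lhs, int):          # numeric field: compare as numbers
        rhs = int(rhs)
    return {"==": lhs == rhs, "!=": lhs != rhs, ">=": lhs >= rhs,
            "<=": lhs <= rhs, ">": lhs > rhs, "<": lhs < rhs}[op]


def matches(expr, rec):
    """Evaluate an expression against one record; 'and' binds tighter than 'or'."""
    return any(all(_eval_clause(c, rec) for c in re.split(r"\s+and\s+", alt))
               for alt in re.split(r"\s+or\s+", expr))


def search(expr, logs=SAMPLE_LOGS):
    """Return the records matching a search expression."""
    return [r for r in logs if matches(expr, r)]


if __name__ == "__main__":
    for hit in search('status >= 400 or url contains "/admin"'):
        print(hit["method"], hit["host"], hit["url"], hit["status"])
```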

You can also export logs for further analysis or integration with other tools. To store traffic to a custom directory when starting Hetty:

hetty --addr :8080 --log-dir ./traffic_logs

This creates a separate file for each HTTP interaction, facilitating later review or parsing with scripts.

5. Testing GraphQL APIs and Modern Web Frameworks

Modern applications often expose GraphQL endpoints, which require specialised testing techniques. Hetty includes dedicated GraphQL support, such as query analysis, mutation testing, and schema introspection.

Use Hetty to test a GraphQL endpoint:

  1. Set your browser or API client to use Hetty’s proxy (localhost:8080).
  2. Interact with the GraphQL application normally.
  3. In the Proxy logs, filter for requests to `/graphql` (or the endpoint path).
  4. Copy a legitimate query to the Sender, then modify it to probe for vulnerabilities:

– Introspection – try `{__schema{types{name}}}` to discover the API schema.
– Deep recursion – craft a nested query that consumes excessive resources.
– Batch requests – send multiple queries in one HTTP call to test for batching attacks.

Hetty’s ability to intercept and edit GraphQL payloads in real time makes it a valuable asset for API security assessments, especially when combined with its scope filtering to concentrate only on GraphQL endpoints.
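When reviewing the GraphQL bodies Hetty has logged, it helps to flag the three patterns listed above automatically. This triage routine is an added example, not part of Hetty; the request bodies are constructed, and the JSON shapes (a `query` key, or a list of such objects for batches) are assumed.

```python
import json
import re

# Constructed GraphQL request bodies as they might appear in the proxy log.
SAMPLE_BODIES = [
    '{"query": "{ user(id: 1) { name email } }"}',
    '{"query": "{__schema{types{name}}}"}',
    '[{"query": "{ a { b } }"}, {"query": "{ c { d { e { f { g } } } } }"}]',
]

# __schema / __type requests reveal the schema; __typename is benign and excluded by \b.
_INTROSPECTION = re.compile(r"__(schema|type)\b")


def query_depth(query: str) -> int:
    """Maximum selection-set nesting, counting braces outside string literals."""
    depth = best = 0
    in_string = escaped = False
    for ch in query:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            best = max(best, depth)
        elif ch == "}":
            depth -= 1
    return best


def triage(body: str, max_depth: int = 5) -> dict:
    """Report batching, introspection and nesting depth for one logged body."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    queries = [op.get("query", "") for op in ops]
    deepest = max((query_depth(q) for q in queries), default=0)
    return {
        "batched": isinstance(payload, list),
        "operations": len(ops),
        "introspection": any(_INTROSPECTION.search(q) for q in queries),
        "max_depth": deepest,
        "too_deep": deepest > max_depth,
    }


def triage_all(bodies=SAMPLE_BODIES, max_depth=5):
    return [triage(b, max_depth) for b in bodies]
```

Lower `max_depth` to match the server's own limit so the report mirrors what the target should reject.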

6. Automating Security Tests by Chaining Hetty with Other Tools

While Hetty excels at manual testing, it can also serve as a logging and forwarding proxy for automated security scanners. For instance, you can route traffic from sqlmap through Hetty to analyse SQL injection attempts:

sqlmap -u "http://target.com/login.php?user=admin" --proxy=http://127.0.0.1:8080

All sqlmap requests will appear in Hetty’s logs, allowing you to see exactly what payloads were sent and how the server responded. Similarly, you can integrate Nikto or custom fuzzing scripts to benefit from Hetty’s search and export capabilities.

For continuous monitoring, run Hetty with verbose logging enabled:

hetty --verbose --json

This outputs logs in JSON format, ready for ingestion by tools like Elasticsearch or Splunk for longer‑term analysis.

7. Mitigating Common Pitfalls: Certificate Errors and Scope Leakage

Two frequent issues when using MITM proxies are certificate trust errors and accidentally capturing out‑of‑scope traffic.

Certificate errors:

  • On Linux: copy the CA certificate (~/.hetty/hetty_cert.pem) to `/usr/local/share/ca-certificates/` with a `.crt` extension (update-ca-certificates only picks up `.crt` files) and run `sudo update-ca-certificates`.
  • On Windows: import the certificate into the “Trusted Root Certification Authorities” store.
  • Use `hetty --chrome` to launch a dedicated Chrome instance that ignores certificate errors, but reserve it for authorised testing environments and never use it for production browsing.

Scope leakage:

Always set a tight scope before starting any engagement. If you forget, Hetty may log requests to unrelated domains (e.g., your search engine queries). To clean up, you can delete project‑specific records by removing the database file (~/.hetty/hetty.db) or by creating a new project with proper filters.

Example: secure project setup

hetty --db /secure/path/project1.db --addr :9090 --verbose

Using a dedicated database and a non‑default port helps prevent mixing data from different tests and reduces accidental exposure.

What Undercode Say:

  • Open‑source empowerment: Hetty delivers Burp‑class MITM proxying and request manipulation without licensing costs, democratising web security testing for independent researchers and small teams.
  • Modern by design: Native GraphQL support and a clean web UI make Hetty a future‑ready toolkit, yet it remains fully functional for traditional HTTP/HTTPS assessments.
  • Active community: With nearly 10,000 stars on GitHub and an active Discord, Hetty is continuously improved, incorporating feedback from the infosec community.

Prediction:

As more development moves toward GraphQL‑driven, single‑page applications and API‑first architectures, tools like Hetty that natively handle these modern constructs will become indispensable. Within two years, we can expect Hetty to incorporate built‑in fuzzing engines and AI‑assisted vulnerability discovery, directly competing with commercial solutions. Its lean, container‑friendly design also positions it as a preferred component in continuous security pipelines (DevSecOps), where lightweight, scriptable proxies can validate every API deployment.

Reported By: 0xfrost Hetty – Hackers Feeds