Introducing Hetty: The Open-Source HTTP Toolkit Revolutionizing Security Research

In the ever-evolving landscape of cybersecurity, having the right tools can make the difference between uncovering critical vulnerabilities and leaving your systems exposed. Enter Hetty—an open-source HTTP toolkit designed specifically for security researchers, penetration testers, and bug bounty hunters. With features rivaling commercial giants like Burp Suite Pro, Hetty is quickly becoming a go-to solution for professionals seeking flexibility, power, and transparency. In this comprehensive guide, we’ll explore everything you need to know about Hetty, from its standout features to advanced usage tips, and why it deserves a spot in your security toolkit.


Why Hetty? The Rise of Open-Source Security Tools

The Need for Accessible Security Research Tools

Security research demands precision, adaptability, and the ability to dissect web traffic at scale. While proprietary tools like Burp Suite Pro dominate the market, their licensing costs and closed-source nature can limit accessibility. Hetty bridges this gap by offering a free, open-source alternative with a focus on community-driven development. Whether you're probing APIs for vulnerabilities or analyzing HTTP traffic, Hetty empowers you with enterprise-grade capabilities without the price tag.

Key Features That Set Hetty Apart

Hetty isn’t just another proxy tool—it’s a full-fledged HTTP toolkit tailored for modern security challenges. Here’s what makes it stand out:

  1. Machine-in-the-Middle (MITM) HTTP Proxy
    Intercept, log, and analyze HTTP/HTTPS traffic with ease. Hetty’s proxy supports advanced search and filtering, making it simple to isolate critical requests.
  2. Request/Response Interception & Modification
    Pause and manipulate traffic mid-flow. Edit headers, bodies, or even cancel requests to test application resilience.
  3. Scope Management
    Organize your workflow with project-specific scopes, ensuring focused testing and clutter-free logs.
  4. Built-In HTTP Client
    Craft custom requests or replay captured traffic directly from the intuitive web interface.
  5. Database-Backed Projects
    Save sessions, logs, and configurations in a structured database for seamless continuity across tasks.

Getting Started with Hetty: Installation & Setup

Installing Hetty Across Platforms

Hetty’s cross-platform compatibility ensures it runs smoothly on macOS, Linux, Windows, and even Docker. Here’s how to get started:

macOS (Homebrew)

brew install hettysoft/tap/hetty

Linux & Windows

  • Linux: Download the latest release from GitHub and add the binary to your $PATH.
  • Windows: Use Scoop for hassle-free installation:
    scoop bucket add hettysoft https://github.com/hettysoft/scoop-bucket.git
    scoop install hettysoft/hetty
    

Docker

Run Hetty in a container with persistent storage:

docker run -v ~/.hetty:/root/.hetty -p 8080:8080 ghcr.io/dstotijn/hetty:latest

Launching Hetty & Initial Configuration

Start Hetty with default settings:

hetty --addr :8080

This command:

  • Generates a root CA certificate (~/.hetty/hetty_cert.pem) for MITM proxying.
  • Initializes a BadgerDB database at ~/.hetty/hetty.db for project storage.
  • Launches the admin interface at http://localhost:8080.

Pro Tip: Use hetty --chrome to auto-launch a preconfigured Chrome instance, bypassing certificate warnings.


Mastering Hetty’s Core Features

1. Proxy Logs & Traffic Analysis

Hetty’s proxy logs are a goldmine for dissecting web traffic. Navigate to the Proxy Logs tab to:

  • Filter Requests: Use regex or keywords to pinpoint specific endpoints (e.g., url =~ "/api/v1").
  • Copy to Sender: Right-click any log entry to clone requests into the HTTP client for replay or modification.

Proxy Logs Interface
The proxy logs interface offers advanced search and one-click request cloning.

2. Intercepting & Modifying Traffic

Interception is where Hetty shines. Enable request/response interception via Project Settings:

  • Request Interception: Halt outgoing requests to edit headers, bodies, or URLs.
  • Response Interception: Modify server responses to test client-side handling of malformed data.

Example Workflow:

  1. Enable interception in your project settings.
  2. Trigger a request (e.g., login attempt).
  3. Edit the intercepted request to inject a SQLi payload.
  4. Forward the modified request and analyze the response.

3. Crafting Requests with the HTTP Client

The Sender module allows manual request crafting:

  • Replay proxied requests with tweaked parameters.
  • Test endpoints for IDOR, SSRF, or authentication flaws.
  • Chain requests using variables for multi-step exploit testing.

Use Case: Simulate a broken access control attack by replaying a user’s POST request with an elevated role=admin header.


Advanced Techniques for Security Pros

Leveraging Scopes for Targeted Testing

Scopes let you define boundaries for your tests (e.g., *.example.com). Benefits include:

  • Reduced Noise: Automatically exclude out-of-scope traffic.
  • Focused Logs: Simplify reporting by isolating relevant requests.

Automating with Hetty’s API

For power users, Hetty’s GraphQL API (accessible at /graphql) enables automation:

  • Bulk-export logs for analysis in SIEM tools like ELK.
  • Integrate with CI/CD pipelines to scan staging environments pre-deployment.

Certificate Management Made Simple

Trust Hetty’s root CA system-wide to eliminate browser warnings:

hetty cert install

This command auto-configures trust stores on macOS, Linux, and Windows.


Hetty vs. Burp Suite: How They Stack Up

Feature Hetty Burp Suite Pro
Cost Free & Open-Source $$$ (Subscription)
MITM Proxying
Interception
Scope Management
Extensibility GraphQL API BApp Store & Plugins
Community Support Growing Mature

Verdict: Hetty is ideal for researchers prioritizing customization and cost-efficiency, while Burp remains the choice for enterprise teams needing plug-and-play extensibility.


Joining the Hetty Community

Contribute to the Project

Hetty thrives on community input. Whether you’re a developer, documenter, or tester, here’s how to help:

  • Code Contributions: Submit PRs via GitHub.
  • Feedback & Ideas: Join discussions on GitHub or Discord.

Stay Updated

  • Follow @dstotijn for release announcements.
  • Watch the GitHub repo to track new features like upcoming plugin support.

Conclusion: Why Hetty Belongs in Your Toolkit

Hetty represents a paradigm shift in security tooling—a fusion of open-source ethos and professional-grade functionality. Its modular design, coupled with active development, positions it as a formidable alternative to costly solutions. Whether you’re a solo researcher or part of a red team, Hetty’s flexibility and depth make it indispensable for modern web security challenges.

Ready to Dive In?

  • Download Hetty from GitHub.
  • Explore the official docs for advanced configurations.
  • Share your journey with the community!

🔒 Secure Your Workflow with Hetty—Because Every Request Tells a Story.


Looking for more tools to elevate your security game? Check out Mobbin for design insights that can inspire your next secure app interface. From authentication flows to API dashboards, Mobbin’s repository is a treasure trove for developers and designers alike. 🚀

Next Post Previous Post
No Comment
Add Comment
comment url
mobbin
kinsta-hosting
screen-studio