Releases: c0dejump/HExHTTP
Releases · c0dejump/HExHTTP
v2.6
Updated:
- New payloads (sorted and add news payloads)
- Fix bugs
- Uncommon header updated, Integrating scans of source files (HTML, JS, etc.) to identify headers that are not commonly used
- Added a cache poisoning check by testing whether a body is added to the GET request to verify if it is cached
- If the "hu" option isn't enough and the WAF is very sensitive, you can now use the "stealth" option, which replaces Python's default requests.Session with a curl_cffi-backed session that impersonates a real Chrome 120 browser at the TLS level
- Fix multi-threading false positives: per-URL combo tracking, UUID cache busters to prevent cross-thread cache collisions, and domain-level WAF lock so all threads pause together instead of hammering the targe
v2.5
Updated:
- News payloads
- Fixed bugs
- Linting
- Technologies testing remake
- Correction of over half of false positives
- Rename modules header_checks
- Better WAF detection & timeout
News:
- False positive baseline in "utils.py"
- Centralization of the main requests made for CP/CPDoS scans in "global_requests.py"
- HHMP CPDoS module, Host Header Manipulation Poisoning, likely host header injection but some different
- Generates an interactive HTML report from scan results with -o option (export json/csv in HTML)
v2.4
v2.3
v2.2
v2.1
Updated:
- Fixed cpdos_main: Reworking the source code to avoid FP and improve detection, as well as being able to send headers not authorized by the basic requests library & recreating a “fresh” session before launching the cpdos modules
- New payloads
- Fixed logic and style bug
News:
- CVE-2025-57822 module check
- Add random user-agent during cpdos to avoid overly strict waf
v2.0
New:
- HTTP proxy module, you can send behavior and confirmed request directly in burp (or other HTTP proxy) now (utils/proxy.py)
- Check CVE-2021-27577 by Claude AI
- Multiple method poisoning analysis (modules/cp_check/methods_poisoning)
- Fat methods poisoning
- Cross Mixed Methods CPDoS (Cross-method cache poisoning, negative caching, Mix methods)
- Origin CORS DoS by Geluchat
- Uncommon header analysis (retrieves the non-common headers from the request and replays them for testing purposes)
- Debug headers checks
- PR and push are now checked against formatting, linting, type checking, security checking and regression testing (quality workflow)
- Version handles beta versioning now
- DX : Small Test Bed to verify regression
Updated:
- setup and requirements consolidated into pyproject.toml
- dockerfile is now in sync with how hexhttp is installed
- headerfuzz dictionary was overwriting its payloads using the same key
- Banner and version concerns are now separated
- technologies module got renamed to align with class name
- Proxy and Burp options allows to specify proxy server to pass issues or whole traffic
- Fixed bugs
- Remake server_error checks
- Remake Helper (-h) & README.md
- Unrisk page checking on the last CVE
- New payloads
- upgrade H2C DoS by Geluchat
- BIG Linting
- Added "utils" repository
- Moving certain files/folders/functions to linting
- Implementation of the cli.py file to lighten hexhttp.py
- HTTP Version & protocol analysis updated
- Vhosts misconfiguration analysis updated
- Methods analysis updated
Deleted:
- Cookies reflection tests (already completed in other modules)
- vuln_notify feature never really implemented and was too platform specific
v1.9.2
v1.9.1
v1.9
What's Changed
News
- New module to check cache poisoning via backslash transformation
- New Akamai check (https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/#How-to-prevent) + Linting
Updated:
- Cleaning and tidying up threads
- Fixed header add by -H option, now you can add multiple headers, exemple: -H "toto: titi" -H "plop: plip"
- News payloads
- Fixed bugs/FP