explaingit

dstotijn/hetty

10,203 · Go

Audience · developer

Complexity · 2/5

Setup · easy

TLDR

A free open source HTTP proxy and security testing toolkit that intercepts, logs, edits, and replays web traffic, a no-cost alternative to Burp Suite Pro for bug bounty hunters and penetration testers.

Mindmap

mindmap
  root((repo))
    What it does
      MITM proxy
      Traffic interception
      Request replay
    Features
      Edit requests in flight
      Domain scoping
      Project databases
      HTTP client tool
    Install Options
      Homebrew macOS
      Snap Linux
      Docker
      Binary download
    Audience
      Security researchers
      Bug bounty hunters
      Pentesters


Things people build with this

USE CASE 1

Intercept and inspect HTTP and HTTPS traffic from a web app to understand what data it sends to the server.

USE CASE 2

Edit a captured request mid-flight to test whether a web application properly validates user input.

USE CASE 3

Replay previously captured requests to reproduce bugs or test API behavior during a security engagement.

USE CASE 4

Organize separate bug bounty testing sessions in local project databases and revisit them later.

Tech stack

Go

Getting it running

Difficulty · easy

Time to first run · 30min

You need to install Hetty's root certificate in your browser to intercept and inspect HTTPS traffic.

In plain English

Hetty is an open source HTTP toolkit built for security researchers and people doing bug bounty work. Its goal is to provide a free alternative to commercial tools like Burp Suite Pro that are commonly used in web application security testing.

The central feature is a machine-in-the-middle (MITM) proxy. When you configure your browser or test device to send traffic through Hetty, it intercepts all HTTP and HTTPS requests and responses, logging them so you can review what data an application is sending and receiving. You can pause specific requests or responses mid-flight, inspect and edit them, then decide whether to forward or cancel them. This is useful for understanding how a web application works or for testing whether it validates input properly.

Beyond passive logging, Hetty includes an HTTP client for composing and sending custom requests, as well as the ability to replay any previously captured request. A scoping system lets you focus logging on specific domains or paths so you are not flooded with traffic from unrelated sources. All captured data is stored in a local project database, so you can organize separate testing sessions and come back to them later.

The admin interface is web-based, which means you access it through a browser after starting the Hetty server. Installation is available through Homebrew on macOS, Snap on Linux, Scoop on Windows, or as a Docker container. It can also be downloaded as a standalone binary. Hetty was still under active development as of the README, with a public backlog listing upcoming features.

Copy-paste prompts

Prompt 1
Set up Hetty as a MITM proxy on macOS using Homebrew, configure my browser to route traffic through it, and intercept HTTPS requests from a test web app.
Prompt 2
Using Hetty, capture a login request, modify the username field, and replay it to test for an authentication bypass vulnerability.
Prompt 3
How do I configure Hetty's scoping feature to only log traffic from one specific domain during a bug bounty engagement?
Prompt 4
Run Hetty in a Docker container and set it up to intercept traffic from a mobile app during a security assessment.
Prompt 5
Using Hetty, how do I intercept and modify a JSON API response before it reaches my browser?

Verify against the repo before relying on details.