Analysis updated 2026-05-18
Intercept and modify HTTP/HTTPS requests from a browser during a web app penetration test
Use the Intruder module to fuzz a login form with a wordlist to find weak credentials
Scan proxied traffic passively for leaked secrets like AWS keys, GitHub tokens, and JWTs
Send a captured request directly to SQLMap to test for SQL injection vulnerabilities
| | x0cban/harness | jeonghopark/collective-trajectories | abivan-tech/zvec-mcp |
|---|---|---|---|
| Stars | 10 | 10 | 9 |
| Language | JavaScript | JavaScript | JavaScript |
| Setup difficulty | hard | easy | moderate |
| Complexity | 4/5 | 4/5 | 3/5 |
| Audience | ops devops | designer | developer |
Figures from each repo's GitHub metadata at analysis time.
Build from source only (no prebuilt binaries). Requires Go, Node.js, and webkit2gtk (the WebKit GTK library Wails uses on Linux). Windows Defender may flag Nuclei as malware; this is a known false positive, so confirm you obtained Nuclei from its official release source before adding an exclusion.
Harness is an open-source desktop application for web security testing. It intercepts HTTP and HTTPS traffic between your browser and a server, letting you inspect, modify, and replay requests and responses, and it is positioned as a free alternative to commercial tools like Burp Suite. The application is built with Wails, a framework that packages a Go backend with a JavaScript frontend into a native desktop app. You build it from source and run it on Windows, Linux, or macOS. Once running, it listens on a local port and acts as a proxy: you configure your browser to route traffic through it, and every request and response passes through Harness, where you can hold it for editing before it is forwarded. As with any intercepting proxy, inspecting HTTPS requires the browser to trust the proxy's CA certificate; keep that trust limited to the browser profile you test from.

The main features are a Proxy for intercepting and editing traffic, a Repeater for replaying and tweaking individual requests, an Intruder for parameterized fuzzing in several modes, and a Crawler that maps a site's structure as a visual graph.

The Secrets Scanner passively monitors all proxied traffic in real time and flags patterns such as AWS keys, GitHub tokens, private keys, credit card numbers, and JWTs as they pass through. Because the detection is pattern-based and only sees traffic that actually transits the proxy, treat a hit as a lead to confirm rather than a finding, and expect some false positives on long digit strings and base64 blobs.

Harness also integrates with two external tools: Nuclei (a widely used vulnerability scanner) and SQLMap (a SQL injection testing tool). You can send any request from the proxy history directly to SQLMap with a single click, and traffic generated by Nuclei and SQLMap is routed through the proxy so that all requests are captured in one history.

Additional features include a scripting panel where you write JavaScript to query captured requests, a token manager that auto-injects session tokens and can replay a login sequence when a request returns 401, and a Match and Replace system for rewriting requests or responses with regex rules. When using the token manager, check that injection is restricted to the target's hosts so a session token is not sent to third-party origins the application happens to call.

The tool is described as a work in progress. No prebuilt binaries exist yet; you build from source using installer scripts that handle the Go, Node.js, and Wails dependencies.
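The passive secret detection described above is easy to get subtly wrong: a bare regex for credit card numbers fires on every timestamp, and a three-segment base64url regex fires on many things that are not JWTs. The following is an added example, not code from the Harness project, of a scanner of that kind run over a constructed slice of proxy history. The record shape (`id`, `request`, `response` with `headers` and `body`), the detector list, and the sample traffic are assumptions for illustration; the page does not document the scripting panel's actual API. Pattern-only hits are confirmed by a second check where one exists (Luhn for card numbers, a decodable header with `alg` for JWTs), and matched values are redacted before they are reported.

```javascript
// Added example (not Harness project code): passive secret scanner over
// captured request/response records. Record shape and detectors are assumed.

function b64urlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64").toString("utf8");
}

// A JWT's first segment must decode to a JSON object carrying "alg".
function isJwt(token) {
  try {
    const header = JSON.parse(b64urlDecode(token.split(".")[0]));
    return typeof header === "object" && header !== null && typeof header.alg === "string";
  } catch {
    return false;
  }
}

// Luhn check: weeds out most random digit runs (timestamps, IDs) that
// happen to be card-length.
function luhnValid(s) {
  const digits = s.replace(/[ -]/g, "");
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

const DETECTORS = [
  // AWS access key IDs: 20 chars with a known prefix (AKIA long-term, ASIA temporary).
  { name: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ prefix followed by 36 alphanumerics.
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  // JWT: three base64url segments, header starting with "eyJ" (i.e. '{"').
  { name: "jwt", re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}(?![A-Za-z0-9_-])/g, verify: isJwt },
  // PEM private key blocks of the common flavours.
  { name: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/g },
  // 13-19 digits with optional space/dash separators, confirmed by Luhn.
  { name: "credit-card", re: /\b(?:\d[ -]?){12,18}\d\b/g, verify: luhnValid },
];

// Keep the first and last four characters so an analyst can locate the value
// without the full secret landing in a report.
function redact(s) {
  if (s.length <= 8) return "*".repeat(s.length);
  return s.slice(0, 4) + "*".repeat(s.length - 8) + s.slice(-4);
}

function scanText(text, where) {
  const findings = [];
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) {
      if (d.verify && !d.verify(m[0])) continue; // pattern matched but secondary check failed
      findings.push({ type: d.name, where, offset: m.index, sample: redact(m[0]) });
    }
  }
  return findings;
}

// Scan both directions of one exchange, headers and body.
function scanExchange(ex) {
  const findings = [];
  for (const side of ["request", "response"]) {
    const msg = ex[side] || {};
    for (const [k, v] of Object.entries(msg.headers || {})) {
      findings.push(...scanText(String(v), `${side}.headers.${k}`));
    }
    findings.push(...scanText(msg.body || "", `${side}.body`));
  }
  return findings.map((f) => ({ id: ex.id, ...f }));
}

function scanHistory(history) {
  return history.flatMap(scanExchange);
}

// Constructed sample history (not real traffic). The JWT header is the
// standard {"alg":"HS256","typ":"JWT"}; "ts" is card-length but fails Luhn.
const SAMPLE_HISTORY = [
  {
    id: 1,
    request: {
      headers: {
        Host: "api.example.test",
        Authorization: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
      },
      body: "",
    },
    response: {
      headers: { "Content-Type": "application/json" },
      body: '{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","card":"4111 1111 1111 1111","ts":1716000000123}',
    },
  },
  {
    id: 2,
    request: { headers: { Host: "git.example.test" }, body: "token=ghp_" + "a".repeat(36) + "&ref=main" },
    response: { headers: {}, body: "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----" },
  },
];

console.log(JSON.stringify(scanHistory(SAMPLE_HISTORY), null, 2));
```

Running it against the constructed history reports five findings (JWT in the request header, AWS key and card number in the first response, GitHub token in the second request body, private key in the second response) and drops the `ts` value because it fails the Luhn check. In a real run the interesting part is the `where` field: a token in a response body from a third-party script, or in a request leaving for an origin other than the target, is what turns a pattern hit into a leak.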
An open-source desktop HTTP/HTTPS proxy and web security testing toolkit with traffic interception, fuzzing, secret detection, and Nuclei and SQLMap integrations.
Mainly JavaScript. The stack also includes Go and Wails.
License terms are not clearly stated in the available README.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Aimed mainly at ops and devops.
Verify against the repo before relying on details.