explaingit

x0cban/harness

Analysis updated 2026-05-18

Stars · 10 | Language · JavaScript | Audience · ops/devops | Complexity · 4/5 | Setup · hard

TLDR

An open-source desktop HTTP/HTTPS proxy and web security testing toolkit with traffic interception, fuzzing, secret detection, and Nuclei and SQLMap integrations.

Mindmap

mindmap
  root((Harness))
    Core tools
      Proxy intercept
      Repeater
      Intruder fuzzer
      Crawler
    Scanners
      Secrets scanner
      Nuclei integration
      SQLMap integration
    Advanced
      JS scripting
      Token manager
      Match and replace
    Platform
      Go backend
      Wails desktop
      Windows Linux macOS


What do people build with it?

USE CASE 1

Intercept and modify HTTP/HTTPS requests from a browser during a web app penetration test

USE CASE 2

Use the Intruder module to fuzz a login form with a wordlist to find weak credentials

USE CASE 3

Scan proxied traffic passively for leaked secrets like AWS keys, GitHub tokens, and JWTs

USE CASE 4

Send a captured request directly to SQLMap to test for SQL injection vulnerabilities

What is it built with?

Go, JavaScript, Wails, Nuclei, SQLMap

How does it compare?

                   x0cban/harness   jeonghopark/collective-trajectories   abivan-tech/zvec-mcp
Stars              10               10                                    9
Language           JavaScript       JavaScript                            JavaScript
Setup difficulty   hard             easy                                  moderate
Complexity         4/5              4/5                                   3/5
Audience           ops devops       designer                              developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard | Time to first run · 1h+

Build from source only (no prebuilt binaries); requires Go, Node.js, and webkit2gtk. Windows Defender may flag Nuclei as malware (a known false positive).

License terms are not clearly stated in the available README.

In plain English

Harness is an open-source desktop application for web security testing. It intercepts HTTP and HTTPS traffic between your browser and a server, letting you inspect, modify, and replay requests and responses. It is positioned as a free alternative to commercial tools like Burp Suite.

The application is built with a framework called Wails, which packages a Go backend with a JavaScript frontend into a native desktop app. You build it from source and run it on Windows, Linux, or macOS. Once running, it listens on a local port and acts as a proxy: you configure your browser to route traffic through it, and every request and response passes through Harness, where you can intercept it before it is forwarded.

The main features include a Proxy for intercepting and editing traffic, a Repeater for replaying and tweaking individual requests, an Intruder for parameterized fuzzing in several modes, and a Crawler that maps a site's structure as a visual graph. The Secrets Scanner passively monitors all proxied traffic in real time and flags patterns like AWS keys, GitHub tokens, private keys, credit card numbers, and JWTs as they pass through.

Harness also integrates with two external tools: Nuclei (a widely used vulnerability scanner) and SQLMap (a SQL injection testing tool). You can send any request from the proxy history directly to SQLMap with a single click. Traffic from Nuclei and SQLMap runs through the proxy history, so all requests are captured in one place.

Additional features include a scripting panel where you write JavaScript to query captured requests, a token manager that auto-injects session tokens and can replay login sequences on 401 errors, and a Match and Replace system for rewriting requests or responses with regex rules.

The tool is described as a work in progress. No prebuilt binaries exist yet; you build from source using installer scripts that handle the Go, Node.js, and Wails dependencies.

Copy-paste prompts

Prompt 1
I'm using Harness as an HTTP proxy for a web penetration test. How do I intercept a POST request, modify the body, and forward it? Walk me through the Proxy and Repeater workflow.
Prompt 2
Show me how Harness's Intruder modes work (Sniper, Battering Ram, Pitchfork, Cluster Bomb) and when to use each one for credential stuffing versus parameter fuzzing.
Prompt 3
I want to build and run Harness on Kali Linux. Walk me through the install-deps.sh script, webkit2gtk version selection, and the wails build command.
Prompt 4
How does Harness's token manager work for authenticated testing? Show me how to configure an extraction rule and a re-auth macro that replays on 401 errors.

Frequently asked questions

What is harness?

An open-source desktop HTTP/HTTPS proxy and web security testing toolkit with traffic interception, fuzzing, secret detection, and Nuclei and SQLMap integrations.

What language is harness written in?

Mainly JavaScript. The stack also includes Go and Wails.

What license does harness use?

License terms are not clearly stated in the available README.

How hard is harness to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is harness for?

Mainly ops/devops.


Verify against the repo before relying on details.