An open-source HTTP proxy and web security testing Framework.
Work in progress. Core tools are stable on my build. Some UI polish and features are still being added. Scanning is powered by Nuclei and SQLMap — both battle-tested and maintained by their own teams. Custom scanning engines are being ruminated. Please come back for several updates and changes in the coming months to update.
- security-hardening cluster
- Panic recovery on every backend goroutine
- Various security hardens( check commits)
- Form <-> JSON body conversion to Repeater/Intruder encoder menus
- syntax highlighting
- UI color presets, just in case you don't like defaults
- scope/project persistence
- AI/MCP integration
- collaborator setup, possible interactsh integration to collab with a team
Full MITM HTTP/HTTPS interception.
- Pause requests mid-flight, edit the raw text, then Forward or Drop
- Intercept responses too — modify before the browser sees them
- Forward All clears the queue instantly
- Scope filter — restrict capture to specific hosts (glob or regex)
- History clears on every restart so you start clean
- Click any row for full request + response with Raw / Hex / Render views
- Right-click any row → Send to Repeater / Intruder / SQLMap
Replay and modify individual requests.
- Multiple named tabs
- Follow-redirects toggle
- Response panel: Raw · Hex dump · Rendered HTML · Pretty JSON
- Grep search across response body
- Right-click encode/decode (URL, Base64, HTML entities, hex)
Parameterized fuzzer.
Modes:
| Mode | Behaviour |
|---|---|
| Sniper | One payload set, one position at a time |
| Battering Ram | One payload set, all positions simultaneously |
| Pitchfork | Multiple payload sets, advanced in lockstep |
| Cluster Bomb | Multiple payload sets, full cartesian product |
Payloads:
- Paste directly or load from file — large files are streamed, not loaded into RAM
- 14 transforms: URL encode/decode, Base64 encode/decode, MD5, SHA-256, Hex encode/decode, HTML encode, Uppercase, Lowercase, Reverse, Prefix, Suffix
Results:
- Table: index, payload, status, length, duration, grep matches
- Click any row → modal with Request / Raw / Headers / Body / Hex / Render tabs
- Session tabs — switch between multiple attack configs without losing results
Active spider with a visual graph.
- Follows
<a href>,<form action>,<script src>, asset links - Extracts URLs from inline JS (fetch/XHR patterns)
- Parses JSON responses for embedded path strings
- Infers parent paths — finds
/api/v1/usersfrom/api/v1/users/123 - Wordlist fuzzing — paste paths or load a file to brute-force directories alongside the crawl
- D3 force graph — nodes coloured by status code; 404s are dropped silently
- Click any node → Send to Repeater
Passive scanner running against proxied traffic.
Scans every response and request body in real time for 14 patterns:
| Pattern | Severity |
|---|---|
| AWS Access Key | Critical |
| GitHub Token | Critical |
| Private Key block | Critical |
| Credit Card number | Critical |
| Slack Token | Critical |
| JWT | High |
| Generic API key | High |
| Password in request body | High |
| Bearer Token | Medium |
| SQL query in response | Medium |
| Stack trace / exception | Medium |
| Debug info leakage | Medium |
| Internal IP | Low |
| Email address | Info |
- Findings appear live as traffic is proxied — no manual scan trigger
- Severity filter, per-pattern toggles
- Expand any row for the snippet in context
- Right-click → Send to Repeater
- CSV export
Runs your locally installed Nuclei engine against a target, with all scan traffic captured in Harness proxy history.
- Tag filter, severity filter, custom templates path, rate limit
- Streaming output with severity colour coding
- Stop at any time
- Intercept is automatically suspended during scans so it doesn't interfere
Windows Defender will flag Nuclei as malware. This is a false positive — Nuclei is an open-source scanner used by the security community. Add an exclusion for the Nuclei binary in Windows Security before installing.
Launches SQLMap against a target, with all SQL test traffic visible in proxy history.
- Send any history entry directly to SQLMap with one click
- Configurable technique, level, risk, DBMS, dump flags
- Streaming output in-app
Runs JavaScript analysis against captured proxy history and crawler data.
- Write arbitrary JS — both
requestsandcrawlNodesare passed in as arrays - 9 built-in templates: SQL params, open redirects, JWT tokens, admin paths, error responses, large responses, JSON APIs, POST creds, CORS
- Right-click results → Send to Repeater / Intruder / SQLMap
Session token management for authenticated testing.
- Extraction rules (regex or JSONPath) to pull tokens from responses
- Auto-inject the active token into every proxied request (header, cookie, or body)
- Re-auth macro — define a sequence of requests to re-authenticate; replays automatically on 401 and retries
Rewrite rules applied to every request and response.
- Actions: Replace (text or regex) or Remove
- Case-sensitive toggle, URL scope per rule
- Live test panel — paste sample input and preview the output before enabling
- 6 presets: Strip CSP, Strip HSTS, Spoof User-Agent, Disable Accept-Encoding, Flag SQL errors, Add X-Forwarded-For
No prebuilt binaries yet — build from source. The installer script handles all dependencies.
git clone https://github.com/X0CBAN/Harness
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
cd Harness
.\scripts\install-deps.ps1
wails buildThe script installs Go, Node.js, and Wails if they're not already present. Optional prompts for Nuclei and SQLMap.
git clone https://github.com/X0CBAN/Harness
cd Harness
chmod +x scripts/install-deps.sh
bash scripts/install-deps.shThe script detects your package manager and installs the right webkit2gtk version. On newer distros (webkit2gtk 4.1) the build command is:
wails build -tags webkit2_41On older distros (webkit2gtk 4.0):
wails buildThe install script prints the correct command for your system at the end.
Manual deps (Debian/Ubuntu/Parrot):
# webkit2gtk 4.1 (newer distros — Parrot, Ubuntu 23+, Debian 12+)
sudo apt install libgtk-3-dev libwebkit2gtk-4.1-dev gcc pkg-config build-essential
# webkit2gtk 4.0 (older distros)
sudo apt install libgtk-3-dev libwebkit2gtk-4.0-dev gcc pkg-config build-essentialgit clone https://github.com/X0CBAN/Harness
cd Harness
bash scripts/install-deps.sh
wails buildManual deps via Homebrew:
brew install go node
go install github.com/wailsapp/wails/v2/cmd/wails@v2.12.0macOS builds are currently untested. If something breaks, open an issue.
- Run
harness(orharness.exe) — proxy starts on127.0.0.1:8080 - Install the CA cert (see below)
- Either:
- Click Launch Browser in the toolbar — opens an isolated Chromium session with the proxy already configured
- Or configure your existing browser manually to use
127.0.0.1:8080as HTTP/HTTPS proxy
Harness generates a local CA on first run. It never leaves your machine.
Windows: Settings → Install CA Certificate (one click, imports into CurrentUser trust store for Chrome/Edge)
macOS: Settings → Install CA Certificate — runs sudo security add-trusted-cert against the System keychain. Restart your browser after.
Linux: Settings → Install CA Certificate — copies the cert to /usr/local/share/ca-certificates/ and runs update-ca-certificates. Uses pkexec or sudo.
Firefox (all platforms): Firefox has its own trust store and ignores the system one.
- Settings → Export Certificate — saves
harness-ca.crtto your desktop - Firefox → Settings → Privacy & Security → View Certificates → Authorities → Import → select the file → check "Trust this CA to identify websites"
- Backend: Go + goproxy + SQLite
- Frontend: React + Vite + Zustand
- Desktop: Wails v2 — native WebView2 on Windows, WebKit on Linux/macOS. No Electron.
harness/
├── main.go
├── internal/
│ ├── proxy/ # core proxy, Wails app bindings, match/replace engine
│ ├── cert/ # CA generation, per-host cert caching, OS trust store install
│ ├── history/ # SQLite request/response + crawl node store
│ ├── repeater/ # raw HTTP request replayer
│ ├── intruder/ # fuzzing engine — 4 modes, 14 transforms, streaming payloads
│ ├── crawler/ # HTML/JS/JSON spider
│ ├── tokens/ # token extraction, injection, re-auth macros
│ ├── nuclei/ # Nuclei process management and output streaming
│ └── sqlmap/ # SQLMap process management and output streaming
└── frontend/src/
├── pages/ # one file per tab
├── stores/ # Zustand state
├── components/ # shared utilities (hex dump, body extract, JSON format)
└── bridge.js # Wails ↔ Go RPC wrappers
- Linux performance on low-resource VMs — the WebKit2GTK renderer is heavy. Expect lag in VMs with less than 2GB RAM or no GPU acceleration. Native installs are fine.
- Linux window quirks — window decorations and sizing behave differently depending on your desktop environment. Known to look off on some GNOME and tiling WM setups. Works best on a standard desktop session.
- macOS untested — builds should work but haven't been run on real hardware yet. Open an issue if something breaks.
- Secrets scanner only peeks 32 KB — responses larger than 32 KB will only be scanned up to that limit. Findings in the tail of a large response will be missed.
- Launch Browser requires Chromium — Firefox doesn't support
--ignore-certificate-errorsvia CLI flag so it can't be used with the one-click launch. Install Chromium (sudo apt install chromium) if the button does nothing. - Nuclei and SQLMap must be installed separately — the installer script offers to install them, but Harness won't run scans if they're not on PATH.
Only test systems you own or have explicit written permission to test. Unauthorized security testing is illegal.
MIT







