What’s Haptyc?
Haptyc is a Python library built to add payload position support and the Sniper/Clusterbomb/Batteringram/Pitchfork attack types to Turbo Intruder. While Haptyc accomplishes these goals fairly well, it also introduces a simpler way to express test sequences in general. Although the library was meant to target Turbo Intruder, it has no hard dependencies on Turbo Intruder and can be used anywhere test generation is required in a Python context. Because Haptyc was built for a Jython interpreter, it currently supports only Python 2.7 (future changes will fix this).
What are Haptyc tags?
Haptyc tags are tags a tester uses to annotate an original input payload. A tester can use multiple tags to surround key pieces of data in an HTTP request, wrapping each one as a positional payload. When tests are generated, Haptyc parses all the tags in the original payload and generates tests according to the functions associated with the tag names. When Haptyc evaluates a tag, it executes the associated tag function (called a Haptyc Transform) to produce a test payload, which is placed at the position of that tag in the request. Every tag function receives a data argument and a state argument. The data argument may contain the inner data of the tag or some other test payload sequence. The state argument is a state object associated with the tag, in which state can be stored between test iterations.
Documentation
Tag Types
- [+tag]inner[+end] – Sniper style iterative transform
- [%tag]inner[%end] – Clusterbomb style iterative transform
- [#tag]inner[#end] – Batteringram/Pitchfork style iterative transform
- [@tag]inner[@end] – Stateless persistent transform
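To make the difference between the '+', '%' and '#' tag types concrete, here is an added example (not Haptyc's code and not from the original page) that parses the tag syntax above and expands a template into tests using a simplified model. It is written for Python 3; the `payloads` dictionary, the function names and the sample request are assumptions made for the example, and '@' tags are not modelled.

```python
import itertools
import re

# The page's tag syntax: [+name]inner[+end], [%name]inner[%end], [#name]inner[#end]
TAG_RE = re.compile(r"\[([+%#])(\w+)\](.*?)\[\1end\]", re.S)

def parse(template):
    """Split a template into literal text and tag slots (ints index into tags)."""
    parts, tags, pos = [], [], 0
    for m in TAG_RE.finditer(template):
        parts += [template[pos:m.start()], len(tags)]
        tags.append({"kind": m.group(1), "name": m.group(2), "inner": m.group(3)})
        pos = m.end()
    parts.append(template[pos:])
    return parts, tags

def render(parts, values):
    return "".join(values[p] if isinstance(p, int) else p for p in parts)

def generate(template, payloads):
    """Yield one test string per iteration.

    payloads maps tag name -> list of values (a constructed stand-in for the
    transform functions a Haptyc user would write).
    """
    parts, tags = parse(template)
    base = [t["inner"] for t in tags]
    slots = lambda kind: [i for i, t in enumerate(tags) if t["kind"] == kind]
    # '+' sniper: one position varies at a time, the others keep their inner data.
    for i in slots("+"):
        for value in payloads[tags[i]["name"]]:
            yield render(parts, base[:i] + [value] + base[i + 1:])
    # '%' clusterbomb: every combination across positions (cartesian product).
    # '#' pitchfork: positions advance in lockstep; two '#' tags sharing a name
    # read the same list, which gives battering-ram behaviour.
    for kind, combine in (("%", itertools.product), ("#", zip)):
        idx = slots(kind)
        lists = [payloads[tags[i]["name"]] for i in idx]
        for combo in (combine(*lists) if idx else ()):
            values = list(base)
            for i, value in zip(idx, combo):
                values[i] = value
            yield render(parts, values)

if __name__ == "__main__":
    # Constructed request template; host and parameter names are placeholders.
    req = "GET /item?id=[%id]1[%end]&fmt=[%fmt]json[%end] HTTP/1.1\r\nHost: example.test\r\n\r\n"
    for test in generate(req, {"id": ["1", "2"], "fmt": ["json", "xml"]}):
        print(repr(test.split(" ")[1]))
```

The test count is the practical difference: sniper grows with the sum of the list lengths, clusterbomb with their product, and pitchfork with the shortest list.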
Logic Decorators
| Name | Arguments | Data input | Description |
| --- | --- | --- | --- |
| @ApplyIteration(n) | n = # of iterations | inner value of the Haptyc tag | Logic to generate N tests with inner as data |
| @ApplyRange(b,e,s=1) | b = begin value, e = max value, s = step | generated value of the range | Logic to generate a test for every value stepped with the value given as data |
| @ApplyList(L) | L = Python list | item of the list | Logic to generate a test for every value in the list given as data |
| @ApplyFilelist(path) | path = filesystem path | item of the list | Logic to generate a test for every value in the filelist given as data |
| @ApplyPayloads(name) | name = builtin list name | item of the list | Logic to generate a test for every value in the built-in list given as data |
Haptyc Class Decorators
| Name | Arguments | Description |
| --- | --- | --- |
| @CloneTransform(srcname, destname) | srcname = name (string) of the transform method to copy from, destname = name (string) of a non-existent transform method to copy into | CloneTransform copies the implementation of one transform into another namespace without needing to copy/paste. This is useful in ‘%’ and ‘#’ style attacks when you need to re-use the same transform implementation in multiple positions |
Transform Class Helper Methods
| Name | Description |
| --- | --- |
| self.inner() | Retrieves the inner payload of the tag |
| self.stop() | Will immediately stop test generation of that transform |
| self.me() | Will return the name of the current transform context |
| self.set_label(label) | Will set the label for this current test |
| self.get_label(label) | Will get the label for this current test |
Transform Helper State Attributes
| Name | Description |
| --- | --- |
| state.iter | Current iteration count of the transform (0-based) |
| state.init | Boolean that indicates if in the initialization stage |
Helper Mutation Functions
| Name | Description |
| --- | --- |
| radamsa(data) | This function will execute radamsa on the input data and returns its result (radamsa is required to be installed) |
| index_insert(data, list, index) | This function will insert a payload from the list into the supplied data at the supplied index |
| random_insert(data, list) | This function will insert a payload from the list into the supplied data at a random index |
Builtin Wordlists
- @ApplyPayloads("0-9")
- @ApplyPayloads("10 letter words")
- @ApplyPayloads("11 letter words")
- @ApplyPayloads("12 letter words")
- @ApplyPayloads("3 letter words")
- @ApplyPayloads("4 letter words")
- @ApplyPayloads("5 letter words")
- @ApplyPayloads("6 letter words")
- @ApplyPayloads("7 letter words")
- @ApplyPayloads("8 letter words")
- @ApplyPayloads("9 letter words")
- @ApplyPayloads("a-z")
- @ApplyPayloads("CGI scripts")
- @ApplyPayloads("Directories - long")
- @ApplyPayloads("Directories - short")
- @ApplyPayloads("dirsearch")
- @ApplyPayloads("Extensions - long")
- @ApplyPayloads("Extensions - short")
- @ApplyPayloads("Filenames - long")
- @ApplyPayloads("Filenames - short")
- @ApplyPayloads("Format strings")
- @ApplyPayloads("Form field names - long")
- @ApplyPayloads("Form field names - short")
- @ApplyPayloads("Form field values")
- @ApplyPayloads("Fuzzing - full")
- @ApplyPayloads("Fuzzing - JSON_XML injection")
- @ApplyPayloads("Fuzzing - out-of-band")
- @ApplyPayloads("Fuzzing - path traversal")
- @ApplyPayloads("Fuzzing - path traversal (single file)")
- @ApplyPayloads("Fuzzing - quick")
- @ApplyPayloads("Fuzzing - SQL injection")
- @ApplyPayloads("Fuzzing - template injection")
- @ApplyPayloads("Fuzzing - XSS")
- @ApplyPayloads("HTTP headers")
- @ApplyPayloads("HTTP verbs")
- @ApplyPayloads("IIS files and directories")
- @ApplyPayloads("Interesting files and directories")
- @ApplyPayloads("Local files - Java")
- @ApplyPayloads("Local files - Linux")
- @ApplyPayloads("Local files - Windows")
- @ApplyPayloads("Passwords")
- @ApplyPayloads("Server-side variable names")
- @ApplyPayloads("Short words")
- @ApplyPayloads("SSRF targets")
- @ApplyPayloads("User agents - long")
- @ApplyPayloads("User agents - short")
- @ApplyPayloads("Usernames")
Copyright (C) 2021 defparam