Mastering Web Traffic: A Developer's Guide to Hetty
Hetty can be an invaluable tool for software engineers, particularly when working on web applications or APIs. It's not just for dedicated security researchers. Here's how it can help you
Debugging and Troubleshooting
You can use Hetty as a proxy to intercept and inspect all HTTP/HTTPS traffic between your application and a server. This is a powerful way to debug issues with API calls, check request headers, or see the exact response your application is receiving. This is much more detailed than simply checking a browser's developer console.
API Development and Testing
When developing an API, you can use Hetty to see how different clients interact with it. You can intercept requests from your front-end and see if they're structured correctly. You can also manually craft and send requests to test API endpoints, which is a great way to perform ad-hoc testing before writing a formal test suite.
Security Testing
As a software engineer, you're responsible for writing secure code. Hetty allows you to perform basic security tests. You can manipulate requests to see how your application handles unexpected inputs, test for common vulnerabilities like SQL injection or cross-site scripting (XSS), and see if your application leaks sensitive information in its responses.
Understanding Network Communication
For junior engineers or those new to web development, Hetty provides a tangible way to see how the HTTP protocol works. By watching requests and responses in real-time, you can gain a deeper understanding of headers, cookies, and other essential components of web communication.
You can run Hetty in a couple of different ways, but the easiest and most common is using Docker.
Docker simplifies the setup significantly, as it handles all dependencies for you.
Step 1
Pull the Docker image
First, pull the Hetty Docker image from Docker Hub.
docker pull dstotijn/hetty
Step 2
Run the container
Next, run the container. This command will start Hetty, mapping port 8080 from the container to your local machine.
docker run -p 8080:8080 dstotijn/hetty
Step 3
Access the Hetty UI
Once the container is running, you can access the web interface by navigating to http://localhost:8080 in your browser. From there, you can configure the proxy settings.
If you prefer not to use Docker, you can install Hetty manually.
Step 1
Install Go
Hetty is written in Go, so you need to have Go installed on your system. You can download it from the official Go website.
Step 2
Clone the repository
Clone the Hetty repository from GitHub.
git clone https://github.com/dstotijn/hetty.git
Step 3
Build and run
Navigate to the project directory and build the application.
cd hetty
go build
./hetty
Let's walk through a simple example of using Hetty to intercept traffic from a browser.
Configure Your Browser
You need to tell your browser to route its traffic through Hetty.
Go to your browser's proxy settings.
Set the HTTP and HTTPS proxy to localhost and the port to 8080.
To capture HTTPS traffic, you'll need to install Hetty's root CA certificate. Hetty's UI provides instructions for this. Without it, you'll get certificate errors.
Make a Request
With the proxy configured, open a new tab and navigate to a website, for example, https://example.com.
Inspect the Traffic in Hetty
Now, switch back to the Hetty web interface at http://localhost:8080. You should see the request and response for example.com in the "Intercept" or "History" tab.
This is what a captured request might look like
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 ...
Accept: text/html,...
...
You can then modify this request and forward it to see how the server responds. For instance, you could change the User-Agent to see if the server serves a different page.