Haptyc is a python library which was built to add payload position support and Sniper/Clusterbomb/Batteringram/Pitchfork attack types into Turbo Intruder. While Haptyc accomplishes these goals fairly well it also introduces a simpler way to express test sequences in general. While this library was meant to target Turbo Intruder it has no hard dependencies on Turbo Intruder and can be used anywhere one requires test generation in a Python context. Unfortunately at this time since Haptyc was built for a jython interpreter it only supports Python 2.7 (however future changes will fix this).
What are Haptyc tags?
Haptyc tags are tags which a tester can use to annotate an original input payload. A tester can use multiple tags to surround key pieces of data in an HTTP request to wrap it as a positional payload. When tests are being generated Haptyc will parse all the tags in the original payload and generate tests in accordance to the functions associated with the tag names. When Haptyc evaluates a Haptyc tag it will execute the associated tag function (this is called a Haptyc Transform) for a test payload to place in position of the associated tag in the request. Every tag function will receive a data argument and a state argument. The data argument may contain the inner data of the tag or may contain some other test payload sequence. The state argument is a state object associated with the tag where state can be stored between test iterations. Let's review an example.
Example 1: Simple list iteration
GET /animal/[+GuessAnimal]dog[+end] HTTP/1.1
Haptyc Class & Haptyc Transform:
from haptyc import *original = "GET /animal/[+GuessAnimal]dog[+end] HTTP/1.1"class TestLogic(Transform): @ApplyList(["snake","cat","owl","lion"]) def test_GuessAnimal(self, data, state): return data + "?original=" + self.inner() + "&attempt=" + str(state.iter)TestFactory = TestLogic(original)for test in TestFactory: print(test)
GET /animal/snake?original=dog&attempt=0 HTTP/1.1GET /animal/cat?original=dog&attempt=1 HTTP/1.1GET /animal/owl?original=dog&attempt=2 HTTP/1.1GET /animal/lion?original=dog&attempt=3 HTTP/1.1
In the example above we how one can express tests in a simple way using Haptyc. First the Haptyc library is imported. Second we have defined the original data with our Haptyc tag annotations (GuessAnimal). Next the TestLogic class is defined and extended as a Transform class. Inside this class every method that starts with
test_ will get registered as a Haptyc tag for evaluation in the original payload. We use a logic decorator to apply the state logic for this Haptyc transform. In this case we use the
@ApplyList(list) decorator to tell Haptyc to generate a test for every item in the specified list and place that item into the Haptyc transform as the data argument. Inside the transform we return a mutated version of the data to insert back into the position of the tag. In this case the mutation is the list item as data concatenated with the data surrounded by the tag (dog) and then concatentated with the iter value in the state object. Lastly the remaining python shows the TestFactory object being created and all tests being generated in a for loop iterator. This is an example of a standard sniper-style attack which targets a single payload position. Next lets look at other style of attacks.
Example 2: Clusterbomb
GET /animal?type=[%type]dog[%end]&name=[%name]fido[%end] HTTP/1.1
Haptyc Class & Haptyc Transform:
from haptyc import *original = "GET /animal?type=[%type]dog[%end]&name=[%name]fido[%end] HTTP/1.1"class TestLogic(Transform): @ApplyList("snake","cat","owl","lion") def test_type(self, data, state): return data @ApplyList("Frank", "Lisa", "Jin", "Tooth") def test_name(self, data, state): return dataTestFactory = TestLogic(original)for test in TestFactory: print(test)
GET /animal?type=snake&name=Frank HTTP/1.1GET /animal?type=snake&name=Lisa HTTP/1.1GET /animal?type=snake&name=Jin HTTP/1.1GET /animal?type=snake&name=Tooth HTTP/1.1GET /animal?type=cat&name=Frank HTTP/1.1GET /animal?type=cat&name=Lisa HTTP/1.1GET /animal?type=cat&name=Jin HTTP/1.1GET /animal?type=cat&name=Tooth HTTP/1.1GET /animal?type=owl&name=Frank HTTP/1.1GET /animal?type=owl&name=Lisa HTTP/1.1GET /animal?type=owl&name=Jin HTTP/1.1GET /animal?type=owl&name=Tooth HTTP/1.1GET /animal?type=lion&name=Frank HTTP/1.1GET /animal?type=lion&name=Lisa HTTP/1.1GET /animal?type=lion&name=Jin HTTP/1.1GET /animal?type=lion&name=Tooth HTTP/1.1
Example 1 showed how to evaluate transforms sniper style by using the '+' sign annotation in the tag
[+tag][+end]. Example 2 shows how we can use 2 transforms/positions to conduct a clusterbomb-style of attack. As you can see we use 2 separate transform tags called
[%name][%end]. The '%' sign tells Haptyc to evaluate these transforms clusterbomb-style, for every payload in the first transform create a test with the payload from the second transform. The test count is the number of tests of every transform involved multiplied by each other.
Example 3: Pitchfork/BatteringRam
Using the same exact python code we can switch the attack style from clusterbomb to pitchfork by changing the '%' to a '#'. Pitchfork style attacks will place the position payload all in parallel. The test count is the lowest number of tests given of all involved transforms.