sender

package
v0.27.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2026 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Package sender issues one-off HTTP/HTTPS requests directly to a target (bypassing the proxy listener) and records each as a flow. It backs the Repeater and Intruder modules.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Header struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

Header is a single session header applied to outgoing sends.

func ExtractSessionHeaders added in v0.8.0

func ExtractSessionHeaders(resp *http.Response) []Header

ExtractSessionHeaders pulls auth headers from a login response.

func RunLoginMacro added in v0.8.0

func RunLoginMacro(cl *http.Client, m LoginMacro) ([]Header, error)

RunLoginMacro issues the recorded login request and returns session headers.

type LoginMacro added in v0.8.0

type LoginMacro struct {
	Enabled     bool   `json:"enabled"`
	Target      string `json:"target"`      // scheme://host[:port]
	Request     string `json:"request"`     // raw HTTP request
	RefreshSecs int    `json:"refreshSecs"` // auto-refresh interval; 0 = manual / 401 only
	ReauthOn401 bool   `json:"reauthOn401"` // retry the original send once after re-login
}

LoginMacro records a login request. Running it extracts session credentials (Set-Cookie, Authorization) from the response and applies them to the global session headers. Optional TTL refresh and automatic re-auth on 401.

type Macro added in v0.7.0

type Macro struct {
	Enabled    bool   `json:"enabled"`
	Target     string `json:"target"`     // scheme://host[:port] for the refresh request
	Request    string `json:"request"`    // raw HTTP request (request line + headers + optional body)
	Extract    string `json:"extract"`    // regex with one capture group, run over the refresh RESPONSE
	InjectMode string `json:"injectMode"` // "header" | "placeholder"
	InjectName string `json:"injectName"` // header name, or the placeholder text to replace (e.g. §CSRF§)
}

Macro defines a token-refresh request whose response feeds a value into every subsequent send — for CSRF tokens that rotate per request, or to re-auth. The refresh request is sent with a plain client (never recorded, never recursive).

type Request

type Request struct {
	Method    string
	URL       string
	Headers   map[string][]string
	Body      []byte
	Flags     int64           // e.g. store.FlagRepeater / store.FlagIntruder, OR'd onto the flow
	Context   context.Context // optional: cancel an in-flight send (e.g. an active-scan kill switch)
	NoSession bool            // skip the global session headers + token macro (authz replays carry their own identity)
	// contains filtered or unexported fields
}

Request describes a request to send.

type Sender

type Sender struct {
	// contains filtered or unexported fields
}

Sender sends requests and persists them as flows.

func New

func New(st *store.Store, cap *capture.Capturer) *Sender

New builds a Sender. The client does not follow redirects (each hop is its own flow, like Burp) and does not verify TLS — a security-testing tool routinely talks to targets with self-signed or invalid certificates.

func (*Sender) RunLoginMacroNow added in v0.8.0

func (s *Sender) RunLoginMacroNow() ([]Header, error)

RunLoginMacroNow runs the login macro immediately (API / manual re-auth).

func (*Sender) Send

func (s *Sender) Send(r Request) (*store.Flow, error)

Send issues r, captures the response, and persists a flow. Transport-level failures are recorded as an errored flow (502) rather than returned as errors; only malformed input returns an error.

func (*Sender) SetLoginMacro added in v0.8.0

func (s *Sender) SetLoginMacro(m LoginMacro)

func (*Sender) SetMacro added in v0.7.0

func (s *Sender) SetMacro(m Macro)

SetMacro configures the token-refresh macro applied before each send.

func (*Sender) SetOnPersist added in v0.12.0

func (s *Sender) SetOnPersist(fn func(*store.Flow))

SetOnPersist registers a callback invoked after each flow is stored. The control plane wires this to SSE flow.new so Repeater/Intruder/MCP sends refresh Proxy History the same way proxied traffic does.

func (*Sender) SetSession

func (s *Sender) SetSession(enabled bool, headers []Header)

SetSession configures the session headers auto-applied to outgoing sends.

func (*Sender) SetSessionHostHeaders added in v0.12.0

func (s *Sender) SetSessionHostHeaders(hh map[string][]Header)

SetSessionHostHeaders configures per-host auth header overrides. When a send target's hostname matches a key, those headers replace the global headers for that request. Pass nil to clear all per-host overrides.

func (*Sender) SetSessionRefresh added in v0.8.0

func (s *Sender) SetSessionRefresh(fn func([]Header))

SetSessionRefresh registers a callback invoked when a login macro produces new session headers (auto-refresh, manual run, or 401 re-auth).

func (*Sender) SetSessionScope added in v0.12.0

func (s *Sender) SetSessionScope(fn SessionScope)

SetSessionScope sets the host gate for session injection (typically target scope).

func (*Sender) TestLoginMacro added in v0.11.0

func (s *Sender) TestLoginMacro(m LoginMacro) (status int, headers []Header, err error)

TestLoginMacro dry-runs the given login macro: it issues the login request and returns the response status plus the session headers it WOULD set, WITHOUT touching the live session. Backs the UI "Test" button so an operator can see what the macro does (and whether it captures a session) before relying on it.

type SessionScope added in v0.12.0

type SessionScope func(host, scheme string, port int, path string) bool

SessionScope decides whether session headers may be attached to a send target. When nil, session headers are not injected (fail closed).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL