Tool Reference
All 17 tools organized by tier.
Free Tier
Core HTTP workflow. Available to all users.
hunt
Set active hunt — creates database if new, loads existing if found.
id (string, required),
target (string),
notes (string),
data_dir (string),
user_agent (string),
proxy (string),
scope_file (string),
default_headers (object),
config_file (string)
hunt id: "acme-2026-q1", target: "acme.com"
→ Hunt created: acme-2026-q1 (acme-2026-q1.sqlite)
send
Send HTTP request and store in hunt database.
method (string, required),
url (string, required),
headers (object),
body (string),
body_file (string),
multipart (array),
raw_headers (array),
http_version (string),
sni (string),
request_target (string),
raw_path (boolean),
save_response (string),
name (string),
notes (string),
grep (string),
grep_ignore_case (boolean),
follow_redirects (boolean),
max_redirects (integer),
timeout_ms (integer),
url_encode (boolean),
pause_after_headers_ms (integer),
content_length_override (integer),
connection_id (string),
keep_alive_ms (integer),
close_connection (boolean)
send method: "GET", url: "https://target.com/api/users"
→ 200 OK | 142ms | 2.3kb | application/json
scope
Manage scope rules — add/remove include/exclude rules, import presets, check URLs.
action (string, required),
type (string),
host_pattern (string),
path_pattern (string),
protocol (string),
port (string),
notes (string),
id (integer),
preset (string),
url (string)
scope action: "import", preset: "exclude-static"
→ 3 exclude rules added
save
Name a request for quick retrieval.
id (string, required),
name (string, required),
notes (string)
save id: "last", name: "login-request"
→ Saved
fetch
Retrieve a stored request/response by ID or name.
id (string),
name (string),
part (string),
offset (integer),
limit (integer),
grep (string)
fetch id: "last"
→ 200 OK | 142ms | request + response
search
Regex search through stored requests and responses.
query (string, required),
in (string),
status (integer),
method (string),
limit (integer)
search query: "api_key=[A-Za-z0-9]+", in: "response"
→ 3 matches across 2 requests
session
Cookie jar management — list, get, set, delete, clear cookies, import from response headers.
action (string, required),
url (string),
name (string),
value (string),
domain (string),
path (string),
expires (integer),
secure (boolean),
http_only (boolean),
same_site (string),
set_cookies (array)
session action: "set", name: "session_id",
value: "abc123", domain: "target.com"
profile
Variable profile management — save, load, list, delete named snapshots of variables.
action (string, required),
name (string)
profile action: "save", name: "user-alice"
profile action: "load", name: "user-bob"
import
Import raw HTTP request from Burp or other tools — stores as crafted.
raw (string, required),
name (string),
https (boolean)
import raw: "GET /api/users HTTP/1.1\r\n..."
→ Imported as crafted request
chain
Execute multi-step request chain with variable extraction between steps.
steps (array, required),
stop_on_error (boolean),
stop_on_extract_fail (boolean),
stop_on_missing_var (boolean),
forward_cookies (boolean),
single_connection (boolean),
timeout_ms (integer)
chain steps: [login → fetch with {{token}}],
stop_on_error: true
export
Export a stored request to curl, python, go, httpie, har, or raw HTTP format.
id (string),
name (string),
format (string, required)
export name: "login-request", format: "curl"
→ curl -X POST 'https://target.com/login' ...
encode
Encode or decode payloads for injection testing. Encodings: url, double, html, base64, unicode, hex. Chain multiple left-to-right.
value (string, required),
encoding (string),
chain (array),
mode (string)
encode value: "<script>alert(1)</script>",
chain: ["url", "base64"]
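The left-to-right chaining described for encode, as an added example that is not the tool's own code: it shows each layer of a chain and that decoding has to undo the chain in reverse order, which is also what a filter must do before matching on the inner value. Assumptions: the function names `apply_chain` and `layers` are hypothetical, the per-encoding semantics are standard-library behaviour rather than the tool's, decode order is assumed, and `unicode` is omitted because the page does not say which form it uses.

```python
import base64
import html
from urllib.parse import quote, unquote

# Assumed semantics for five of the encodings named above; the tool's own
# output may differ, for example in which characters "url" escapes.
ENCODERS = {
    "url": lambda s: quote(s, safe=""),
    "double": lambda s: quote(quote(s, safe=""), safe=""),
    "html": lambda s: html.escape(s, quote=True),
    "base64": lambda s: base64.b64encode(s.encode()).decode("ascii"),
    "hex": lambda s: s.encode().hex(),
}
DECODERS = {
    "url": unquote,
    "double": lambda s: unquote(unquote(s)),
    "html": html.unescape,
    "base64": lambda s: base64.b64decode(s, validate=True).decode(),
    "hex": lambda s: bytes.fromhex(s).decode(),
}


def apply_chain(value, chain, mode="encode"):
    """Encode left-to-right; decode undoes the same chain right-to-left."""
    if mode == "encode":
        steps = [ENCODERS[name] for name in chain]
    elif mode == "decode":
        steps = [DECODERS[name] for name in reversed(chain)]
    else:
        raise ValueError("mode must be 'encode' or 'decode'")
    for step in steps:
        value = step(value)
    return value


def layers(value, chain):
    """Return (encoding, value) after each step so every layer is visible."""
    out = []
    for name in chain:
        value = ENCODERS[name](value)
        out.append((name, value))
    return out


if __name__ == "__main__":
    # Value and chain taken from the example on this page.
    for name, layer in layers("<script>alert(1)</script>", ["url", "base64"]):
        print(f"{name:7} {layer}")
```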
Pro Tier
Advanced attack tools. $19/mo or $190/yr.
intruder
Burp Intruder-style fuzzing with sniper, battering ram, pitchfork, and cluster bomb attack types.
method (string, required),
url (string, required),
attack_type (string, required),
headers (object),
raw_headers (string),
body (string),
http_version (string),
sni (string),
request_target (string),
payloads (object),
payload_ranges (object),
payload_files (object),
threads (integer),
timeout_ms (integer),
filter_status (array),
filter_length_gt (integer),
filter_length_lt (integer),
filter_time_gt (number),
filter_time_lt (number),
filter_match (string),
filter_exclude_payload (string),
output_dir (string),
session_setup (array)
intruder method: "GET",
url: "https://target.com/users/§id§",
attack_type: "sniper",
payloads: {"id": ["1","2","3","100","999"]}
race
Race condition testing with burst, single_packet, and staggered timing modes.
method (string, required),
url (string, required),
headers (object),
raw_headers (string),
body (string),
body_file (string),
multipart (array),
name (string),
sni (string),
request_target (string),
raw_path (boolean),
count (integer),
payloads (array),
payload_marker (string),
timing (string),
grep (string),
grep_ignore_case (boolean),
timeout_ms (integer),
session_setup (array)
race method: "POST",
url: "https://target.com/api/redeem",
count: 20, timing: "burst"
→ RACE DETECTED | 3/20 succeeded | 2ms window
oob
Out-of-Band interaction detection via Interactsh for blind vulnerability testing.
action (string, required),
server (string),
token (string),
correlation_id (string)
oob action: "register"
→ Payload: abc123.oast.fun (correlation_id: abc123)
parallel
Send multiple different HTTP requests simultaneously.
requests (array, required),
sync (boolean),
stagger_ms (integer),
grep (string),
grep_ignore_case (boolean),
timeout_ms (integer),
repeat (integer),
repeat_delay_ms (integer),
grep_first (boolean),
session_setup (array)
parallel requests: [
{"method":"GET","url":".../balance"},
{"method":"POST","url":".../transfer","body":"..."},
{"method":"GET","url":".../balance"}
], sync: true
send_h2
Send HTTP/2 request over TLS with ALPN negotiation.
method (string, required),
url (string, required),
headers (object),
raw_headers (array),
body (string),
body_file (string),
sni (string),
name (string),
notes (string),
grep (string),
grep_ignore_case (boolean),
timeout_ms (integer),
raw_mode (boolean),
content_length_override (integer),
pause_after_headers_ms (integer),
connection_id (string),
close_connection (boolean),
keep_alive_ms (integer)
send_h2 method: "POST",
url: "https://target.com/api",
raw_mode: true