{"id":13542082,"url":"https://github.com/mlcsec/headi","last_synced_at":"2025-12-25T01:28:08.135Z","repository":{"id":44937410,"uuid":"322859400","full_name":"mlcsec/headi","owner":"mlcsec","description":"Customisable  and automated HTTP header injection","archived":false,"fork":false,"pushed_at":"2024-06-27T11:20:13.000Z","size":38,"stargazers_count":244,"open_issues_count":1,"forks_count":54,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-02T09:41:18.187Z","etag":null,"topics":["bugbounty","golang","header-injection"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mlcsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-19T13:56:16.000Z","updated_at":"2025-03-26T16:25:32.000Z","dependencies_parsed_at":"2024-08-01T10:26:09.231Z","dependency_job_id":null,"html_url":"https://github.com/mlcsec/headi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mlcsec/headi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlcsec%2Fheadi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlcsec%2Fheadi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlcsec%2Fheadi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlcsec%2Fheadi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mlcsec","download_url":"https://codeload.github.com/mlcsec/headi/tar.gz/refs/heads/
main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mlcsec%2Fheadi/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28015522,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-24T02:00:07.193Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","golang","header-injection"],"created_at":"2024-08-01T10:01:01.149Z","updated_at":"2025-12-25T01:28:08.107Z","avatar_url":"https://github.com/mlcsec.png","language":"Go","readme":"# headi\nCustomisable and automated HTTP header injection.  
Example run from the HTB machine Control:\n\n\u003ca href=\"https://asciinema.org/a/381187\" target=\"_blank\"\u003e\u003cimg src=\"https://asciinema.org/a/381187.svg\" /\u003e\u003c/a\u003e\n\n`InsecureSkipVerify` is not currently configured, so TLS certificates are verified. If you want to disable that check, uncomment `crypto/tls` in the imports and the `TLSClientConfig:   \u0026tls.Config{InsecureSkipVerify: true},` lines in the HTTP transport configuration, then build locally.\n\n\u003cbr\u003e\n\n## Install\n```shell\ngo install github.com/mlcsec/headi@latest\n```\n\nOr from git:\n```shell\ngit clone https://github.com/mlcsec/headi.git\ncd headi\nmake before.build\nmake build.headi\nsudo mv headi /usr/local/bin\n```\n\n\u003cbr\u003e\n\n## Headers\nInjects the following HTTP headers:\n* Client-IP\n* Connection\n* Contact\n* Forwarded\n* From\n* Host\n* Origin\n* Referer\n* True-Client-IP\n* X-Client-IP\n* X-Custom-IP-Authorization\n* X-Forward-For\n* X-Forwarded-For\n* X-Forwarded-Host\n* X-Forwarded-Server\n* X-Host\n* X-HTTP-Host-Override\n* X-Original-URL\n* X-Originating-IP\n* X-Real-IP\n* X-Remote-Addr\n* X-Remote-IP\n* X-Rewrite-URL\n* X-Wap-Profile\n\nAn initial baseline request is made to gauge the normal response for the target resource.  Green (`[+]`) indicates a change in the response and red (`[-]`) indicates no change.\n\n\u003cbr\u003e\n\n## Usage\nTwo options for HTTP header injection:\n\n1. Default payloads (127.0.0.1, localhost, etc.) are injected into the headers mentioned above\n2. Custom payloads can be supplied (e.g. 
you've enumerated some internal IPs or domains) using the `pfile` parameter\n\n```\n$ headi\nUsage:\n  headi -u https://target.com/resource\n  headi -u https://target.com/resource -p internal_addrs.txt\n\nOptions:\n  -p, --pfile \u003cfile\u003e       Payload File\n  -t, --timeout \u003cmillis\u003e   HTTP Timeout\n  -u, --url \u003curl\u003e          Target URL\n```\nheadi currently takes only one URL as input, but you can easily script it in bash for multiple URLs, like so:\n```\n$ while read -r i; do headi -u \"$i\"; done \u003c urls\n```\n","funding_links":[],"categories":["Exploitation","Weapons","Go (531)","Go"],"sub_categories":["Header Injection","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmlcsec%2Fheadi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmlcsec%2Fheadi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmlcsec%2Fheadi/lists"}