// the product

The whole toolkit, one window

native · keyboard-first · one binary

The real Hugin desktop app — proxy, scanner, intruder, repeater, an AI agent, and the Pro offensive bundle in one native window. Click anything in the sidebar. Switch the theme. It's the product, not a screenshot.

Theme
HUGIN :8080 Intercept off AI All Traffic No Environment All Projects
HTTP History Overview Filter flows… (method:POST) All Colors All Only OOS Show hidden
#HostMethodPath & QueryStatusExtSizeTimeSent At
1api.acme.internalGET/api/v2/accounts/8273200json4.2K148ms19:44:01
2auth.acme.ioPOST/auth/login3020240ms19:44:01
3api.acme.internalGET/api/v2/users?sort=id200json18K284ms19:44:00
4auth.acme.ioDEL/sessions/4f9c403json31196ms19:43:59
5api.acme.internalPUT/api/v2/accounts/82732040180ms19:43:58
6cdn.acme.ioGET/assets/app.4f2.js200js142K61ms19:43:58
7api.acme.internalGET/api/v2/scope429json8833ms19:43:57
8api.acme.internalPOST/graphql200json6.1K210ms19:43:56
9api.acme.internalGET/api/v2/orders/55021500html1.4K902ms19:43:55
10auth.acme.ioGET/.well-known/jwks.json200json1.1K40ms19:43:54
11api.acme.internalPATCH/api/v2/accounts/8273/role403json92120ms19:43:53
12cdn.acme.ioGET/img/avatar/8273.png200png22K54ms19:43:52
13api.acme.internalGET/api/v2/accounts/8273/cards200json2.3K132ms19:43:51
14api.acme.internalPOST/api/v2/transfers201json402356ms19:43:50
15auth.acme.ioGET/oauth/authorize?client=…302071ms19:43:49
16api.acme.internalGET/api/v2/notifications200json5.0K88ms19:43:48
Showing 1–16 of 1,284
Sitemap In scope ⌕ filter host or path… 3 hosts · 142 endpoints
Hosts
api.acme.internal96
/api/v2/accounts
/api/v2/accounts/{id}
/api/v2/users
/api/v2/orders
/graphql
auth.acme.io31
cdn.acme.io15
Endpoints /api/v2/accounts/{id}
MethodStatusParamsLast seen
GET200id19:44:01
PUT204id · role · plan19:43:58
PATCH403id · role19:43:53
DEL403id19:43:50
GET200id · expand19:43:47
GET /api/v2/accounts/8273 200 · json · 1.1 KB
GET /api/v2/accounts/8273 HTTP/2
host: api.acme.internal
authorization: Bearer eyJhbGciOiJI…

HTTP/2 200 OK
content-type: application/json

{"id": 8273, "owner": "u_5521",
 "role": "member", "balance": 428815}
PassiveActiveLive AuditConsolidateRefuse OOS
ScanResults 9Checks 88Run Log
Run · ac62ce96 · scanning api.acme.internal87%
CRITSQL injection — boolean-based blindapi.acme.internal · /api/v2/users?sort=param: sort
HIGHBroken object-level authorization (IDOR)api.acme.internal · /api/v2/accounts/{id}BOLA
HIGHJWT signature not verified (alg:none)auth.acme.io · /auth/loginjwt
MEDReflected XSS in search parameteracme.io · /search?q=param: q
MEDCORS allows credentialed wildcard originapi.acme.internal · *headers
LOWMissing HSTS headeracme.io · *headers
acme · logingraphqlaccounts/8273+
GET https://api.acme.internal/api/v2/accounts/8273 200 · 1.1 KB · 180 ms
Request
POST /api/v2/accounts/8273 HTTP/2
host: api.acme.internal
authorization: Bearer eyJhbGciOiJI…
content-type: application/json

{"role": "admin", "plan": "enterprise"}
Response 200 OK · 180 ms
HTTP/2 200 OK
content-type: application/json

{"id": 8273, "role": "admin",
 "plan": "enterprise", "updated": "2026-06-14"}
accounts · sniper+
SniperPitchforkCluster bomb position: id = §payload§
#PayloadStatusLengthResult
182732001,102baseline
282742001,140other tenant ✓
312001,190admin record ✓
49999940474not found
5040392denied
682002001,138other tenant ✓
78273e40061bad request
880012001,144other tenant ✓
Explore 6Auto
Runs 6 / 6
⌕ search runs…
AllActiveDoneFailed
explore — IDOR on accounts APIcomplete14 steps
explore — auth & session handlingcomplete9 steps
explore — GraphQL surfacerunning3 steps
explore — file upload pathsbudget_exhausted7 steps
explore — JWT & cookiescomplete5 steps
explore — rate-limit bypasserror2 steps
Race TestSessionsDiscoverBatchMicroserviceOrchestrateParam HuntProtocol Race
Configuration PRO
Single-packet
https://shop.acme.io/api/redeem
POST
code=SAVE20&cart=88f1
20
1
Warmup phasesMicro-jitterPayload fuzzing
Results
20Sent1.4msWindowRedeemedExpected

Race won — the coupon applied four times. Classic check-then-act, exploitable only with single-packet timing.

Viewtool

A Hugin tool.

Live in the app — this showcase renders the headline tools in full; everything in the sidebar ships in the same binary.

Connected Copilot Commands Logs Decoder Settings ↓ 238.9 KB  ↑ 12.4 MB Pro v0.1.1

calibrated against the live app · the real components, rendered from the same Kanagawa tokens the binary ships · click the sidebar, switch the theme · one native binary, no JVM, no Electron

// what's inside

Every tool, one binary

community free · Pro adds the offensive bundle

  1. intercepting proxy

    HTTP/1.1, HTTP/2, HTTP/3 and WebSocket · intercept, match & replace, scope · a sitemap that builds itself.

  2. vulnerability scanner

    46 active + 42 passive checks across the OWASP & API Top 10 · out-of-band detection over 6 protocols.

  3. repeater + intruder

    Hand-edit and replay, or run sniper / pitchfork / cluster-bomb attacks at full speed with Turbo mode.

  4. autonomous AI agent

    Set a budget and an "explore" run drives the proxy, scanner, intruder and decoder over 162 MCP tools.

  5. race conditions PRO

    Single-packet attacks beat check-then-act windows the proxy can't — coupon abuse, double-spend, TOCTOU.

  6. Synaps WASM PRO

    Install and run community scanner modules, sandboxed in WebAssembly — extend the engine without trusting it.

Download Hugin → See it break a login How it compares