cyrenus-sec/http-cli

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HTTP-CLI & Security Scanner - Enterprise Edition

Table of Contents

  1. Introduction
  2. Installation
  3. Basic Usage
  4. Enterprise Security Features
  5. HTTP Request Features
  6. Security Scanning
  7. Command Reference
  8. Best Practices

Introduction

http-cli is a comprehensive HTTP client and security vulnerability scanner written in Go. It combines the utility of tools like Postman/cURL with enterprise-grade security testing capabilities, including compliance mapping, role-based access control (RBAC) testing, and Zero-Trust architecture validation.


Installation

Option 1: Download Pre-built Binaries (Recommended)

  1. Download the latest release for your platform from GitHub Releases

  2. Extract the archive:

    # For Linux/macOS
    tar -xzf httpcli-linux-amd64.tar.gz
    
    # For Windows (PowerShell)
    Expand-Archive httpcli-windows-amd64.zip
  3. Move to system PATH (optional, for global access):

    # Linux/macOS
    sudo mv httpcli /usr/local/bin/
    
    # Or add to your user bin directory
    mv httpcli ~/.local/bin/

Option 2: Build from Source

Prerequisites

  • Go 1.18 or higher

Steps

  1. Build the tool:
    go mod tidy
    go build -o httpcli main.go
    # Then move the binary onto your PATH, or run it from the current directory:
    sudo mv httpcli /usr/local/bin/
  2. Run:
    ./httpcli -url "https://api.example.com"

Basic Usage

Simple Request

# GET Request
./httpcli -url "https://api.example.com/users"

# POST with JSON
./httpcli -X POST -url "https://api.example.com/users" \
  -H "Content-Type:application/json" \
  -d '{"name":"John", "role":"admin"}'

Enterprise Security Features

Compliance Reporting

Automatically map security findings to major compliance standards.

Supported Standards:

  • PCI DSS: Payment Card Industry Data Security Standard
  • HIPAA: Health Insurance Portability and Accountability Act
  • GDPR: General Data Protection Regulation

Usage:

# Generate a report checking against PCI DSS and GDPR
./httpcli -url "https://api.example.com" -scan -compliance pci,gdpr

# Output JSON report for integration
./httpcli -url "https://api.example.com" -scan -compliance pci -report-format json

RBAC & Privilege Escalation

Automated testing for Broken Access Control: verifies whether lower-privileged roles can reach endpoints that should require higher privileges.

  1. Create a roles.json configuration:

    {
        "roles": [
            {
                "name": "guest",
                "headers": { "Authorization": "Bearer guest-token" }
            },
            {
                "name": "user",
                "headers": { "Authorization": "Bearer user-token" }
            }
        ]
    }
  2. Run the Scan:

    # Test if 'guest' or 'user' can access the admin panel
    ./httpcli -url "https://api.example.com/admin/settings" -scan -rbac-config roles.json
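The differential check behind this flag, written out as an added example rather than the project's own code: it reads the roles.json above, records how the endpoint answers an anonymous request, then replays the request as each role and reports any role that is let through. The target is a constructed httptest server with a deliberately broken /admin/settings handler (any bearer token is accepted) and a correctly protected /admin/users as a negative control; both handlers and the admin-token value are assumptions for the demo, not real endpoints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// rolesJSON is the roles.json shown above, embedded so the example runs offline.
const rolesJSON = `{"roles":[
  {"name":"guest","headers":{"Authorization":"Bearer guest-token"}},
  {"name":"user","headers":{"Authorization":"Bearer user-token"}}]}`

// Role is one roles.json entry: a label plus the headers that authenticate it.
type Role struct {
	Name    string            `json:"name"`
	Headers map[string]string `json:"headers"`
}

func loadRoles(data []byte) ([]Role, error) {
	var cfg struct{ Roles []Role `json:"roles"` }
	err := json.Unmarshal(data, &cfg)
	return cfg.Roles, err
}

// probe issues one GET carrying the given headers and returns the status code.
func probe(client *http.Client, target string, headers map[string]string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return 0, err
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// scanRBAC records how the endpoint treats an anonymous caller, then replays the request as each
// role. roles.json is assumed to list only roles that must NOT reach the endpoint, so any 2xx for
// them is reported (role -> status); an endpoint already open to anonymous callers is reported once.
func scanRBAC(client *http.Client, roles []Role, target string) (map[string]int, error) {
	findings := map[string]int{}
	baseline, err := probe(client, target, nil)
	if err != nil {
		return nil, err
	}
	if baseline/100 == 2 {
		findings["anonymous"] = baseline
		return findings, nil
	}
	for _, role := range roles {
		status, err := probe(client, target, role.Headers)
		if err != nil {
			return nil, err
		}
		if status/100 == 2 {
			findings[role.Name] = status
		}
	}
	return findings, nil
}

// newDemoServer is a constructed target, not a real API. /admin/settings has a deliberate
// bug: any bearer token is accepted. /admin/users checks the token value (negative control).
func newDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/settings", func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") { // BUG: value never checked
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"maintenance":false}`)
	})
	mux.HandleFunc("/admin/users", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer admin-token" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `[]`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newDemoServer()
	defer srv.Close()
	roles, _ := loadRoles([]byte(rolesJSON))
	for _, path := range []string{"/admin/settings", "/admin/users"} {
		findings, err := scanRBAC(srv.Client(), roles, srv.URL+path)
		fmt.Println(path, findings, err) // /admin/settings map[guest:200 user:200] <nil>; /admin/users map[] <nil>
	}
}
```

The comparison against the anonymous baseline is the important design point: an endpoint that already answers 200 to nobody in particular is an authentication gap, not a privilege escalation, and reporting it once per role would only be noise. Note that a 2xx is only evidence of access, not proof; a real scan should still confirm that the body returned to the low-privilege role is the privileged content and not a generic page.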

Zero-Trust Architecture

Validate that your application adheres to Zero-Trust principles: "Never Trust, Always Verify".

Checks Performed:

  • Strict Transport Enforcement: Verifies HSTS with includeSubDomains.
  • Modern Encryption: Requires TLS 1.2 or newer; flags plaintext HTTP and weak cipher suites.
  • Ubiquitous Authentication: Flags any endpoint that is publicly accessible (status 200 without auth headers).

Usage:

./httpcli -url "https://api.example.com/resource" -scan -check-architecture zero-trust
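One way to implement the three checks listed above against an unauthenticated GET, as an added example that is not part of http-cli (the tool's actual rule set is not shown on this page). It parses the HSTS header directive by directive, reads the negotiated TLS version off resp.TLS (nil for a plain http:// connection), and treats a 200 to a credential-less request as an open endpoint. The cipher-suite part of the "Modern Encryption" check is not implemented here. The targets are constructed httptest servers, and the HSTS value and bearer-token rule they use are assumptions for the demo.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// ZTResult records the three zero-trust checks for one endpoint, probed without credentials.
type ZTResult struct {
	HSTSMaxAge      int64  // parsed max-age; 0 when absent or malformed
	HSTSSubdomains  bool   // includeSubDomains directive present
	TLSVersion      uint16 // negotiated tls.Version* constant; 0 for plaintext HTTP
	OpenWithoutAuth bool   // 200 OK to a request carrying no Authorization header
}

// parseHSTS reads Strict-Transport-Security directives; names are case-insensitive (RFC 6797).
func parseHSTS(value string) (maxAge int64, subdomains bool) {
	for _, d := range strings.Split(value, ";") {
		name, arg, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(name) {
		case "max-age":
			maxAge, _ = strconv.ParseInt(strings.Trim(arg, `"`), 10, 64)
		case "includesubdomains":
			subdomains = true
		}
	}
	return maxAge, subdomains
}

// checkEndpoint sends one GET with no credentials and evaluates the reply.
func checkEndpoint(client *http.Client, target string) (ZTResult, error) {
	resp, err := client.Get(target)
	if err != nil {
		return ZTResult{}, err
	}
	defer resp.Body.Close()
	var r ZTResult
	if hsts := resp.Header.Get("Strict-Transport-Security"); hsts != "" {
		r.HSTSMaxAge, r.HSTSSubdomains = parseHSTS(hsts)
	}
	if resp.TLS != nil { // nil when the connection was plain http://
		r.TLSVersion = resp.TLS.Version
	}
	r.OpenWithoutAuth = resp.StatusCode == http.StatusOK
	return r, nil
}

// violations lists what a zero-trust report would flag for a result.
func violations(r ZTResult) []string {
	var out []string
	if r.HSTSMaxAge <= 0 || !r.HSTSSubdomains {
		out = append(out, "HSTS missing, without max-age, or without includeSubDomains")
	}
	switch {
	case r.TLSVersion == 0:
		out = append(out, "plaintext HTTP")
	case r.TLSVersion < tls.VersionTLS12:
		out = append(out, fmt.Sprintf("TLS version 0x%04x below 1.2", r.TLSVersion))
	}
	if r.OpenWithoutAuth {
		out = append(out, "200 OK without credentials")
	}
	return out
}

// newZTDemoServer is a constructed target. hardened=true sends HSTS and demands a bearer
// token; hardened=false is an open endpoint with no HSTS. useTLS picks https:// or http://.
func newZTDemoServer(hardened, useTLS bool) *httptest.Server {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hardened {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
			if r.Header.Get("Authorization") == "" {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		fmt.Fprint(w, "ok")
	})
	if useTLS {
		return httptest.NewTLSServer(h)
	}
	return httptest.NewServer(h)
}

func main() {
	for _, c := range []struct{ hardened, useTLS bool }{{true, true}, {false, true}, {false, false}} {
		srv := newZTDemoServer(c.hardened, c.useTLS)
		r, err := checkEndpoint(srv.Client(), srv.URL+"/resource")
		srv.Close()
		fmt.Printf("hardened=%v tls=%v -> %v %v\n", c.hardened, c.useTLS, violations(r), err)
	}
}
```

Two caveats a report should carry: an HSTS header is only meaningful on an https:// response (browsers ignore it over plain HTTP), so the plaintext finding and the HSTS finding usually go together; and a 401 or 403 to an anonymous request says nothing about whether the check is enforced consistently, which is what the RBAC scan above is for.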

Data Governance

Ensure security testing itself is secure and auditable.

  • Audit Logging: Generates a cryptographically signed log of all actions (audit.log).
  • Redaction: Automatically masks secrets (API Keys, Tokens) in console output.

Usage:

# Run with audit logging and output redaction enabled
./httpcli -url "https://api.example.com" -scan -audit-log -redact

HTTP Request Features

Supports all standard HTTP capabilities:

  • Methods: GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS.
  • Headers: Custom key-value pairs (-H "Key:Val").
  • Body: Raw string (-d) or file-based (-data-file).
  • Files: Multipart upload support (-f "file=@/path/to.pdf").

Security Scanning

The tool includes 15+ built-in vulnerability scanners:

  • SQL Injection (sql)
  • XSS (xss)
  • Path Traversal (path)
  • SSRF (ssrf)
  • XML External Entity (xxe)
  • Command Injection (cmd)
  • IDOR (idor)
  • OWASP API8:2023 Security Misconfiguration (misconfig)
  • HTTP Request Smuggling (Desync) (desync)
  • And more...

Run a full scan:

./httpcli -url "https://target.com" -scan

Run security misconfiguration scan:

./httpcli -url "https://target.com" -scan -scan-type misconfig

Run HTTP desync/smuggling scan:

./httpcli -url "https://target.com" -scan -scan-type desync

Important Limitations:

  • Go's net/http client automatically normalizes headers, which limits raw socket manipulation.
  • Detection is conservative and flags potential issues for manual verification.
  • Results marked as "Medium" severity require further testing with specialized tools (such as Burp Suite's HTTP Request Smuggler).

Note: This is a detection tool, not a full exploitation framework. Positive results should be verified with dedicated desync testing tools.
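What the first limitation means in practice, shown as an added example that is not part of http-cli: a raw TCP listener captures exactly what net/http puts on the wire for a CL.TE-style probe. The probe's header names and values, and the tiny listener, are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// captureRawRequest listens on a raw TCP socket (deliberately not an http.Server, so
// nothing on the receiving side re-parses the bytes), sends the request built by
// build() through net/http, and returns the request head exactly as it arrived.
func captureRawRequest(build func(target string) *http.Request) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	head := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			head <- ""
			return
		}
		defer conn.Close()
		r := bufio.NewReader(conn)
		var sb strings.Builder
		bodyLen := int64(0)
		for {
			line, err := r.ReadString('\n')
			if err != nil {
				break
			}
			sb.WriteString(line)
			if line == "\r\n" { // end of headers
				break
			}
			if k, v, ok := strings.Cut(line, ":"); ok && strings.EqualFold(k, "Content-Length") {
				bodyLen, _ = strconv.ParseInt(strings.TrimSpace(v), 10, 64)
			}
		}
		io.CopyN(io.Discard, r, bodyLen) // drain the body so the client gets a clean response
		io.WriteString(conn, "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
		head <- sb.String()
	}()

	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Do(build("http://" + ln.Addr().String() + "/"))
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-head, nil
}

// buildDesyncProbe is the kind of CL.TE probe a smuggling check would like to send:
// a Content-Length that lies about the 3-byte body, a conflicting Transfer-Encoding,
// and a header name whose casing a naive front-end might treat differently.
func buildDesyncProbe(target string) *http.Request {
	req, err := http.NewRequest(http.MethodPost, target, strings.NewReader("x=1"))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Length", "999")
	req.Header.Set("Transfer-Encoding", "chunked")
	req.Header.Set("x-probe-casing", "as-typed")
	return req
}

func main() {
	raw, err := captureRawRequest(buildDesyncProbe)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(raw) // Content-Length: 3, no Transfer-Encoding line, X-Probe-Casing: as-typed
}
```

Content-Length and Transfer-Encoding set through the Header map are dropped on write and regenerated from req.ContentLength and req.TransferEncoding, and Header.Set canonicalises the field name, so a probe that depends on conflicting framing or on unusual casing cannot be expressed through http.Client. That is the reason a "Medium" result here needs confirmation with a tool that writes raw sockets.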


Command Reference

Flag                 Description
-url                 Target URL (required)
-scan                Enable security scanning mode
-scan-type           Run a single scanner (e.g., misconfig, desync)
-compliance          Comma-separated standards (pci, hipaa, gdpr)
-rbac-config         Path to RBAC JSON config file
-check-architecture  Architecture mode (e.g., zero-trust)
-audit-log           Enable signed audit logging
-redact              Mask sensitive data in output
-report-format       Report output format (text, json)
-X                   HTTP method (default GET)
-H                   Headers (Key:Value,Key:Value)
-d                   Request body data
-data-file           Read the request body from a file
-f                   Multipart file uploads (file=@/path/to.pdf)

Best Practices

  1. Zero-Trust: Always run with -check-architecture zero-trust when auditing internal services to ensure no implicit trust exists.
  2. Compliance: Use -compliance flags during CI/CD pipelines to catch violations early.
  3. Audit: Enable -audit-log when performing penetration tests for client accountability.

About

HTTP test CLI tool in Go, like curl with more features.
