Bandsalat: The versatile web hacker toolkit

Bandsalat helps web penetration testers and bug bounty hunters untangle the Web

Free Download

Bandsalat is a modern take on an intercepting proxy with a focus on innovation, productivity and sometimes magic. It comes with everything you would expect for manual web penetration testing.

Feature Highlights

Less context switching: All data at your fingertips

Filter host, path or content-type with wildcards and bodies with CSS selectors.

Instantly get deep insights into parameters, cookies, certificates, referers, EXIF and more.

Select two rows to instantly compare requests, responses, parameters, cookies, etc.

Select more than two rows to see aggregated data to understand what you're working with.

Switch to /download


Sensible WebSockets: It's not a table, lol

Have you ever used a messaging app? Then you already know how to use the WebSocket editor. It's literally a chat window (*ahem* on steroids).

Mom, can we have WebSockets?

No. There is WebSockets at home.

At home:

+-----------+---+------+------+
| Literally | a | huge | dump |
+-----------+---+------+------+

Chat with hot servers in your area


No awkward forced UI: Text UI ≡ Best UI

HTTP headers are multiline text that you can edit/copy/paste.

Conditions use a very simple DSL and no weirdly nested AND/OR/NOT UI elements.

Project scope is just multiline wildcard text with a simple exclude-operator.

Fuzzer uses literal Liquid templates with the full power of filters and conditions.

You get the point. Bandsalat does not force everything into clunky UI elements.

Download Bandsalat


Extract the data you need: There's so much treasure in your proxy data

Use SQL to query HTML/XML bodies, JSON bodies, HTTP headers and whatnot. Scraping has never been easier.

Examples:

Find all external scripts

You can access the DOM and use CSS selectors inside SQL!? Excuse me?
SELECT
  dom_attributes.value
FROM
  bodies,
  dom_attributes(text, 'script[src]', 'src')

Extract all query parameters

This one combines nicely with the Fuzzer ;)
SELECT
  search_params.name, search_params.value
FROM
  requests, search_params(search)

CLICK IF YOU ♥ SQL OR 1#

Show me more stupid crazy examples

Find all HTTP flows where the response was an image shot with a Canon or Potato

I need that all the time, you know :D
SELECT
  *
FROM
  full_http
WHERE
  exif(response_body, 'Name') IN ('Canon', 'Potato')

Get all CSP script-src directives

SELECT
  csp.value
FROM
  response_headers AS h, csp(h.value)
WHERE
  h.name_lower IN (
    'content-security-policy',
    'content-security-policy-report-only',
    'x-content-security-policy',
    'x-webkit-csp'
  )
  AND csp.name = 'script-src'

Find all HTTP flows where the response contains a <form> with a hidden <input> whose value is Base64-encoded JSON in which the name key has the value Bandsalat

Amen!
SELECT
  *
FROM
  full_http,
  dom_attributes(
    response_body_text,
    'form input[hidden]',
    'value'
  )
WHERE
  json_extract(
    base64_decode(dom_attributes.value),
    '$.name'
  ) = 'Bandsalat'

Encode it, decode it, compress it, decompress it, encrypt it, decrypt it, hash it, script it. Technologic.

With Digester you create pipelines that process data. Chain operations like URL encoding, HTML entities, JSON strings, Base64, Hex, Gzip, Brotli, sha256 and even custom scripts. Everything updates instantly.

Om nom nom


Edit HTTP faster: IDE-level HTTP editing

Never type Content-Type or application/json; charset=utf-8 ever again. There's autocomplete for headers, pathnames and more.

Play pretend HTTP client now!

Automate your manual testing: Modify HTTP and WebSocket traffic on the fly

{add, remove, edit, fake, pause, drop, fork, tag, script} × {requests, responses, headers, bodies, messages}.

Hours of automation could save you minutes of work 🤯

Start saving time


Multi-window, multi-monitor: Windows, windows everywhere (even on Linux)

Open anything in a new window. No matter if it's a whole module or just a single HTML body.

All windows and state (selected items, scroll position etc.) are restored when you open your project the next day.

Download (in a new window)


Own your proxy data: It's just SQLite

A *.bandsalat project file is literally a SQLite database. With a vanilla SQLite client you can always open, query and share your raw (but tidily normalized) proxy data, even when you no longer have a Bandsalat license. No vendor lock-in. Keep in mind that the table-valued helpers used in the query examples above (dom_attributes, search_params, exif, csp and friends) are provided by Bandsalat's own SQL environment; a vanilla client sees the tables, not those functions.
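As an added illustration of the "it's just SQLite" claim (this is not Bandsalat's code, and it assumes nothing about Bandsalat's actual table names), the script below opens a project file read-only with Python's standard sqlite3 module, verifies the SQLite header first, enumerates whatever tables, columns, row counts and foreign keys the file contains, and exports one table to CSV. The sample database it builds in build_sample_project() is constructed here for the demo and is not Bandsalat's real schema.

```python
"""Inspect a *.bandsalat project with nothing but Python's standard sqlite3.

Added example, not Bandsalat's code. Assumes only what the page states: the
project file is an ordinary SQLite 3 database. No table names are hard-coded;
the schema built in build_sample_project() is invented for this demo.
"""
import csv
import sqlite3
import tempfile
from pathlib import Path
from typing import Any, Dict

# Every SQLite 3 database file starts with this 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path: str) -> bool:
    """Check the header before handing an untrusted file to sqlite3."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def open_read_only(path: str) -> sqlite3.Connection:
    """Open with mode=ro so inspecting a project can never modify it."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def _quote_ident(name: str) -> str:
    """Names read from sqlite_master are data, not trusted SQL: quote them."""
    return '"' + name.replace('"', '""') + '"'


def describe_schema(conn: sqlite3.Connection) -> Dict[str, Dict[str, Any]]:
    """Enumerate user tables with columns, row counts and foreign keys, whatever they are called."""
    tables = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        )
    ]
    schema: Dict[str, Dict[str, Any]] = {}
    for table in tables:
        q = _quote_ident(table)
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({q})")]
        # PRAGMA foreign_key_list rows: (id, seq, table, from, to, on_update, on_delete, match)
        foreign_keys = [
            {"column": row[3], "references": f"{row[2]}.{row[4]}"}
            for row in conn.execute(f"PRAGMA foreign_key_list({q})")
        ]
        rows = conn.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
        schema[table] = {"columns": columns, "rows": rows, "foreign_keys": foreign_keys}
    return schema


def export_table_csv(conn: sqlite3.Connection, table: str, out_path: str) -> int:
    """Dump one table to CSV for someone with neither Bandsalat nor a SQLite client; returns rows written."""
    cur = conn.execute(f"SELECT * FROM {_quote_ident(table)}")
    written = 0
    with open(out_path, "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow([col[0] for col in cur.description])
        for row in cur:
            writer.writerow(row)
            written += 1
    return written


def build_sample_project(path: str) -> None:
    """Constructed stand-in for a project file; these tables are invented for the demo."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE flows (id INTEGER PRIMARY KEY, method TEXT, url TEXT, status INTEGER);
        CREATE TABLE headers (id INTEGER PRIMARY KEY, flow_id INTEGER REFERENCES flows(id),
                              name TEXT, value TEXT);
        INSERT INTO flows VALUES (1, 'GET', 'https://example.test/', 200),
                                 (2, 'POST', 'https://example.test/login', 302);
        INSERT INTO headers VALUES (1, 1, 'content-type', 'text/html'),
                                   (2, 2, 'set-cookie', 'sid=abc; Path=/'),
                                   (3, 2, 'location', '/home');
        """
    )
    conn.commit()
    conn.close()


def run_demo() -> Dict[str, Any]:
    """Build the sample, inspect it read-only, prove writes are refused, export one table."""
    with tempfile.TemporaryDirectory() as tmp:
        project = str(Path(tmp) / "demo.bandsalat")
        build_sample_project(project)
        result: Dict[str, Any] = {"is_sqlite": is_sqlite_file(project)}
        conn = open_read_only(project)
        try:
            result["schema"] = describe_schema(conn)
            try:
                conn.execute("DELETE FROM flows")
                result["write_blocked"] = False
            except sqlite3.OperationalError:  # "attempt to write a readonly database"
                result["write_blocked"] = True
            result["exported"] = export_table_csv(conn, "headers", str(Path(tmp) / "headers.csv"))
        finally:
            conn.close()
        return result


if __name__ == "__main__":
    for table, info in run_demo()["schema"].items():
        print(table, info)
```

Point open_read_only() at a real project file to get the same listing for its actual tables; the read-only URI matters because a plain sqlite3.connect() on a project you are still using could leave a journal behind or race with the running application.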

Stop pwning your data


Ready to find your first vulnerability?

Start Hacking 👩🏻‍💻