hax generates HTTP request variants, applies structured mutations, and checks RFC-grounded predicates to find compliance violations in web services.

Unlike scanners (nuclei), fuzzers (ffuf), or proxies (burp), hax treats HTTP compliance as a property-testing problem:
## Quick start

```sh
# Build
make build

# Quick compliance audit
./hax audit https://example.com

# See what's available
./hax list groups
./hax list mutations

# Full property-based test run
./hax run -t https://example.com

# JSON output for pipelines
./hax --json audit https://example.com
```

## Install

```sh
# From source
git clone https://github.com/aygp-dr/http-axiom.git
cd http-axiom
make install    # installs to ~/.local/bin/hax

# Cross-compile
make build-all  # outputs to dist/
```

## Architecture

### Generator

Produces HTTP request variants from the cartesian product of axes:
| Axis | Values |
|---|---|
| Method | GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS |
| Path | User-supplied list |
| Headers | Standard + custom |
| Auth | none, bearer, basic, cookie |
| Origin | omitted, same-site, cross-site |
| Repeat | single, N×, concurrent |
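The generator's core is an ordinary cartesian product over the axes. The following is an added example, not code from the http-axiom repository: it defines its own `Axis`/`Variant` types and a generic `Product` over the method, path, auth and origin axes from the table (the sample paths are constructed). With the seven methods, two paths, four auth modes and three origin modes it yields 7 × 2 × 4 × 3 = 168 variants, and an empty axis correctly yields none.

```go
package main

import "fmt"

// Axis is one named dimension of the product and its candidate values.
// (Hypothetical type for this example, not hax's own generator package.)
type Axis struct {
	Name   string
	Values []string
}

// Variant is one generated request shape: a single point in the product.
type Variant struct {
	Method string
	Path   string
	Auth   string
	Origin string
}

// Product returns every combination of the axes' values, one row per
// combination, with the first axis varying slowest. An empty axis makes
// the whole product empty, which is the mathematically expected result.
func Product(axes []Axis) [][]string {
	rows := [][]string{{}} // the empty product has exactly one (empty) row
	for _, ax := range axes {
		var next [][]string
		for _, row := range rows {
			for _, v := range ax.Values {
				next = append(next, append(append([]string{}, row...), v))
			}
		}
		rows = next
	}
	return rows
}

// Generate turns the four axes used in this example into Variants.
func Generate(methods, paths, auths, origins []string) []Variant {
	axes := []Axis{
		{"method", methods},
		{"path", paths},
		{"auth", auths},
		{"origin", origins},
	}
	var out []Variant
	for _, row := range Product(axes) {
		out = append(out, Variant{Method: row[0], Path: row[1], Auth: row[2], Origin: row[3]})
	}
	return out
}

func main() {
	vs := Generate(
		[]string{"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"},
		[]string{"/", "/api/items"}, // constructed sample paths
		[]string{"none", "bearer", "basic", "cookie"},
		[]string{"omitted", "same-site", "cross-site"},
	)
	fmt.Printf("%d variants\n", len(vs)) // 168
	for _, v := range vs[:3] {
		fmt.Printf("%+v\n", v)
	}
}
```

The product grows multiplicatively, which is why the Headers and Repeat axes are best kept small or sampled rather than enumerated exhaustively against a live target.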

### Mutation operators

| Operator | Effect |
|---|---|
| method-rotate | Cycle through HTTP methods |
| header-omit | Remove required headers |
| header-corrupt | Malform header values |
| header-forge | Inject forged headers (XFF, X-Real) |
| origin-cross-site | Set cross-origin Origin header |
| origin-same-site | Set same-site Origin header |
| repeat-N | Replay request N times |
| repeat-concurrent | Replay request concurrently |
### Predicates

Five RFC-grounded predicate groups:
| Group | Predicates |
|---|---|
| headers | CSP, HSTS, SameSite, CORP |
| methods | idempotency, safety, retries |
| cross-origin | CSRF, CORS, JSONP, redirect |
| cache | ETag, no-store, Vary, 304 |
| state | workflow skip, TOCTOU, replay |
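To show what a predicate in the `headers` group checks, here is an added example (not hax's `internal/predicate` package): four predicates over a `net/http` response, each returning a pass/fail verdict with a reason. The response is constructed inline and deliberately fails three of the four checks: its HSTS header lacks the `max-age` directive that RFC 6797 requires, one cookie has no `SameSite` attribute, and there is no `Cross-Origin-Resource-Policy` header.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Verdict is the outcome of one predicate. (Hypothetical type for this example.)
type Verdict struct {
	Predicate string
	Pass      bool
	Reason    string
}

// Predicate inspects a response and returns a verdict.
type Predicate func(resp *http.Response) Verdict

// HSTS: RFC 6797 requires a max-age directive; browsers ignore the header without it.
func checkHSTS(resp *http.Response) Verdict {
	v := resp.Header.Get("Strict-Transport-Security")
	switch {
	case v == "":
		return Verdict{"hsts", false, "header missing"}
	case !strings.Contains(strings.ToLower(v), "max-age="):
		return Verdict{"hsts", false, "no max-age directive: " + v}
	}
	return Verdict{"hsts", true, v}
}

// CSP: presence only; the policy's strength is a separate question.
func checkCSP(resp *http.Response) Verdict {
	if resp.Header.Get("Content-Security-Policy") == "" {
		return Verdict{"csp", false, "header missing"}
	}
	return Verdict{"csp", true, "present"}
}

// SameSite: every Set-Cookie should carry an explicit SameSite attribute.
// resp.Cookies() parses Set-Cookie and leaves SameSite unset when absent.
func checkSameSite(resp *http.Response) Verdict {
	for _, c := range resp.Cookies() {
		switch c.SameSite {
		case http.SameSiteLaxMode, http.SameSiteStrictMode, http.SameSiteNoneMode:
		default:
			return Verdict{"samesite", false, "cookie without SameSite: " + c.Name}
		}
	}
	return Verdict{"samesite", true, "all cookies set SameSite"}
}

// CORP: Cross-Origin-Resource-Policy restricts which origins may load the resource.
func checkCORP(resp *http.Response) Verdict {
	switch resp.Header.Get("Cross-Origin-Resource-Policy") {
	case "same-origin", "same-site", "cross-origin":
		return Verdict{"corp", true, "present"}
	case "":
		return Verdict{"corp", false, "header missing"}
	}
	return Verdict{"corp", false, "unrecognised value"}
}

var headersGroup = []Predicate{checkHSTS, checkCSP, checkSameSite, checkCORP}

// RunGroup applies every predicate and returns the verdicts and the failure count.
func RunGroup(group []Predicate, resp *http.Response) ([]Verdict, int) {
	var out []Verdict
	fails := 0
	for _, p := range group {
		v := p(resp)
		if !v.Pass {
			fails++
		}
		out = append(out, v)
	}
	return out, fails
}

// sampleResponse is constructed for this example, not captured from any host.
func sampleResponse() *http.Response {
	h := http.Header{}
	h.Set("Strict-Transport-Security", "includeSubDomains") // missing max-age
	h.Set("Content-Security-Policy", "default-src 'self'")
	h.Add("Set-Cookie", "session=abc; Secure; HttpOnly") // no SameSite
	h.Add("Set-Cookie", "theme=dark; SameSite=Lax")
	return &http.Response{StatusCode: 200, Header: h}
}

func main() {
	verdicts, fails := RunGroup(headersGroup, sampleResponse())
	for _, v := range verdicts {
		fmt.Printf("%-9s %-5v %s\n", v.Predicate, v.Pass, v.Reason)
	}
	fmt.Printf("%d failing\n", fails) // 3
}
```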
### Oracle

Reports pass/fail verdicts. Uses Hegel-based shrinking to find the smallest request that still triggers a failure.
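The mutation operators and the shrinking step fit together as follows. This is an added example rather than the project's own `internal/mutation` or `internal/oracle` code: each operator from the table above is a function that rewrites a request in place, and `Shrink` is a generic greedy delta-debugging loop (drop one mutation at a time, keep the removal if the case still fails) rather than hax's own algorithm. The oracle `csrfViolation` is a constructed stand-in for the verdict a live target would produce: it reports the `cross-origin` group's CSRF failure condition, a state-changing request with a cross-site `Origin` and no CSRF token. The origins and token are made up for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Mutation is a named operator that rewrites a request in place.
// (Hypothetical type for this example.)
type Mutation struct {
	Name  string
	Apply func(r *http.Request)
}

// sameSite is the constructed origin of the imaginary application under test.
const sameSite = "https://app.example"

// Four operators in the shape of the mutation table.
var operators = []Mutation{
	{"method-rotate", func(r *http.Request) { r.Method = "POST" }},
	{"header-omit", func(r *http.Request) { r.Header.Del("X-CSRF-Token") }},
	{"header-forge", func(r *http.Request) { r.Header.Set("X-Forwarded-For", "203.0.113.7") }}, // TEST-NET-3 address
	{"origin-cross-site", func(r *http.Request) { r.Header.Set("Origin", "https://other.example") }},
}

// baseRequest builds a fresh, well-formed request for every trial so that
// mutations never leak from one candidate to the next.
func baseRequest() *http.Request {
	h := http.Header{}
	h.Set("Origin", sameSite)
	h.Set("X-CSRF-Token", "constructed-token")
	return &http.Request{Method: "GET", Header: h}
}

func applyAll(ms []Mutation) *http.Request {
	r := baseRequest()
	for _, m := range ms {
		m.Apply(r)
	}
	return r
}

// csrfViolation is a constructed oracle standing in for a live target's
// behaviour: true when a state-changing request carries a cross-site Origin
// and no CSRF token, i.e. the CSRF predicate's failure condition.
func csrfViolation(r *http.Request) bool {
	return r.Method != "GET" && r.Method != "HEAD" &&
		r.Header.Get("Origin") != sameSite &&
		r.Header.Get("X-CSRF-Token") == ""
}

// Shrink removes mutations one at a time, keeping each removal that still
// fails, and repeats until no single mutation can be dropped (1-minimal).
// It returns false when the full set does not fail in the first place.
func Shrink(ms []Mutation, fails func(*http.Request) bool) ([]Mutation, bool) {
	cur := append([]Mutation{}, ms...)
	if !fails(applyAll(cur)) {
		return nil, false
	}
	for changed := true; changed; {
		changed = false
		for i := 0; i < len(cur); i++ {
			cand := append(append([]Mutation{}, cur[:i]...), cur[i+1:]...)
			if fails(applyAll(cand)) {
				cur, changed = cand, true
				i-- // cur[i] now holds the next element; examine it too
			}
		}
	}
	return cur, true
}

// Names lists the operator names of a mutation set, in order.
func Names(ms []Mutation) []string {
	out := make([]string, 0, len(ms))
	for _, m := range ms {
		out = append(out, m.Name)
	}
	return out
}

func main() {
	minimal, ok := Shrink(operators, csrfViolation)
	fmt.Println(ok, Names(minimal)) // true [method-rotate header-omit origin-cross-site]
}
```

Starting from all four operators, the loop discovers that `header-forge` is irrelevant to the failure and drops it, leaving the three mutations that are each necessary; that smaller case is what a report should show, since it names exactly the conditions the target mishandles.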
## Commands

| Command | Description |
|---|---|
| generate (gen) | Generate HTTP request variants |
| mutate (mut) | Apply mutation operators to requests |
| check | Run predicate checks against a target |
| run | Full pipeline: generate → mutate → check |
| list (ls) | List predicates, mutations, groups, methods |
| audit | Quick compliance audit of an endpoint |
| shrink | Minimize a failing test case |
| doctor | Run diagnostic health checks |
| quickstart | Onboarding context for agents |
| version | Print version info |
## Flags

| Flag | Description |
|---|---|
| -t, --target | Target URL |
| -V, --verbose | Verbose output |
| --json | JSON output |
| -v, --version | Print version |
| -h, --help | Show help |
## Project layout

```text
main.go                      CLI entry point (hand-written arg routing)
go.mod                       Module (zero deps)
Makefile                     Build, test, lint, install
CLAUDE.md                    Agent coding context
AGENTS.md                    Agent development rules
internal/
  generator/generator.go     Request variant generation
  mutation/mutation.go       Mutation operators
  predicate/predicate.go     RFC-grounded predicate checks
  oracle/oracle.go           Verdict + shrinking
```
## Design

- Zero dependencies — Go stdlib only. No CLI frameworks.
- Hand-written flag parsing — follows sb / cprr pattern.
- Single binary — cross-compiles to linux/darwin (amd64/arm64).
- JSON output — `--json` flag on all commands for pipeline integration.
- Property-based — not signature scanning, not random fuzzing.
## Test targets

Two deliberately vulnerable targets for development and demos:

```sh
# Built-in lightweight Go server (15 endpoints, all predicate groups)
make haxgoat      # starts on :9999
./hax audit http://localhost:9999
./hax audit http://localhost:9999/secure

# OWASP Juice Shop via Docker (real REST API + OpenAPI spec)
make juice-shop   # starts on :3000
./hax audit http://localhost:3000

# Auto-detect and audit whichever is running
make smoke
```

See cmd/haxgoat/main.go for the full endpoint manifest, or query /manifest at runtime.
## Development

```sh
make build       # Build with version info
make test        # Run tests
make test-race   # With race detector
make lint        # Vet + gofmt + golangci-lint
make smoke       # Audit against haxgoat or Juice Shop
make help        # All targets
```

## License

MIT
