crowbar

Overview

Crowbar is a terminal-based web security proxy written in Rust. It intercepts, inspects, and modifies HTTP/HTTPS traffic in real time — entirely from your terminal.

Core capabilities:

Crowbar TUI  - History view

The Crowbar TUI on startup

Supported Platforms

OSArchitecture
Linux (musl)x86_64, aarch64
macOSx86_64, aarch64 (Apple Silicon)
FreeBSDx86_64, aarch64
OpenBSDx86_64, aarch64

Installation

Crowbar requires Rust 1.85+ (edition 2024).

$ git clone https://github.com/polera/crowbar.git
$ cd crowbar
$ cargo build --release

The binary lands at target/release/crowbar. Move it somewhere on your $PATH.

Cross-compile

The Makefile supports cross-compilation via cross for multiple platforms:

# Build all release binaries
$ make release

# Build for a single target
$ make linux-amd64
$ make macos-arm64

Binaries are placed in dist/ as crowbar-<version>-<os>-<arch>.

Quick Start

# Start with defaults (127.0.0.1:8080)
$ crowbar

# Custom bind address
$ crowbar --bind 0.0.0.0:9090

# Start with intercept enabled, scoped to a domain
$ crowbar --intercept --scope '*.example.com'

# Start with Vim editor mode
$ crowbar --editor-mode vim

# Decode gRPC traffic against your .proto schema
$ crowbar --proto-dir ./protos

# Load a saved session
$ crowbar --load ~/.crowbar/sessions/my-session.json

Point your browser or tool at 127.0.0.1:8080 as an HTTP proxy. For HTTPS, install the CA certificate first (see below).

CA Certificate Setup

On first run, Crowbar generates a root CA at ~/.crowbar/ca.pem. To intercept HTTPS traffic, add this CA to your browser or OS trust store.

Export the certificate

# Print to stdout
$ crowbar ca-export

# Save to a file
$ crowbar ca-export /tmp/crowbar-ca.pem

macOS

$ sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain ~/.crowbar/ca.pem

Firefox

Settings → Privacy & Security → Certificates → View Certificates → Import → select ~/.crowbar/ca.pem → trust for websites.

Linux (Debian/Ubuntu)

$ sudo cp ~/.crowbar/ca.pem /usr/local/share/ca-certificates/crowbar.crt
$ sudo update-ca-certificates

Proxy & Intercept

The proxy tab is the first thing you see. It shows the current bind address, intercept status, and any pending intercepted request.

With intercept off, traffic flows through and is logged to history. With intercept on, each request pauses for your review. You can:

Crowbar TUI  - Proxy tab

Proxy tab with intercept controls and current request view

Scope

Scope filters limit which hosts are captured. Patterns use glob matching, so *.example.com captures all subdomains.

$ crowbar --scope '*.example.com' --scope 'api.internal.dev'

Runtime reconfiguration

Press b in the Proxy tab to change the bind address, or s to edit scope patterns — both without restarting Crowbar.

History

Every proxied request/response pair is recorded. The history tab lists all entries with method, host, path, status, and size. Use / to filter by any field.

From the history view you can:

Response bodies are syntax-highlighted for JSON and HTML, with pretty-printing applied automatically. The detail view also displays security findings, WebSocket messages, and gRPC frames when applicable.

Repeater

The repeater lets you edit and resend any request manually. Send a request from history with r, then modify it and hit Ctrl+Enter to send.

The repeater is ideal for testing payloads, probing API endpoints, and verifying fixes to discovered issues.

Crowbar TUI  - Repeater tab

Repeater with side-by-side request and response panes

Match & Replace Rules

Define rules to automatically modify traffic as it passes through the proxy. Rules can target requests, responses, or both.

SettingOptions
TargetRequest, Response, or Both
ScopeURL, Headers, Body, or All
ModeLiteral or Regex

Each rule has a name, match pattern, replacement string, and can be toggled on/off with Enter. In the rules tab, press a to add, x to delete.

Crowbar TUI  - Rules tab

Match & Replace rules configuration

Import & Export

Rules can be saved to and loaded from JSON files in ~/.crowbar/rules/.

Imported rules are merged with existing rules. Tilde expansion (~/) is supported in import paths.

Passive Scanner

Crowbar passively scans proxied responses for common security issues. Findings are attached to history entries and categorized by severity.

CheckSeverity
Missing HSTS headerMedium
Missing Content-Security-PolicyMedium
Missing X-Frame-OptionsLow
Missing X-Content-Type-OptionsLow
Cookie without Secure flagMedium
Cookie without HttpOnly flagLow
Cookie without SameSite flagLow
Server header disclosureInfo
X-Powered-By header disclosureInfo
5xx server error responsesMedium
Stack trace in response bodyHigh

Stack trace detection covers Java, Python, Go, and .NET patterns.

WebSocket Support

Crowbar captures WebSocket handshakes and relays frames between client and server. Captured messages are displayed with timestamps, direction (client → server or server → client), and payload content.

Both text and binary frames are supported.

gRPC Inspection

Crowbar automatically detects application/grpc traffic and extracts individual protobuf frames from the wire format. Each message is displayed with its compressed flag and length in the history detail view.

gRPC responses are parsed per the HTTP/2 gRPC wire protocol: a 5-byte header (compression flag + 4-byte length) followed by the serialized protobuf payload. Multi-message streams are split into individual frames for inspection.

Schema-aware decoding

Point Crowbar at your .proto files and it decodes gRPC messages with real field names, enum names, and accurate types — instead of the schema-agnostic heuristic decoder. Crowbar compiles the supplied .proto directories into a descriptor pool and resolves each /package.Service/Method path to its request and response message types.

# Decode against your .proto schema (repeat for multiple dirs)
$ crowbar --proto-dir ./protos --proto-dir ./vendor/protos

# Add extra import/include paths for protos that import across roots
$ crowbar --proto-dir ./protos --proto-include ./third_party

With a schema loaded, decoded messages can be edited and replayed in the Repeater with full re-encoding through a real protobuf encoder. When no schema is loaded or a message type can't be resolved, Crowbar falls back to the heuristic decoder automatically. Schema directories can also be set via the proto_dir and proto_include config keys.

Encoding Tools

The tools tab provides an interactive encoder/decoder. Type or paste input and see the output update in real time.

ToolDescription
URL Encode/DecodeRFC 3986 percent-encoding
Base64 Encode/DecodeStandard Base64 conversion
Hex Encode/DecodeHexadecimal byte representation

Switch between tools with l/h, edit input with e, and copy output to the system clipboard with Ctrl+Y.

Crowbar TUI  - Tools tab

Encoding tools with live input/output

Macros & Sequences

Chain multiple requests into a sequence and execute them in order. Useful for multi-step workflows like login → action → verify.

Editor Modes

All text editors in Crowbar (intercept, repeater, tools, rules) share one of two editing modes, toggled at any time with F2.

Default mode

Standard text editing with arrow key navigation, Home/End, Ctrl+Home/Ctrl+End, Backspace/Delete, and Enter for new lines. Press Esc to exit the editor.

Vim mode

Enters normal mode by default. Press i, a, I, A, o, or O to switch to insert mode; press Esc to return to normal mode, and q in normal mode to exit the editor.

KeyAction
h / j / k / lMove left / down / up / right
0 / $Jump to line start / end
^First non-whitespace character
w / b / eWord forward / backward / end
gg / GGo to beginning / end of text
xDelete character at cursor
D / d$Delete to end of line
ddDelete entire line
dwDelete word
uUndo
qExit editor

Set the initial editor mode via CLI (--editor-mode vim) or config file (editor_mode = "vim").

Multi-Instance Support

Run multiple Crowbar instances simultaneously. If the default port (8080) is already in use, Crowbar automatically tries the next available port — scanning up to 25 consecutive ports from the base address. This avoids conflicts with other local services or other Crowbar instances.

Keyboard Shortcuts

Global

KeyAction
Tab / Shift+TabSwitch tabs
15Jump to tab
?Show help
F2Toggle editor mode (Default / Vim)
Ctrl+SOpen save dialog
q / Ctrl+CQuit (with save prompt)

Proxy Tab

KeyAction
iToggle intercept on/off
fForward intercepted request
dDrop intercepted request
eEdit intercepted request
bChange bind address
sEdit scope patterns
CExport CA certificate
j / kScroll request body

History Tab

KeyAction
j / kNavigate entries
g / GJump to first / last
/Filter
EnterView details
rSend to repeater
mAdd to macro
cExport as curl
wExport as raw HTTP
hExport all as HAR

Repeater Tab

KeyAction
Ctrl+EnterSend request
eEdit request
dToggle diff view
MToggle macro view
j / kScroll request
J / KScroll response
xRemove macro step
XClear all macro steps

Rules Tab

KeyAction
aAdd new rule
xDelete selected rule
EnterToggle enabled/disabled
n / p / eEdit name / pattern / replacement
tCycle target (Request → Response → Both)
sCycle scope (URL → Headers → Body → All)
RToggle regex mode
IImport rules from file
EExport rules to file

Tools Tab

KeyAction
eEdit input
l / hNext / previous tool
j / kScroll output
Ctrl+UClear input
Ctrl+YCopy output to system clipboard

CLI Reference

Main command

crowbar [OPTIONS]
FlagDescriptionDefault
--bind <ADDR>Proxy bind address127.0.0.1:8080
--interceptStart with intercept enabledoff
--scope <PATTERN>Host scope (repeatable)all hosts
--config <PATH>Config file path~/.crowbar/config.toml
--editor-mode <MODE>Editor mode (default or vim)default
--proto-dir <PATH>.proto directory for gRPC schema decoding (repeatable)
--proto-include <PATH>Extra import/include path for protos (repeatable)
--load <PATH>Load session from file

Subcommands

# Export the CA certificate
$ crowbar ca-export [OUTPUT_PATH]

# Import a HAR file
$ crowbar import <FILE> --name <SESSION_NAME>

# Export a rules template
$ crowbar rules-export [OUTPUT_PATH]

# Validate a rules file
$ crowbar rules-validate <FILE>

Configuration

Optionally configure defaults in ~/.crowbar/config.toml. CLI flags always override config file values.

# ~/.crowbar/config.toml
bind = "127.0.0.1:8080"
intercept = false
scope = ["*.example.com"]
editor_mode = "default"  # or "vim"
proto_dir = ["./protos"]         # .proto dirs for gRPC decoding
proto_include = ["./third_party"] # extra import/include paths

File locations

PathPurpose
~/.crowbar/config.tomlConfiguration file
~/.crowbar/ca.pemRoot CA certificate
~/.crowbar/ca.keyRoot CA private key
~/.crowbar/rules/Exported rule sets
~/.crowbar/sessions/Saved sessions
~/.crowbar/exports/Exported files
~/.crowbar/crowbar.logProxy log

Sessions & Export

Press Ctrl+S to open the save dialog, which shows a pre-filled path in ~/.crowbar/sessions/. Edit the path if needed and press Enter to save, or Esc to cancel. Sessions are stored as JSON and include history entries and any repeater macros. Reload a saved session with --load.

When quitting (q or Ctrl+C), Crowbar prompts to confirm. Press y to save before exiting, n to quit without saving, or Esc to cancel and stay.

Export formats

FormatKeyDescription
HARhHTTP Archive — standard format, compatible with browser dev tools and other proxies
curlcExecutable curl command for reproducing the request
Raw HTTPwRaw HTTP request/response text

Importing

$ crowbar import recording.har --name my-session

Imports a HAR file as a session for further analysis in Crowbar.

Development

# Run all checks (clippy + cargo audit)
$ make checks

# Run clippy lints only
$ make lint

# Clean build artifacts
$ make clean

CI runs clippy and cargo audit on every push and pull request to main.