Overview

Crowbar is a terminal-based web security proxy written in Rust. It intercepts, inspects, and modifies HTTP/HTTPS traffic in real time — entirely from your terminal. Think Burp Suite or ZAP, but keyboard-driven and zero-GUI.

Core capabilities:

MITM proxy with on-the-fly TLS certificate generation
Intercept mode — pause, inspect, edit, forward or drop requests
Request history with filtering and search
Repeater for manual request replay and editing
Regex-powered match & replace rules
Passive vulnerability scanning
WebSocket frame capture
Session save/load and HAR/curl/raw export
URL, Base64, and Hex encoding tools
Macro sequences for request chaining

Installation

Crowbar requires Rust 1.85+ (edition 2024).

$ git clone https://github.com/polera/crowbar.git
$ cd crowbar
$ cargo build --release

The binary lands at target/release/crowbar. Move it somewhere on your $PATH.

Quick Start

# Start with defaults (127.0.0.1:8080)
$ crowbar

# Custom bind address
$ crowbar --bind 0.0.0.0:9090

# Start with intercept enabled, scoped to a domain
$ crowbar --intercept --scope '*.example.com'

# Load a saved session
$ crowbar --load ~/.crowbar/sessions/my-session.json

Point your browser or tool at 127.0.0.1:8080 as an HTTP proxy. For HTTPS, install the CA certificate first (see below).

CA Certificate Setup

On first run, Crowbar generates a root CA at ~/.crowbar/ca.pem. To intercept HTTPS traffic, add this CA to your browser or OS trust store.

Export the certificate

# Print to stdout
$ crowbar ca-export

# Save to a file
$ crowbar ca-export /tmp/crowbar-ca.pem

macOS

$ sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain ~/.crowbar/ca.pem

Firefox

Settings → Privacy & Security → Certificates → View Certificates → Import → select ~/.crowbar/ca.pem → trust for websites.

Linux (Debian/Ubuntu)

$ sudo cp ~/.crowbar/ca.pem /usr/local/share/ca-certificates/crowbar.crt
$ sudo update-ca-certificates

Proxy & Intercept

The proxy tab is the first thing you see. It shows the current bind address, intercept status, and any pending intercepted request.

With intercept off, traffic flows through and is logged to history. With intercept on, each request pauses for your review. You can:

Forward — send the request (optionally after editing)
Drop — discard the request entirely
Edit — modify method, URI, headers, or body before forwarding

Scope

Scope filters limit which hosts are captured. Patterns use glob matching, so *.example.com captures all subdomains.

$ crowbar --scope '*.example.com' --scope 'api.internal.dev'

History

Every proxied request/response pair is recorded. The history tab lists all entries with method, host, path, status, and size. Use / to filter by any field.

From the history view you can:

Press Enter to inspect request and response details
Press r to send a request to the repeater
Press m to add a request to a macro sequence
Press c, w, or h to export as curl, raw HTTP, or HAR

Response bodies are syntax-highlighted for JSON and HTML, with pretty-printing applied automatically.

Repeater

The repeater lets you edit and resend any request manually. Send a request from history with r, then modify it and hit Ctrl+Enter to send.

Full request editing — method, URI, headers, body
Diff view (d) — side-by-side comparison of original vs. edited request
Response display with status, headers, and body

The repeater is ideal for testing payloads, probing API endpoints, and verifying fixes to discovered issues.

Match & Replace Rules

Define rules to automatically modify traffic as it passes through the proxy. Rules can target requests, responses, or both.

Setting	Options
Target	Request, Response, or Both
Scope	URL, Headers, Body, or All
Mode	Literal or Regex

Each rule has a name, match pattern, replacement string, and can be toggled on/off with Enter. In the rules tab, press a to add, x to delete.

Passive Scanner

Crowbar passively scans proxied responses for common security issues. Findings are attached to history entries and categorized by severity.

Check	Severity
Missing HSTS header	Medium
Missing Content-Security-Policy	Medium
Missing X-Frame-Options	Low
Missing X-Content-Type-Options	Low
Cookie without Secure flag	Medium
Cookie without HttpOnly flag	Low
Cookie without SameSite flag	Low
Server header disclosure	Info
X-Powered-By header disclosure	Info
Stack trace in response body	High

Stack trace detection covers Java, Python, Go, and .NET patterns.

WebSocket Support

Crowbar captures WebSocket handshakes and relays frames between client and server. Captured messages are displayed with timestamps, direction (client → server or server → client), and payload content.

Both text and binary frames are supported.

Encoding Tools

The tools tab provides an interactive encoder/decoder. Type or paste input and see the output update in real time.

Tool	Description
URL Encode/Decode	RFC 3986 percent-encoding
Base64 Encode/Decode	Standard Base64 conversion
Hex Encode/Decode	Hexadecimal byte representation

Switch between tools with l/h, edit input with e.

Macros & Sequences

Chain multiple requests into a sequence and execute them in order. Useful for multi-step workflows like login → action → verify.

Add requests from history with m
View the macro queue in the repeater tab with M
Each step tracks status: pending, running, complete, or error
Remove steps with x or clear all with X

Keyboard Shortcuts

Global

Key	Action
`Tab` / `Shift+Tab`	Switch tabs
`1`–`5`	Jump to tab
`?`	Show help
`Ctrl+S`	Save session
`q` / `Ctrl+C`	Quit

Proxy Tab

Key	Action
`i`	Toggle intercept on/off
`f`	Forward intercepted request
`d`	Drop intercepted request
`e`	Edit intercepted request
`b`	Change bind address
`C`	Export CA certificate

History Tab

Key	Action
`j` / `k`	Navigate entries
`g` / `G`	Jump to first / last
`/`	Filter
`Enter`	View details
`r`	Send to repeater
`m`	Add to macro
`c`	Export as curl
`w`	Export as raw HTTP
`h`	Export all as HAR

Repeater Tab

Key	Action
`Ctrl+Enter`	Send request
`e`	Edit request
`d`	Toggle diff view
`M`	Toggle macro view
`j` / `k`	Scroll request
`J` / `K`	Scroll response

Rules Tab

Key	Action
`a`	Add new rule
`x`	Delete selected rule
`Enter`	Toggle enabled/disabled
`n` / `p` / `e`	Edit name / pattern / replacement
`t`	Cycle target (Request → Response → Both)
`s`	Cycle scope (URL → Headers → Body → All)
`R`	Toggle regex mode

Tools Tab

Key	Action
`e`	Edit input
`l` / `h`	Next / previous tool
`j` / `k`	Scroll output

CLI Reference

Main command

crowbar [OPTIONS]

Flag	Description	Default
`--bind <ADDR>`	Proxy bind address	`127.0.0.1:8080`
`--intercept`	Start with intercept enabled	off
`--scope <PATTERN>`	Host scope (repeatable)	all hosts
`--config <PATH>`	Config file path	`~/.crowbar/config.toml`
`--load <PATH>`	Load session from file	—

Subcommands

# Export the CA certificate
$ crowbar ca-export [OUTPUT_PATH]

# Import a HAR file
$ crowbar import <FILE> --name <SESSION_NAME>

Configuration

Optionally configure defaults in ~/.crowbar/config.toml. CLI flags always override config file values.

# ~/.crowbar/config.toml
bind = "127.0.0.1:8080"
intercept = false
scope = ["*.example.com"]

File locations

Path	Purpose
`~/.crowbar/config.toml`	Configuration file
`~/.crowbar/ca.pem`	Root CA certificate
`~/.crowbar/ca.key`	Root CA private key
`~/.crowbar/sessions/`	Saved sessions
`~/.crowbar/exports/`	Exported files
`~/.crowbar/crowbar.log`	Proxy log

Sessions & Export

Save your current session with Ctrl+S. Sessions are stored as JSON in ~/.crowbar/sessions/ and can be reloaded with --load.

Export formats

Format	Key	Description
HAR	`h`	HTTP Archive — standard format, compatible with browser dev tools and other proxies
curl	`c`	Executable curl command for reproducing the request
Raw HTTP	`w`	Raw HTTP request/response text

Importing

$ crowbar import recording.har --name my-session

Imports a HAR file as a session for further analysis in Crowbar.