WAF bypass & antibot
Pro tierLook like real Chrome to every WAF and anti-bot system — TLS JA3/JA4, HTTP/2 SETTINGS, navigator, WebGL, canvas and fonts all match a coherent browser profile. Challenge scripts execute natively and set the bypass cookie.
What it does
Chrome 134 TLS fingerprint
The proxy's upstream connector reproduces Chrome's exact ClientHello — cipher order, X25519MLKEM768 post-quantum key exchange, GREASE, extension permutation. JA3/JA4 hashes match real Chrome, bypassing Cloudflare, Akamai, Imperva and DataDome TLS fingerprinting.
HTTP/2 fingerprint matching
Akamai-format HTTP/2 fingerprint string with Chrome's exact SETTINGS, WINDOW_UPDATE and pseudo-header order (m,a,s,p). The scanner and crawler produce the same H2 fingerprint as the browser, so WAFs can't split traffic by protocol layer.
navigator & window spoofing
webdriver=false, 5 Chrome PDF plugins, Client Hints (Sec-CH-UA with getHighEntropyValues), hardwareConcurrency, deviceMemory, 130+ native functions return [native code]. Automation artifacts (cdc_, __selenium, __playwright, _phantom) are deleted from window.
WebGL, canvas & fonts
WebGL renderer strings match the OS (ANGLE Apple Metal on macOS, NVIDIA on Windows), canvas noise is consistent per-profile, and font enumeration returns OS-correct lists (Helvetica Neue on macOS, Segoe UI on Windows). Cross-layer validation catches mismatches anti-bot systems flag.
anti-bot challenge execution
DataDome, Akamai and PerimeterX challenge scripts execute in the Boa JS engine with full Chrome 134 spoofing. Cookies set by challenge scripts flow into every subsequent sub-resource request, so the bypass sticks for the whole session.
WAF detection & FP suppression
35 WAF signatures (Cloudflare, Imperva, Akamai, DataDome, PerimeterX, Sucuri, F5, Fortinet, Wallarm, Radware) detected via Aho-Corasick. The scanner suppresses false positives on WAF-blocked responses and backs off after consecutive blocks — no more noise from WAF tarpits.
WAF evasion engine
Encoding mutations (double/triple URL, overlong UTF-8, mixed-case hex), Unicode tricks (enclosed alphanumerics that NFKC-normalize, homoglyphs, zero-width chars), header bypasses (X-Forwarded-For, X-Original-URL, True-Client-IP), chunked transfer abuse, protocol quirks and content-type confusion — 8 categories of payload mutation.
captcha solving & shadow worker
Detects DataDome, GeeTest, hCaptcha, reCAPTCHA and Turnstile. Shadow worker runs fetch() inside a Web Worker outside DataDome's hooks, persona distribution spreads requests across browser tabs with separate cookie contexts, and a 3-phase shadow session warms trust before high-speed extraction.
Coherent, not bolted on
Burp and Caido have no native TLS fingerprint matching — you need extensions or a separate proxy. Hugin builds the Chrome 134 profile into the MITM engine itself: the proxy, the scanner, the crawler and the browser all share one coherent fingerprint across TLS, HTTP/2, headers and JavaScript. A WAF that fingerprints any layer sees the same Chrome on every layer.
Chrome 134 cipher list, X25519MLKEM768 post-quantum hybrid key exchange, GREASE per-connection random, extension permutation (Chrome 110+ randomizes order to defeat static JA3). OCSP stapling, SCT, ALPN h2+http/1.1.
HEADER_TABLE_SIZE=65536, ENABLE_PUSH=false, MAX_CONCURRENT_STREAMS=1000, INITIAL_WINDOW_SIZE=6291456, MAX_HEADER_LIST_SIZE=262144, ENABLE_CONNECT_PROTOCOL=true, NO_RFC7540_PRIORITIES=true. WINDOW_UPDATE=15663105. Pseudo-header order m,a,s,p.
navigator.webdriver=false (not undefined), Object.isFrozen(navigator.languages)=true, Function.prototype.toString returns [native code] for 130+ functions, cdc_/__selenium/__driver/__playwright/_phantom deleted, webdriver moved to prototype so getOwnPropertyDescriptor returns undefined.
35 signatures via Aho-Corasick: cloudflare, cf-ray, aws waf, awselb, imperva, incapsula, sucuri, mod_security, fortigate, barracuda, f5 big-ip, citrix netscaler, perimeterx, px-captcha, datadome, shape security, reblaze, wallarm, radware, appwall, fastly, stackpath. Bot-challenge interstitial detection at any status including 200.
Double/triple URL encoding, IIS %u encoding, mixed-case hex, overlong UTF-8, null-byte injection, HTML entities, hex string — each payload runs through the chain before sending.
Enclosed alphanumerics (①②⑦.⓪.⓪.① for 127.0.0.1) that NFKC-normalize to ASCII on Python/Ruby backends but bypass WAF regex. Cyrillic homoglyphs (а/е/о/р/с/х/у/i), zero-width chars (ZWSP/ZWNJ/ZWJ/BOM), RTL override, IDN homograph attacks.
14 IP-spoofing headers (X-Forwarded-For, X-Real-IP, CF-Connecting-IP, True-Client-IP, Fastly-Client-IP) × 10 values. URL rewriting (X-Original-URL, X-Rewrite-URL) × 12 path variants. Host manipulation, method override (16 methods incl. PROPFIND/MKCOL), cache poisoning, protocol downgrade.
Web Worker fetch() outside DataDome's window.fetch hooks — 3 workers at 16 rps = ~49 req/s. Persona distribution across browser tabs with separate cookie contexts. 3-phase shadow session: warm trust → harvest datadome cookie → high-speed extraction.
The rest of the toolkit
Intercepting proxy
Every request your browser makes, on your terms — pause it, rewrite it, release it. HTTP/1.1, HTTP/2, HTTP/3 and WebSocket, with on-the-fly TLS.
Vulnerability scanner
An active and passive scanner that ships free — OWASP and API Top 10, with blind out-of-band detection.
Repeater
Send it once. Change one field. Send it again. The careful, hand-driven probe — request and response side by side, over and over.
Intruder
Automated payload attacks at full speed — four modes, 21 generators, 32 processors, and a Turbo mode with raw-TCP batching.
AI agent & MCP PRO
Set a budget, hit explore, and an autonomous agent drives every tool over 169 MCP tools — or wire opencode, Cursor or your own agent straight in.
Race conditions PRO
Beat check-then-act windows the proxy can't reach — single-packet attacks, last-byte sync and barrier coordination.
Synaps WASM modules PRO
Extend the scanner without trusting the code — community modules compiled to WebAssembly and run in a hard sandbox.