Replace httpx (python)/httpx (project discovery)/curl/ffuf, etc with blasthttp#2992
Open
Replace httpx (python)/httpx (project discovery)/curl/ffuf, etc with blasthttp#2992
Conversation
- Add blasthttp (>=0.1.3) as HTTP engine, remove httpx subprocess dependency - Remove HTTPEngine subprocess, all HTTP now in-process via shared blasthttp client - Remove curl helper, use request() with resolve_ip and request_target - Remove obsolete ffuf module (replaced by web_brute) - Remove obsolete httpx module (replaced by http) - Add native http module using blasthttp batch API - Add native web_brute module using blasthttp batch API - Add web_brute_shortnames module - Add generic_ssrf module - Rewrite sslcert to use blasthttp cert_info - Add blasthttp mock infrastructure for tests - Add resolve_ip passthrough in test conftest for localhost - Add rate limit tests - Add 5-minute default timeout for downloads - Rename output http module to webhook - Fix elastic output module import - Update all module tests for blasthttp mock API
- Remove DEP_FFUF and DEP_CURL from shared_deps.py - Remove ffuf version config from defaults.yml - Update presets (dirbust-light, dirbust-heavy, dotnet-audit) to use web_brute/web_brute_shortnames instead of ffuf/ffuf_shortnames - Update test_scan.py module stat tests for renamed modules - Remove httpx Python library from dependencies - Update telerik comment
This was referenced Mar 27, 2026
liquidsec
changed the title
Contributor
📊 Performance Benchmark Report
📈 Detailed Results (All Benchmarks)
🎯 Performance Summary+ 2 improvements 🚀
! 1 regression ⚠️
21 unchanged ✅🔍 Significant Changes (>10%)
🐍 Python Version 3.11.15 |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## 3.0 #2992 +/- ##
======================================
- Coverage 91% 91% -0%
======================================
Files 440 443 +3
Lines 37230 37838 +608
======================================
+ Hits 33711 34261 +550
- Misses 3519 3577 +58 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This was referenced Mar 27, 2026
…ts and http_title instead
- Set _module_threads = 4 so multiple URLs can be fuzzed in parallel - Add configurable concurrency option (default 50) - Wire rate option through to blasthttp request_batch as rate_limit - Warn when module rate is overridden by more restrictive global setting - Add test for blasthttp min(global, per_call) rate limit behavior (requires blasthttp >= 0.1.4)
…clean # Conflicts: # bbot/modules/httpx.py # bbot/test/benchmarks/test_excavate_benchmarks.py # bbot/test/benchmarks/test_scan_throughput_benchmarks.py
…ion-sharedloop blasthttp 0.2.0: shared event loop (eliminate executor bridge)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces BBOT's entire HTTP infrastructure with blasthttp, a Rust-based HTTP library with Python bindings. This eliminates the httpx Go binary subprocess, the curl subprocess helper, and the HTTPEngine ZMQ subprocess — all HTTP now runs in-process through a shared blasthttp client.
What changed
New HTTP engine:
helpers.request()→WebHelper→ sharedblasthttp.BlastHTTP()clientweb.http_rate_limitconfig, enforced at the client level across all callersresolve_ipparameter for DNS pinning (likecurl --resolve) — connects to a specific IP while preserving hostname for Host header and TLS SNIrequest_targetparameter for request-line override (SSRF/smuggling testing)response.cert_infoShared event loop (blasthttp 0.2.0):
pyo3-async-runtimesto return native Python coroutines viafuture_into_py()run_in_executor_io()wrappers around blasthttp calls replaced with directawait— HTTP requests no longer consume OS threadsRemoved:
httpxGo binary module and its test (bbot/modules/httpx.py)ffufGo binary module and its test (bbot/modules/ffuf.py,ffuf_shortnames.py)HTTPEngineZMQ subprocess (bbot/core/helpers/web/engine.py)AsyncClient/ httpx Python library (bbot/core/helpers/web/client.py)helpers.web.curl()subprocess helperDEP_FFUFandDEP_CURLshared dependency definitionshttpxPython library from dependenciesAdded:
bbot/modules/http.py— native HTTP module using blasthttp batch API (replaces httpx Go binary)bbot/modules/web_brute.py— native web fuzzer using blasthttp batch API (replaces ffuf)bbot/modules/web_brute_shortnames.py— IIS shortname resolver using ML predictionbbot/modules/generic_ssrf.py— SSRF detection modulebbot/modules/output/webhook.py— renamed fromoutput/http.pyto avoid collision with scan modulebbot/core/helpers/web/blast_response.py— response wrapper for blasthttp PyO3 objectsbbot/test/mock_blasthttp.py— mock infrastructure for test HTTP interceptiontest_web_rate_limit.py)Updated:
sslcertmodule rewritten to use blasthttpcert_infoinstead of independent pyOpenSSL connectionshost_headerandgeneric_ssrfmodules converted fromcurl()torequest()withresolve_ip/request_targetelasticoutput module fixed to import fromwebhookinstead of deletedhttpblasthttp_mock.add_response())dirbust-light,dirbust-heavy,dotnet-auditreferenceweb_bruteinstead offfufresolve_ip=127.0.0.1requests to real blasthttpBug fixes
Blacklist.get()NoneType crash —_make_event_seed()could returnNonewhen host validation fails, causingAttributeErroron.hostaccess. Events hitting this path were silently dropped from the scan pipeline. AddedNoneguard with defensive tests.clean_dns_record()didn't strip quote characters that dnspython'sto_text()can produce on certain record types, causingValidationErrorand silently skipping DNS children. Added.strip("'\"")beforerstrip(".").AttributeError: 'str' object has no attribute 'get'when iterating dict keys. Addedisinstance(json, list)guard.yara_rules.match()was called synchronously on the event loop, serializing all 8 excavate workers despite_module_threads = 8. Offloaded torun_in_executor_cpu()for real parallelism (YARA releases the GIL). ~2.5-3x throughput improvement.ip-*andhttp-title-*tags — The newhttpmodule was creatingip-{hostname}andhttp-title-{title}tags instead of using_resolved_hostsandhttp_titlelike the old httpx module did. Fixed to match post-naming-standardization conventions from PR Preset naming standardization / tag cleanup #2986._drain_queues()infinite loop on Ctrl+C — When a module's queue wasNone/False, the drain loop never raisedQueueEmptyand spun forever, causing the scan to hang after "Aborting scan" until a second Ctrl+C. Moved the None/False check outside the loop.web_brutesequential bottleneck —_module_threadsdefaulted to 1, meaning queued URLs were fuzzed one at a time. Bumped to 4. Added configurableconcurrencyoption. Wired the previously unusedrateoption through to blasthttprequest_batch.min(global, per_call)so modules can enforce tighter limits.Dependency changes
blasthttp>=0.2.0httpx>=0.28.1