Hadi 172a77e13b fix: security hardening and code quality
- SQL query mode uses read-only SQLite connection with PRAGMA query_only=ON
- Lua sandbox removes dofile/loadfile/load after OpenBase to block file access
- Plugin manager sorts by priority once at load time; GetPlugins is a plain copy
- Proxy appends [body truncated] marker when body hits size limit
- App startup exits with os.Exit(1) on DB open failure
- tickCmd uses tea.Tick instead of time.Sleep in a goroutine
- ErrMsg with non-nil error shows notification then quits
- DB stores path for use by read-only query connection
- WAL journal mode + NORMAL synchronous set in migrate()
- config.go uses errors.Is(err, os.ErrNotExist)
- main.go uses os.UserHomeDir() and removes racy port pre-check
- findings renderer is cached and rebuilt only on width change

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
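The read-only SQL query connection from the first commit bullet, as an added example that is not Spilltea's Go code: it is written against Python's standard-library sqlite3 module, the `history` table is a constructed stand-in for the proxy's schema, and the function names are assumptions. It checks that reads work while writes are refused, and that the refusal survives a user-typed `PRAGMA query_only=OFF` because the file itself was opened read-only.

```python
# Added example (not Spilltea's code): layered read-only SQLite access for a query mode.
import os
import sqlite3
import tempfile

def create_sample_db(path):
    # Constructed stand-in for a proxy history table (not Spilltea's schema).
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, method TEXT, url TEXT)")
    con.executemany(
        "INSERT INTO history (method, url) VALUES (?, ?)",
        [("GET", "http://example.test/"), ("POST", "http://example.test/login")],
    )
    con.commit()
    con.close()

def open_query_connection(path):
    # Layer 1: mode=ro opens the file without write access, so nothing the user types can re-enable writes.
    con = sqlite3.connect("file:{}?mode=ro".format(path), uri=True)
    # Layer 2: query_only makes the engine refuse data-changing statements on this connection.
    con.execute("PRAGMA query_only=ON")
    return con

def run_query(con, sql):
    # Run one user-supplied statement and return its rows.
    return con.execute(sql).fetchall()

def write_is_blocked(con, sql):
    # True if the connection refuses the statement as a write to a read-only database.
    try:
        con.execute(sql)
        con.commit()
    except sqlite3.OperationalError:
        return True
    return False

def demo():
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "project.db")
        create_sample_db(path)
        con = open_query_connection(path)
        rows = run_query(con, "SELECT method, url FROM history ORDER BY id")
        delete_blocked = write_is_blocked(con, "DELETE FROM history")
        # Flipping the PRAGMA off is allowed, but layer 1 still refuses the write.
        con.execute("PRAGMA query_only=OFF")
        still_blocked = write_is_blocked(
            con, "INSERT INTO history (method, url) VALUES ('GET', 'http://x.test/')")
        con.close()
        return rows, delete_blocked, still_blocked
```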


Spilltea

A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players.
Think Burp Suite or Caido, but entirely in your terminal.

License: MIT

What is Spilltea?

Spilltea is a terminal-native HTTP(S) interception proxy. It sits between your browser and the internet, letting you inspect, modify, and replay traffic without ever leaving your terminal.

It is intentionally minimal. No Electron, no browser, no bloat. Just a fast, keyboard-driven tool that gets out of your way.


This tool is provided for educational purposes and authorized security testing only.

Use Spilltea only on systems and networks you own or have explicit written permission to test. Intercepting network traffic without authorization may violate local laws (such as the Computer Fraud and Abuse Act, GDPR, or equivalent legislation in your jurisdiction).

The author(s) and contributors are not responsible for any misuse, damage, or legal consequences resulting from the use of this software. By using Spilltea, you agree that you are solely responsible for ensuring your usage is lawful and authorized.

Features

  • Intercept: Pause requests and responses in-flight. Inspect and modify them (even with your favorite editor) before forwarding.
  • HTTP History: Every request that passes through the proxy is stored. Browse, search and filter your full session history.
  • Replay: Pick any request from the history, modify it if needed, and send it again. Useful for manual testing and quick iteration.
  • HTTPS Support (using go-mitmproxy under the hood)
  • Vim-like Navigation: The entire interface is keyboard-driven with Vim-inspired shortcuts. Use h/j/k/l to move, gg/G to jump to the top/bottom, / to search, q to close panels, and more. All keybindings are fully customizable via the config file.
  • Built-in Integrations:
    • FFuf Export: Generate a ffuf command or configuration directly from a request to start fuzzing instantly.
    • cURL / HTTPie: Copy any request as a curl or httpie command to your clipboard.
    • Markdown Export: Export any request and its response as a clean Markdown snippet, ready to drop into a report.

Installation

Go install
go install github.com/anotherhadi/spilltea/cmd/spilltea@latest

Requires Go 1.22+. The binary will be placed in $GOPATH/bin (or ~/go/bin).

Nix (temporary run, no install)
nix run github:anotherhadi/spilltea

NixOS (flake)

Add spilltea to your flake inputs:

inputs.spilltea.url = "github:anotherhadi/spilltea";

Then add the package to your system or home-manager packages:

environment.systemPackages = [ inputs.spilltea.packages.${pkgs.system}.default ];

Project Management

Spilltea organizes work into projects. Each project maps to a SQLite database file that stores all intercepted traffic for that session, plus a log file.

On startup, you choose:

  • New project: enter a name, stored in ~/.local/share/spilltea/projects/ by default
  • Existing project: pick from a list of previous projects
  • Temporary: no name needed, stored in /tmp/spilltea/projects/ and will be deleted on your next reboot!

Configuration

Spilltea is fully configured via a YAML file at ~/.config/spilltea/config.yaml. Check the default configuration with all the options here.

CLI Flags

Usage: spilltea [flags]

      --add-default-config      copy the default config file to the config path and exit
      --add-default-plugins     copy built-in example plugins into the plugins dir and exit
  -c, --config string           path to config file
      --host string             proxy host (overrides config)
      --plugins-dir string      path to plugins dir (overrides config)
  -p, --port int                proxy port (overrides config)
  -P, --project string          project name to open directly, or "tmp" for a temporary session
      --upstream-proxy string   upstream proxy URL, e.g. http://user:pass@host:8888 (overrides config)
  -v, --version                 print version

Plugin System

Spilltea supports plugins written in Lua. Plugins are loaded from ~/.config/spilltea/plugins/ by default and do not require recompilation or access to the source code. For a full reference and examples, see the plugin documentation or plugin examples.

Deployment

spilltea runs locally on the machine used for pentesting or CTF. There is no separate server component.

If you need to run spilltea on a remote machine (e.g., a VPS or pivot host), use SSH port forwarding:

ssh -L 8080:127.0.0.1:8080 user@remote-host

Then point your browser at 127.0.0.1:8080 as usual.

Tech Stack

Component               Library
TUI                     bubbletea
Styles                  lipgloss
Proxy / MITM / TLS      go-mitmproxy
Storage                 modernc.org/sqlite
Config                  viper
Plugins                 gopher-lua

Languages: Go 94.3%, Lua 4.7%, Nix 0.5%, Python 0.3%, Shell 0.2%