🚨 Meta Bug Bounty 🤑🔥
An Instagram account takeover triggered through Meta Pixel wasn't something most hunters were looking for... 👀 https://t.co/aZCkv5bNHd
💎 More real bug bounty write-ups, methodologies & exclusive content:
👉 https://t.co/FeMz53HSN0
Burp Suite Professional costs 475 dollars a year per seat.
A senior software engineer in Amsterdam built the open source replacement as a side project. He put it on GitHub for free. It has 10,569 stars.
His name is David Stotijn. The software is Hetty.
Here is what Hetty is.
An HTTP toolkit for security research. A machine-in-the-middle proxy that sits between your browser and the target. Every request and every response flows through Hetty. You can read them, search them, intercept them, edit them, replay them, and send them again.
This is the core loop of every web application security test ever performed. Burp Suite charges 475 dollars a year for it. Hetty does the same job for zero.
Here is the feature set.
A machine-in-the-middle HTTP proxy with full logs and advanced search. An HTTP client for manually creating and editing requests, and replaying any request you already proxied. Request and response interception for manual review, with full edit, send, receive, and cancel control. Scope support to keep your work organized to a single target. A web-based admin interface that runs in your browser. Project-based database storage so multiple engagements stay separate. A GraphQL service for programmatic access.
The installer is a single Go binary. Works on macOS, Linux, and Windows. No Java runtime, no enterprise license server, no machine fingerprinting, no telemetry.
Here is the price ladder.
Burp Suite Professional: 475 dollars a year per seat.
Burp Suite Enterprise: thousands per year, contact sales for a quote.
Burp Suite Community Edition: free, but throttled, no scanner, no project save, no intruder rate.
OWASP ZAP: free and open source, now owned by Checkmarx after a 2024 acquisition.
Hetty: zero. Forever. One binary. No account.
A pentester working full time pays Burp 475 dollars a year. A team of 10 pentesters pays 4,750 dollars a year. A bug bounty hunter who finds one vulnerability has already paid for Burp twice over.
Or they download a 30 MB Go binary written by a freelancer in Amsterdam and keep every dollar they earn.
David has not pushed a new commit in 16 months. The last commit was January 13, 2025. That is normal for a tool that is feature-complete. HTTP has not changed. The proxy still proxies. The intercept still intercepts. MIT licensed code does not expire when the maintainer takes a break.
Buy a domain. Find a bug. Cash a bounty.
PortSwigger took a free industry tool and put it behind a 475 dollar paywall. A freelancer in Amsterdam gave it back. On every platform. For zero dollars.
Your proxy. Your binary. Your bounties.
(Link in the comments)
I remember my Telegram account got banned on the official app. A few months later, I installed Telegram X and was surprised to see that my account was still active there. All my chats were restored. After that, I tried logging into the official Telegram app again and it worked. I was able to access my account normally. If your Telegram account gets banned, you can also try logging into the same account through Telegram X. It worked for me.
@4osp3l Bro, are you getting as many bugs as you did half a year ago? I think you’re getting fewer bugs compared to back then. Correct me if I’m wrong.
@Maskoff023 Mythos and Daybreak Ais are stopping me from going further.
I started web application hacking in 2022 and have read these books 4–5 times:
The Web Application Hacker’s Handbook
Bug Bounty Bootcamp
Real‑World Bug Hunting
Web Hacking Arsenal
I solved 80% of the PortSwigger labs.
@ishowcybersec What will be the future of bug hunters?
Since Daybreak by OpenAI and Mythos by Anthropic already write and secure code, most bugs are fixed in staging.
So I think anyone considering bug hunting may find it not worthwhile.