send
Issue HTTP requests with full control over method, URL, headers, and body. Supports raw headers, connection reuse, and TLS SNI override. Results are stored in the hunt database for later analysis.
Instructions
Send HTTP request and store in hunt database. See rqwstr_docs(topic="hunts") for the core workflow. Cookie handling: an explicit Cookie in headers or raw_headers suppresses the per-hunt cookie jar (the jar is only injected when no Cookie is supplied). A Cookie set in both sources is additive on the wire — both propagate, not deduped. send injects jar cookies outbound but NEVER auto-stores Set-Cookie: for multi-step authenticated flows use chain (forward_cookies), or session(action="import_from_response") after a login response. See rqwstr_docs(topic="cookies") for the full store model and setting explicit Cookie payloads (session fixation, deserialization, etc.).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| sni | No | TLS SNI override. Decouples SNI from Host header for HTTPS requests. When set the TLS ServerName uses this value instead of the Host header. | |
| url | Yes | Target URL (must include scheme) | |
| body | No | Request body string | |
| grep | No | Regex to filter response. Use .* to return full body | |
| name | No | Save request with this name for quick lookup. If the name is already used in this hunt an integer suffix is appended (name-2, name-3, ...) and the stored name is reported back, so the request stays retrievable via fetch. | |
| notes | No | Attach notes to request | |
| method | Yes | HTTP method (GET POST PUT DELETE etc) | |
| headers | No | Request headers as key-value pairs | |
| raw_path | No | Send URL path exactly as provided without Go net/url normalization. Preserves percent-encoded sequences like %2f literally. For web cache deception and path traversal attacks. | |
| body_file | No | Relative path under hunt artifacts directory for request body; absolute paths require RQWSTR_ALLOW_ABSOLUTE_FILE_PATHS=1. Overrides body. | |
| multipart | No | Multipart form-data parts. Each part: {name, value, filename, content_type, body_file/file_path}. File paths are relative to hunt artifacts unless RQWSTR_ALLOW_ABSOLUTE_FILE_PATHS=1. Overrides body/body_file. | |
| timeout_ms | No | Request timeout in milliseconds (default 30000) | |
| url_encode | No | URL-encode query parameter values | |
| raw_headers | No | Raw headers appended verbatim. No validation — enables duplicate headers and header smuggling. Array of [name, value] pairs: [["X-Custom", "val"]]. | |
| http_version | No | HTTP version: 1.0 or 1.1 (default 1.1) | |
| connection_id | No | Reuse H1 connection by ID. Same connection_id = same TCP connection. For H1 smuggling self-verification (send smuggle + follow-up on same connection). Auto-closes after 60s idle. | |
| keep_alive_ms | No | Hold connection open after response. Milliseconds. Use with connection_id to keep poisoned bytes alive until a victim request. | |
| max_redirects | No | Max redirects to follow (default 10) | |
| save_response | No | Relative path under the hunt artifacts directory to save raw response body bytes | |
| request_target | No | Override request-line target. Use for absolute-form requests (RFC 7230 §5.3.2) e.g. GET https://backend/ HTTP/1.1 | |
| close_connection | No | Close a pooled connection by connection_id. Returns immediately without sending a request. | |
| follow_redirects | No | Follow HTTP redirects (default false) | |
| grep_ignore_case | No | Case insensitive grep matching | |
| pause_after_headers_ms | No | Pause between sending headers and body in milliseconds. For pause-based CL.0 desync attacks where the backend times out waiting for the body. | |
| content_length_override | No | Override Content-Length header value independent of actual body length. For CL mismatch smuggling. | |
| save_response_overwrite | No | Overwrite an existing save_response artifact (default false) |