This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP H2H Tool Project

Jump to: navigation, search
OWASP Project Header.jpg

OWASP H2H Tool Project

H2H is an opensource project allowing to detect all entry points of web applications developped in Java. Entry point and EndPoint are defined and explained in these articles : and Gartner From our point of view most web applications written in Java are made of spaghetti code and use more and more complex frameworks. H2H aims at making easier the job of detect vulnerabilities of Web applications written in Java by showing them all endpoints. That means focusing on the code, written by the project's developpers, that answers to requests (http requests, RMI calls, etc.) We could have made a list of all servlets, filters or listeners but, with frameworks such as Spring or JSF, granularity is not enough. That's because these frameworks expose their own component (servlet/listener) first, then dispatch the request (according to the uri or a context) to the code developped by the project. H2H analyze all the most used/frequent frameworks to get all the endpoints.

Notre objectif est de trouver 100% des points d'entrée pour améliorer la couverture de test lors des Pentest ou des audits de sécurité. Our purpose is to find 100% endpoints to improve the coverage of test during Pentests or security audit.


H2H is a java agent which realizes several tasks :

  • H2H scan the entire application and all frameworks to list all endpoints. Here is the list of components analyzed by H2H (framework)
  • It is possible to activate a sensor in H2H that monitore each endpoint. For example, this monitoring allows during a Pentest to know if all scenarios have all been through all endpoints.
  • It is possible to activate a sensor in H2H that monitore each endpoint's performance

Visualization of entry points can be done via a new url added by H2H or by the application H2H-Web Vizualisation Project

The project is composed ​of 2 sub-project​s​ : the Core : Agent for Java project and the web : interface for user​-friendly.


H2H is a open source project with licence Apache 2.

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright © by {the Project Leader(s) or OWASP} {Year(s)}.

Project Resources

Main Page

Core Project

Vizualisation Project


Issue Tracker

Project Leader

Damien Kerbart
Jean-Louis Boudart
Guillaume Dufour
Nicolas Poirier


Project Type Files TOOL.jpg
Incubator Project Owasp-builders-small.png
Affero General Public License 3.0

News and Events

  • [12 Aout 2015] First Release

Coming soon

How can I participate in your project?

Fork our repository Github and Pull request !

== Installation

For core :

For Web-Project :


The first contributors to the project were:

  • [Jean-Louis Boudart]
  • [Damien Kerbart]
  • [Guillaume Dufour]
  • [Nicolas Poirier]

  • Add Performance Counter for next Release
  • Add export configuration for Apache, F5, Nginx

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: N/A
Purpose: N/A
License: N/A
who is working on this project?
Project Leader(s): N/A
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: N/A
Project Roadmap: Not Yet Created
Key Contacts
  • Contact the GPC to contribute to this project
  • Contact the GPC to review or sponsor this project
current release
last reviewed release

other releases