A Macro is a recorded multi-step HTTP sequence that Hugin can replay on demand. The classic use case is session maintenance: log in, navigate to a page, grab a CSRF token, then run scans or attacks while Hugin keeps the session fresh by re-running the macro whenever it detects expiry.
Macros pair with Session Rules — Session Rules detect “session is invalid” and trigger a macro to re-authenticate, then propagate the new tokens forward.
🔗Recording a Macro
- Open the Macros view (under Workspace in the sidebar)
- Click + New Macro
- Pick the source flows from your captured History — multi-select 1–N flows that constitute the login flow
- Hugin builds the macro: each flow becomes a step in the macro’s request sequence
- Edit the steps if needed (rename, reorder, delete)
- Save
The macro now exists as an ordered list of HTTP requests with extraction rules.
🔗Step Configuration
Each step has:
- Request — full HTTP request (editable, supports
{{template}}interpolation from earlier steps and environment variables) - Extract — list of
(name, regex_or_jsonpath)pairs. Captured values become available to subsequent steps as{{step_<n>.<name>}}. - Validation — optional check on the response (status code, body contains, etc.) — if validation fails, the macro is marked failed and downstream steps don’t execute
- Wait — optional delay before this step
🔗Common Extractions
| Token type | Extract from | Pattern |
|---|---|---|
| CSRF token | Response body | <input name="_csrf" value="([^"]+)" |
| Session cookie | Set-Cookie header | cookie:session_id |
OAuth code | Location header | code=([^&]+) |
| Bearer access_token | JSON response body | JSONPath $.access_token |
JWT sub claim | Decoded JWT | (run RunJavaScript step) |
🔗Running a Macro
Three modes:
🔗Manual
Click Run in the Macros view. Useful for testing or one-off auth refresh. Results show up in the run history with extracted values.
🔗From Session Rule
A Session Rule detects expiry (e.g., 401 response) and triggers the linked macro. Extracted tokens are propagated into subsequent requests automatically.
🔗From Workflow
A Workflow action node can invoke a macro. Use case: “every time a 419 (CSRF expired) response is captured, run the refresh-csrf macro”.
🔗Inter-Step Templating
Within a macro, later steps reference earlier outputs:
Step 1: GET /login → extract csrf_token
Step 2: POST /login (body: csrf_token={{step_1.csrf_token}}&user=...&pass=...) → extract session_cookie
Step 3: GET /api/me (header: Cookie: {{step_2.session_cookie}}) → extract user_idSupported template namespaces:
{{step_N.<name>}}— extracted value from step N{{env.<name>}}— variable from active Environment{{macro.input.<name>}}— input parameters passed when the macro was invoked
🔗Macro Inputs
A macro can declare inputs (e.g., username, password) that must be supplied at run time. Inputs are referenced as {{macro.input.<name>}} in any step. When invoked from a Session Rule, inputs are pulled from the rule’s config.
🔗Test Mode
The Test button runs the macro in dry-run mode — actually issues the requests, shows what was extracted at each step, but doesn’t propagate results to a Session Rule or Workflow. Useful for debugging.
🔗Storage
Macros are stored as JSON in the project database. They travel with .huginproject exports.
🔗MCP
The macros MCP tool exposes:
Macro management:
list_macros,get_macro,create_macro(fromflow_ids),update_macro,delete_macrorun_macro(executes with input params)test_macro(dry-run)
Live recording (capture macros from your live proxy traffic):
record_start— begin recording subsequent flows into a new macrorecord_stop— stop recording and finalise the macrorecord_status— current recording staterecord_list— list active recording sessions
Session rules (linked into the same tool):
list_rules,create_rule,update_rule,delete_rule,enable_rule,disable_rule