Bambda (Inline Lua Filters)

Bambda is Hugin’s inline Lua expression engine for filtering and transforming the flow table. Where Lua extensions are full extensions with manifests and hooks, Bambdas are one-line expressions — written inline in the Logger’s filter bar — that decide whether to keep, drop, flag, or transform each flow.

The name is a nod to Burp’s “Bambda” feature; same idea, Lua instead of Java.

Use Cases

  • Filter the Logger to “POSTs to /api/* with a JSON body and admin somewhere in the body”
  • Highlight all flows where a specific cookie value differs from the most recent one (session rotation detection)
  • Drop noise — block 200 responses to /static/* from showing in the table without changing capture
  • Custom search beyond what the toolbar filters offer
  • Quick one-off transformations during triage

Filter Bambda

The filter bar at the top of the Logger has a Bambda mode toggle. When enabled, the input becomes a Lua expression that returns true (keep this flow) or false (hide it).

The expression has access to a flow global with all request/response data:

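-- POSTs under /api/ with the literal string "admin" in flow.body
flow.method == "POST" and flow.path:match("^/api/") and flow.body:find("admin", 1, true)
-- Server errors
flow.status >= 500
-- JSON requests to one host; the "or" guard avoids an error when the header is absent
flow.host == "api.example.com" and (flow.headers["content-type"] or ""):find("json", 1, true)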

The expression is re-evaluated as you type (debounced 300ms). Syntax errors show inline below the bar.

Transform Bambda

A transform Bambda runs through the flow table and produces a new column with the result of the expression:

-- Compute response size in KB (flow.body is the response body, see Available Globals)
return string.format("%.1f KB", #flow.body / 1024)

-- Extract a field from a JSON response body
local data = json.decode(flow.body)
return data and data.user and data.user.email or "—"

The new column appears in the Logger as a custom column with your expression as the header (renameable).

Test Bambda

Before applying a complex Bambda, Test it against a single selected flow:

  • Returns the result + execution time
  • Shows the value of any local variables for inspection
  • Surfaces stack traces for errors

Built-in Presets

15 ready-to-use Bambdas (bambda.rs::builtin_presets):

errors, forbidden, redirects, api_posts, json_responses, large_responses, with_params, auth_headers, cors_headers, set_cookie, no_cache, tls_only, plaintext, empty_body, interesting_status.

Custom presets are stored at ~/.hugin/bambda_presets.json via the save_preset action and joined with built-ins when the presets action is called.

Saved Bambdas

Save your Bambdas (with name + description) for reuse. Saved Bambdas appear in the dropdown next to the filter bar. Project-scoped.

Available Globals

In the Lua sandbox:

  • flow — the current flow with .method, .url, .host, .path, .query_string, .status, .body (response), .request_body, .headers (request), .response_headers, .cookies, .tags, .flagged, .created_at, .latency_ms, .size
  • json — JSON encode/decode utilities
  • string — full Lua stdlib string library
  • regex — Hugin’s regex helper (regex.match(pattern, text))
  • base64 — Base64 encode/decode
  • url_encode / url_decode
  • prev — the previous flow (for diff-style Bambdas)

The sandbox doesn’t expose: filesystem, network, system commands. Bambdas are pure compute.
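
The session-rotation use case listed earlier, built on the flow and prev globals, as an added example that is not Hugin's own code. It assumes that flow.cookies is a table keyed by cookie name, that prev is nil for the first flow, and that the cookie is called "session"; the sample flows and the run_filter harness are constructed so the logic runs in plain Lua outside Hugin.

```lua
-- Added example: session-rotation filter written as a Bambda-style predicate.
-- Assumptions (not confirmed by the page): flow.cookies is a table keyed by
-- cookie name, prev is nil for the first flow, and the cookie is named "session".
local COOKIE = "session"  -- hypothetical cookie name

-- The part to adapt for the filter bar: keep the flow when the tracked
-- cookie is present on both flows, differs in value, and the host matches.
local function rotated(flow, prev)
  local cur = flow.cookies and flow.cookies[COOKIE]
  local old = prev and prev.cookies and prev.cookies[COOKIE]
  if cur == nil or old == nil then
    return false          -- nothing to compare against
  end
  return cur ~= old and flow.host == prev.host
end

-- Constructed sample flows standing in for the Logger's flow table.
local flows = {
  { host = "api.example.com", path = "/login",         status = 200, cookies = { session = "aaa111" } },
  { host = "api.example.com", path = "/api/me",        status = 200, cookies = { session = "aaa111" } },
  { host = "api.example.com", path = "/api/pay",       status = 200, cookies = { session = "bbb222" } },
  { host = "api.example.com", path = "/static/app.js", status = 200, cookies = {} },
  { host = "api.example.com", path = "/api/me",        status = 200, cookies = { session = "bbb222" } },
}

-- Minimal stand-in for the engine: evaluate the predicate per flow with
-- the preceding flow passed as prev, and collect the paths that match.
local function run_filter(pred, list)
  local kept = {}
  for i, flow in ipairs(list) do
    if pred(flow, list[i - 1]) then   -- list[0] is nil for the first flow
      kept[#kept + 1] = flow.path
    end
  end
  return kept
end

for _, path in ipairs(run_filter(rotated, flows)) do
  print("rotated session at " .. path)
end
```

If prev is the immediately preceding row, as assumed here, a cookie-less request in between (the /static/app.js row) resets the comparison, so narrow the table to flows that carry the cookie before relying on the result.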

Performance

Bambdas run client-side (in the desktop process) on the visible flow set. At 100k+ flows, complex Bambdas may slow the table — narrow with toolbar filters first, then refine with Bambda.

MCP

The bambda MCP tool exposes:

  • filter — apply a Bambda to a flow set, return matches
  • transform — apply a transform Bambda, return computed values
  • test — test against a single flow, return result + diagnostics
  • presets — list built-in presets
  • save_preset — save a custom Bambda
  • delete_preset — remove a custom Bambda

Useful for AI agents: “filter the project to authenticated POSTs that include a CSRF token, group by endpoint” — Bambda + grouping in one pass.