Browser Engines

Hugin can drive four different browser engines for crawling, taint analysis, and PoC capture: Chrome (via CDP), Mullvad Browser (via Marionette), Servo (IPC child process), and Hugin (pure-Rust in-process JS engine, Chrome-134 fingerprint). The MCP browser tool currently exposes Chrome, Mullvad, and Servo via the browser_type parameter; the Hugin native engine is used internally (e.g., for the Blitz renderer behind hugin browse).

Each engine has different trade-offs around fingerprint, automation visibility, and speed.

🔗Chrome (CDP)

The default for full-featured testing. Hugin spawns a Chrome instance with a custom profile and connects via the Chrome DevTools Protocol.

🔗Properties

• Fingerprint — BoringSSL TLS stack + Chrome user-agent. Matches a real Chrome’s JA3/JA4 signature so requests blend with normal web traffic.
• Automation markers — navigator.webdriver is false (we patch it out at launch); CDP detection partially mitigated by anti-detect script injection
• Speed — fastest of the three for JS-heavy SPAs
• Memory — heaviest; Chrome’s ~200 MB baseline plus per-tab overhead
• Use cases — crawling SPAs, taint analysis, PoC video capture, anything requiring real browser DOM

🔗Setup

Requires Chrome / Chromium installed system-wide:

• macOS: /Applications/Google Chrome.app (auto-detected) or brew install chromium
• Linux: apt install chromium-browser or equivalent
• Windows: standard Chrome install

Alt path via Settings → Network → Browser Path.

🔗Launching

hugin browse <url> opens the Blitz-rendered Hugin engine, not Chrome — see the Hugin (Native JS Engine) section below for that command. To launch Chrome programmatically, use the MCP browser tool:

browser action:"launch" browser_type:"chrome"
browser action:"navigate" url:"https://target.com"

Or via the desktop UI’s Browser view → Launch Chrome.

🔗Mullvad Browser (Marionette)

Firefox-based privacy browser, controlled via Mozilla’s Marionette protocol.

🔗Properties

• Fingerprint — Firefox TLS stack + Mullvad user-agent. Looks like genuine privacy-focused user traffic
• Automation markers — none visible by default (Marionette is server-side)
• Speed — middle of the pack
• Memory — slightly lighter than Chrome
• Use cases — testing privacy-protection features and fingerprint-sensitive targets

🔗Setup

Requires Mullvad Browser installed:

• Download from https://mullvad.net/download/browser/
• Hugin auto-detects standard install paths

🔗Launching

Via MCP:

browser action:"launch" browser_type:"mullvad"

Or from the desktop Browser view → Launch Mullvad Browser. The launcher creates the temporary profile, imports the CA, and disables the extensions / pinning settings listed below in one step.

🔗Quick Setup Behaviour

The “Launch Mullvad Browser” button creates an isolated profile with:

• Hugin proxy pre-configured (HTTP + HTTPS to 127.0.0.1:8080)
• Hugin CA cert imported via certutil
• Certificate pinning disabled (security.cert_pinning.enforcement_level = 0)
• HSTS preload disabled
• HTTPS-Only Mode disabled
• Mullvad Browser Extension disabled (it would override proxy settings via SOCKS)

Your real Mullvad Browser profile is untouched.

Requirement: certutil (from the NSS suite). On macOS: brew install nss.

🔗Servo (Embedded Engine)

Hugin’s bundled headless web engine. No external browser binary needed.

🔗Properties

• Fingerprint — Hugin’s embedded TLS stack (BoringSSL); user-agent configurable. Less battle-tested than Chrome’s fingerprint but uniquely useful for zero automation markers
• Automation markers — none. No navigator.webdriver, no CDP fingerprint, no Marionette socket — just a normal-looking HTTP/HTTPS client with full DOM rendering and JS execution
• Speed — slower than Chrome on JS-heavy SPAs; faster on simple pages
• Memory — lightest; ~50 MB baseline
• Use cases — fingerprint-sensitive scraping, deep-engine taint tracking, anti-bot bypass on targets that detect headless Chrome

🔗Deep-Engine Hooks

Servo exposes hooks that Chrome and Mullvad don’t:

• inject_script — inject JS before the page’s own scripts execute. Useful for taint instrumentation, fingerprint spoofing.
• network_intercept — capture every HTTP request at the engine level, bypassing the DOM. Sees XHR, fetch, beacon, every resource load.
• block_url — block requests at the engine level by regex. Faster than browser-level blocking; works against sites that detect content-blocking extensions.
• dom_snapshot — structured DOM tree as JSON, with bounding boxes.
• query_dom — CSS-selector queries with element bounds — useful for visual PoC alignment.
• console_log — drain captured console messages.

🔗Launching

Via MCP:

browser action:"launch" browser_type:"servo"

Servo runs as an IPC child process — it’s spawned on demand and torn down on stop.

🔗Hugin (Native JS Engine)

The Hugin native engine is a pure-Rust JavaScript runtime + minimal renderer (Blitz). It runs in-process — no external binary, no IPC.

🔗Properties

• Fingerprint — Chrome 134-style headers + TLS profile baked into the engine
• Automation markers — none
• Speed — fast for simple pages; weaker JS compatibility on advanced SPAs vs Chrome/Servo
• Memory — lightest of all four; runs alongside the desktop UI without spawning extra processes
• Use cases — hugin browse <url> for quick PoC capture; in-process headless rendering when you want zero IPC overhead

🔗Launching

The CLI entry point is the hugin browse subcommand:

hugin browse https://target.com
hugin browse https://target.com --width 1440 --height 900

The browse command always uses the Hugin native engine — it does not currently accept a --browser flag to switch to Chrome / Mullvad / Servo. For those, use the MCP browser tool described above.

🔗Choosing an Engine

Use case	Recommended engine
First-pass crawling	Chrome
Heavy JS / SPA inspection	Chrome
Fingerprint-sensitive target	Mullvad first; Servo as alternate
PoC video / screenshot for report	Chrome
Headless CI / scheduled scans	Servo
Taint analysis with pre-script injection	Servo
Privacy-focused user simulation	Mullvad
Quick in-process page render	Hugin (hugin browse)
Memory-constrained / low-power	Hugin or Servo

🔗Browser Map

All four engines share a common abstraction — BrowserMap — keyed by proxy port. Switching engines on the same proxy port reuses the same MCP tool actions and REST endpoints; the user picks the engine and the rest of Hugin doesn’t care.

Browser sessions persist across actions — once you launch Chrome on port 8080, all subsequent navigate, exec_js, screenshot, etc. use that same instance until you stop it.

🔗Anti-Detect (Chrome)

For the Chrome engine, an anti-detect script is injected via Page.addScriptToEvaluateOnNewDocument on every new document. It patches:

• navigator.webdriver → undefined (also deletes from prototype chain — Akamai checks both)
• window.chrome.{app,csi,loadTimes,runtime} synthesised to look like a real Chrome
• navigator.plugins → 3 plugins (Chrome PDF Plugin, Chrome PDF Viewer, Native Client)
• navigator.languages → ['en-US', 'en']
• Permissions API — notifications query matches Notification.permission (real-Chrome behaviour)
• WebGL getParameter — vendor/renderer return real GPU values instead of leaking “ANGLE”

Mullvad and Servo each have their own fingerprint posture inherent to the engine; the Chrome anti-detect script doesn’t apply to them. There is no per-launch opt-out flag — the script is always injected when Chrome is launched via Hugin’s manager.

🔗See Also

• Browser Automation — full chapter on programmatic browser control
• Taint Analysis — Servo’s deep-engine hooks make it the best engine for runtime DOM XSS detection
• Browser Setup — manual setup of regular browsers (Chrome, Firefox, system) for proxying without using Hugin’s launchers