from Hacker News

Mitmproxy – Open-source console-based proxy

by isarat on 11/22/17, 8:38 AM with 39 comments

  • by bitexploder on 11/22/17, 5:42 PM

    Don't forget mitmdump. It is a great way to log sessions and chain to other proxies at the same time.

    Also, mitmdump is one of the best and fastest ways to get ahold of web requests with Python to modify it on the fly.

    http://docs.mitmproxy.org/en/stable/mitmdump.html

    I have been using mitmproxy over Burp for day to day web app hacking these days. But we still use Burp scanner for lots of chores. I almost always chain through both to then go back in and use Burp features missing in mitmproxy (exploring site contents, etc.). But those are edge cases mostly needed for professional use and not for tinkering.

  • by mrtksn on 11/22/17, 4:05 PM

    It's not just a console, it also has a web based interface: http://docs.mitmproxy.org/en/stable/mitmweb.html

  • by eapen on 11/22/17, 1:08 PM

    This tool recently helped me troubleshoot a bug I was facing and unable to solve due to the lack of Safari's development tools. Here's a link for anyone interested: http://eapen.in/mitmproxy-for-troubleshooting/

  • by c7h on 11/22/17, 4:11 PM

    one of the best tools for reverse engineering mobile apps. I'm just having problems when certificate pinning is enabled. Does anyone have an idea (or even a solution) how to deal with that?

  • by jenscow on 11/22/17, 1:24 PM

    Just what I was looking for.

    All I wanted to do was change a request header for one host.

    After ~15 minutes I now have a transparent MITM https proxy - and I didn't even have to google the openssl command.

    Edit: Also, the documentation is excellent as the software.

  • by brazzledazzle on 11/22/17, 3:34 PM

    This tool has really helped me on several occasions with a wide variety of issues up and down the stack. Even with debugging web apps because while the chrome Dev tools are awesome they (at least at the time as far as I know) didn't expose the initial headers/network exchange for certain types of auth like NTLM.

  • by ijustdontcare on 11/22/17, 7:47 PM

  • by Lightbody on 11/22/17, 10:26 PM

    Although I don't contribute to it anymore, I worked on a similar project that seems to have some continued activity:

    https://github.com/lightbody/browsermob-proxy

    It's Java-based and forked out from some old MITM code from Selenium. It has a bunch of APIs for manipulating traffic, tweaking DNS resolution, rewriting content, etc. Just passing along in case anyone is looking for alternatives.

  • by jwilk on 11/22/17, 11:51 PM

    Beware that it listens on all interfaces by default:

    https://github.com/mitmproxy/mitmproxy/issues/1293

    I learned this the hard way. If you run a proxy on an unfirewalled machine with public IPv4, it's going to be abused really fast. :-(

  • by platz on 11/22/17, 9:57 PM

    Mitmproxy works pretty well for HTTPS - but it doesn't seem to generate HTTPS certs as well as Fiddler does

  • by pvg on 11/22/17, 2:37 PM

  • by abraae on 11/22/17, 11:33 PM

    I was just looking for something like this. Googling led me to Charles proxy, which seems a pretty capable tool, and I'm growing fond of it though the Java UI is jarringly ugly.

    Does anyone have any experience with charles vs mitmproxy?

  • by mpeg on 11/22/17, 1:22 PM

    I love mitmproxy, super easy to use (and to install an interception certificate) and the scripting support makes it very useful for pentesting iOS app traffic etc where I can't easily modify the client

  • by humanjvm on 11/22/17, 9:06 PM

    I've been using mitmproxy to inspect HTTPS traffic. Are there any Chrome/Wireshark configurations to allow me to inspect HTTPS with Wirshark?

  • by diegorbaquero on 11/22/17, 2:39 PM

    Mitmproxy is amazing! And you can get it easily in macOS with brew. Highly recommended

  • by sheharyarn on 11/22/17, 3:06 PM

    I love Mitmproxy and how easy it is to use! One of my favorite pentesting tools!

  • by CameronBanga on 11/22/17, 2:20 PM

    mitmproxy is great for iOS and Android pen testing. A must have tool.