
Mitmproxy – Open-source console-based proxy - isarat
https://mitmproxy.org/
======
bitexploder
Don't forget mitmdump. It is a great way to log sessions and chain to other
proxies at the same time.

Also, mitmdump is one of the best and fastest ways to get ahold of web
requests with Python to modify them on the fly.

[http://docs.mitmproxy.org/en/stable/mitmdump.html](http://docs.mitmproxy.org/en/stable/mitmdump.html)

I have been using mitmproxy over Burp for day to day web app hacking these
days. But we still use Burp scanner for lots of chores. I almost always chain
through both to then go back in and use Burp features missing in mitmproxy
(exploring site contents, etc.). But those are edge cases mostly needed for
professional use and not for tinkering.

~~~
nopcode
I don't understand how this can be faster or more friendly than using Burp.

Would you mind sharing an example flow?

~~~
bitexploder
I just like working in terminal. Some things I can do faster in mitmproxy
(filtering with lots of constraints, shooting response or request data to a
pipe). It has a mutt like interface so if mutt seems fast and intuitive then
mitmproxy will feel similar. I have spent a lot of years thrashing around in
the Burp GUI and mostly I don't need all the features all the time :)

Things that are a few clicks in Burp are a few terse keystrokes or key presses
in mitmproxy. IDK, give it a shot and see if it makes sense. Most of our team
just sticks with Burp FWIW.

------
mrtksn
It's not just a console, it also has a web based interface:
[http://docs.mitmproxy.org/en/stable/mitmweb.html](http://docs.mitmproxy.org/en/stable/mitmweb.html)

~~~
hans_mueller
I'd say, it's not just a web based interface, it also is a console.

------
eapen
This tool recently helped me troubleshoot a bug I was facing and unable to
solve due to the lack of Safari's development tools. Here's a link for anyone
interested:
[http://eapen.in/mitmproxy-for-troubleshooting/](http://eapen.in/mitmproxy-for-troubleshooting/)

------
c7h
one of the best tools for reverse engineering mobile apps. I'm just having
problems when certificate pinning is enabled. Does anyone have an idea (or
even a solution) how to deal with that?

~~~
Aissen
Even without certificate pinning, starting with Android 7, you must decompile
the app to allow user provided certificates. Or use an xposed module if you
have a rooted device.

See this mitmproxy bug:
[https://github.com/mitmproxy/mitmproxy/issues/2054](https://github.com/mitmproxy/mitmproxy/issues/2054)

And this tool is nice to automate decompiling, adding the line in the manifest
to be able to use user-installed certificates, and recompiling:
[https://github.com/levyitay/AddSecurityExceptionAndroid](https://github.com/levyitay/AddSecurityExceptionAndroid)

Also, if the app uses Google signin, you _have_ to be rooted, because play
services uses the package manager to check the app signer before giving the
app a token.

~~~
justinjlynn
Just wait until they go full 'treacherous computing' and turn on remote
attestation using TPMs.

~~~
Aissen
Remote attestations already exist with SafetyNet, but don't use TPMs (IIRC).
TPMs are interesting because they allow _local_ attestations; and it's
happening already, for some use cases:
[https://android-developers.googleblog.com/2017/09/keystore-k...](https://android-developers.googleblog.com/2017/09/keystore-key-attestation.html)

~~~
justinjlynn
wow... thanks for the link. I need to keep a closer eye on the platform,
apparently.

------
jenscow
Just what I was looking for.

All I wanted to do was change a request header for one host.

After ~15 minutes I now have a transparent MITM https proxy - and I didn't
even have to google the openssl command.

Edit: Also, the documentation is as excellent as the software.
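
Added example, not part of the original comment and not mitmproxy's own code: a mitmproxy addon that sets one request header for a single host, the task described above. The host name, header name and header value are placeholders constructed for illustration.

```python
"""Added example: set one request header, for one host only."""

TARGET_HOST = "api.example.test"   # assumed host (constructed placeholder)
HEADER_NAME = "X-Debug-Trace"      # assumed header name (constructed)
HEADER_VALUE = "on"                # assumed header value (constructed)


class HostHeaderRewrite:
    """Rewrite a single header on requests to exactly one host."""

    def __init__(self, host, name, value):
        self.host = host.lower().rstrip(".")
        self.name = name
        self.value = value
        self.rewritten = 0  # number of requests modified, useful for logging

    def matches(self, host):
        # Exact, case-insensitive match. A suffix or substring test would
        # also match look-alike names such as "api.example.test.other.invalid".
        return host.lower().rstrip(".") == self.host

    def request(self, flow):
        # mitmproxy calls this hook once per client request.
        # pretty_host prefers the Host header, which the client controls;
        # in transparent mode it may differ from the real destination.
        if self.matches(flow.request.pretty_host):
            flow.request.headers[self.name] = self.value
            self.rewritten += 1


# mitmproxy picks up addon instances from this module-level list.
addons = [HostHeaderRewrite(TARGET_HOST, HEADER_NAME, HEADER_VALUE)]
```

Load it with `mitmdump -s rewrite_header.py`; the file name is arbitrary.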

------
brazzledazzle
This tool has really helped me on several occasions with a wide variety of
issues up and down the stack. Even with debugging web apps because while the
chrome Dev tools are awesome they (at least at the time as far as I know)
didn't expose the initial headers/network exchange for certain types of auth
like NTLM.

~~~
emj
Mitmproxy is nice, but I think dev tools have become a lot better, I discovered
that because my standard workhorse Chrome+Wireshark is very finicky with SSL:

    SSLKEYLOGFILE=$HOME/ssl_crt_dbg google-chrome --user-data-dir=TEMPUSER

Then you configure Wireshark SSL decoding with the pre-master key file as
"ssl_crt_dbg"; it fails too often for me.

Nowadays I use remote debugging and Python a lot:

    $ google-chrome --remote-debugging-port=9222

    import PyChromeDevTools
    # Attach to the Chrome instance started above with remote debugging enabled
    chrome = PyChromeDevTools.ChromeInterface(host="localhost", port=9222)
    chrome.Network.enable()
    while True:
        # Print each DevTools message as it arrives
        print(chrome.wait_message(timeout=0.1))

But the simplicity of a Mitmproxy is almost as great as wireshark.

~~~
pimlottc
Can you explain more what you're doing with the python code?

------
ijustdontcare
[https://docs.mitmproxy.org/en/latest/mitmproxy.html](https://docs.mitmproxy.org/en/latest/mitmproxy.html)
Nice TLS work

------
Lightbody
Although I don't contribute to it anymore, I worked on a similar project that
seems to have some continued activity:

[https://github.com/lightbody/browsermob-proxy](https://github.com/lightbody/browsermob-proxy)

It's Java-based and forked out from some old MITM code from Selenium. It has a
bunch of APIs for manipulating traffic, tweaking DNS resolution, rewriting
content, etc. Just passing along in case anyone is looking for alternatives.

------
jwilk
Beware that it listens on all interfaces by default:

[https://github.com/mitmproxy/mitmproxy/issues/1293](https://github.com/mitmproxy/mitmproxy/issues/1293)

I learned this the hard way. If you run a proxy on an unfirewalled machine
with public IPv4, it's going to be abused _really_ fast. :-(
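
Added example, not part of the original comment: a check for the exposure described above, flagging TCP listeners bound to a wildcard address in `ss -ltn` output. The sample output is constructed; 8080 is mitmproxy's default listen port.

```python
"""Added example: find listeners bound to all interfaces in `ss -ltn` output."""

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128        127.0.0.1:8081       0.0.0.0:*
LISTEN 0      128             [::]:8080          [::]:*
LISTEN 0      128            [::1]:9090          [::]:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128                *:8082             *:*
"""

# Local addresses that mean "every interface" (IPv4, IPv6, dual-stack).
WILDCARDS = {"0.0.0.0", "::", "*"}


def split_hostport(local):
    """Split ss's 'addr:port' column, handling [v6] brackets and %scope."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def wildcard_listeners(ss_output, ports=None):
    """Return (address, port) for each listener bound to all interfaces.

    ports: optional set of ports to restrict the check to, e.g. {8080}.
    """
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_hostport(fields[3])
        if host in WILDCARDS and (ports is None or port in ports):
            found.append((host, port))
    return found


if __name__ == "__main__":
    for host, port in wildcard_listeners(SAMPLE_SS, ports={8080}):
        print(f"port {port} is reachable on all interfaces ({host})")
```

If the proxy port shows up here, restart mitmproxy with `--listen-host 127.0.0.1` or firewall the port.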

------
platz
Mitmproxy works pretty well for HTTPS - but it doesn't seem to generate HTTPS
certs as well as Fiddler does

~~~
mhils
Mitmproxy dev here - please feel free to file a bug on GitHub if you have a
reproducible example where we fail. :)

------
pvg
Many previous discussions:

[https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&pr...](https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&prefix=false&page=0&dateRange=all&type=story)

------
abraae
I was just looking for something like this. Googling led me to Charles proxy,
which seems a pretty capable tool, and I'm growing fond of it though the Java
UI is jarringly ugly.

Does anyone have any experience with charles vs mitmproxy?

------
mpeg
I love mitmproxy, super easy to use (and to install an interception
certificate) and the scripting support makes it very useful for pentesting iOS
app traffic etc where I can't easily modify the client

~~~
cowabungamann
How do you disable certificate pinning on iOS?

~~~
mpeg
Haven't had to as the apps I targeted weren't using it. Can't think of an
obvious way without rooting the device though...

~~~
bitexploder
That is because there isn't a good solution. You can get away with repackaging
an IPA and hand modifying the binary depending on how they are performing the
pinning, but it is always going to be time consuming to do it this way. If you
are serious about tinkering you pretty much need a jailbroken device, which is
getting harder to maintain by the year.

------
humanjvm
I've been using mitmproxy to inspect HTTPS traffic. Are there any
Chrome/Wireshark configurations to allow me to inspect HTTPS with Wireshark?

------
diegorbaquero
Mitmproxy is amazing! And you can get it easily in macOS with brew. Highly
recommended

------
sheharyarn
I love Mitmproxy and how easy it is to use! One of my favorite pentesting
tools!

------
CameronBanga
mitmproxy is great for iOS and Android pen testing. A must have tool.

