
Show HN: Mitmproxy 1.0 released, now with a web interface - mhils
https://corte.si/posts/code/mitmproxy/announce_1_0/index.html
======
Goopplesoft
Forgot this was written in python. Scanned the code to see how they do
http/2\. This lib seems useful for general python use:

[https://github.com/mitmproxy/mitmproxy/tree/master/pathod](https://github.com/mitmproxy/mitmproxy/tree/master/pathod)

[https://github.com/mitmproxy/mitmproxy/blob/master/mitmproxy...](https://github.com/mitmproxy/mitmproxy/blob/master/mitmproxy/net)

The whole package very well written. I'll definitely read through it and add
it to my list of repos people should scan if they work with python.

~~~
mhils
Thanks!

We actually use [https://github.com/python-
hyper/hyper-h2](https://github.com/python-hyper/hyper-h2) to implement
mitmproxy's HTTP/2 support and have our own HTTP/2 mini-stack for fuzzing that
(which is also exposed in pathod).

------
mhils
Author(s) here - happy to answer any questions and take feedback! :)

~~~
capt8bit
Many thanks to you, cortesi, and the rest of the team.

I hope this doesn't mean that the command-line interface is going to become a
second-class interface? The CLI is what originally attracted me to mitmproxy.
Having CLI keyboard shortcuts helped me immediately speed up my workflow
faster than I was ever able to customize ZAP or Burp.

I love mitmproxy and use it for all my web application pentests. The
flexibility is amazing, and allows me to quickly adapt, or write a rewrite
rule or plugin, in any situation. Regex rules for limits and intercepts are
amazing too.

Keep up the good work.

~~~
tptacek
That's interesting to me. Can you describe your Burp workflow, and how you
accomplish the same things in mitmproxy?

One of the things we're doing this year for our clients is selling them on the
idea of doing basic security integration testing as part of their normal dev
process, which might involve these companies buying copies of Burp for their
team. But I could probably be convinced that mitmproxy would work just as
well.

(I am, for what it's worth, extremely familiar with Burp, but only casually
acquainted with mitmproxy).

~~~
capt8bit
> (I am, for what it's worth, extremely familiar with Burp, but only casually
> acquainted with mitmproxy).

You may be disappointed, since I am the opposite. I use burp in rare cases
now, since I've been using mitmproxy for so long.

>That's interesting to me. Can you describe your Burp workflow, and how you
accomplish the same things in mitmproxy?

You may also be disappointed on how my methodology might differ. I work for a
shop that performs grey-box (authenticated) web application tests that focus
on manual comprehensive coverage. So my work flow goes something like this:

    
    
      - Manually walk the entire authenticated application, or designated portion. Populating all areas and using all application functionality.
      - Analyze mitmproxy logs to identify all application entry points, and other OWASP areas of interest. (mitmproxy's "Limit" feature makes this fast and easy)
      - Manually Test every endpoint, or other item, by duplicating the request, editing, and resending.
    

This is pretty basic, so I'm sure you see how this could be done with burp's
repeater and intruder, which were the main areas I used.

In mitmproxy you can easily duplicate a flow, edit it, and resend it. Then,
based on the response, resend it again. That's what I do for API testing, for
web application testing it is usually closer to:

    
    
      - Stage requests in Hackbar on Firefox and send the request, which goes through mitmproxy.
      - Use Mitmproxy for fine-tuning anything, watching the details, and scripting the tedious.
    

> One of the things we're doing this year for our clients is selling them on
> the idea of doing basic security integration testing as part of their normal
> dev process, which might involve these companies buying copies of Burp for
> their team. But I could probably be convinced that mitmproxy would work just
> as well.

My basic common work flow is probably not very helpful in this case, but I
think mitmproxy could still be very helpful to you. You probably know that
mitmproxy can replay a series of requests, and has a great scripting API. I
think these two features could be used together to meet a lot of your needs.
Let me tell you about some of my experiences:

In some cases a customer just can't get their fix quite right, so I will need
to repeatedly perform a series of tedious steps to retest an issue. So, I
automate the process by using mitmproxy to save a file of the steps involved
in testing the vulnerability. This may be something like:

    
    
      Log in -> Create widget -> edit widget -> destroy widget -> submit note
    

Then, I can pass this to mitmdump to be replayed, with sticky-cookies enabled,
and I just watch the output to make sure the output is correct.

As far as scripting goes, you may be interested in cases where I wanted to
quickly test every input parameter for input validation of a list of
characters. The script I wrote would be run on every request I made to the
site I was testing, if it was a post request it would do the following:

    
    
      - Duplicate the request for every POST parameter in the request
      - Inject the list of characters in to the post parameter
      - Run/Replay the new request
    

Hopefully you can make sense of my examples. I think by replaying request, or
writing simple testing scripts, you could automate a lot of the basic security
integration testing.

The beautiful thing about mitmproxy is that it has a simple, powerful,
scriptable, core. By using the powerful building-blocks it's provided I can
make it do whatever I want it to do. But, it may require a little python
scripting.

Let me know if want additional attempts at clarification.

 _edited for formatting_

~~~
tptacek
This is great.

For what it's worth, the approach you take with web applications is pretty
much the same as the one used by all the high-end software security firms
(certainly Matasano, iSEC, Leviathan, and Bishop Fox). Out on a limb, I'd say
every consultant at every one of those firms gets a copy of Burp.

The walk/filter/replay workflow you're talking about is one Burp is built
around --- that's the Proxy History, "Send To Repeater", and "Repeater"
features.

Regarding software teams at startups: I totally buy that mitmproxy is more
scriptable than Burp (it doesn't hurt that most of the people we're working
with in 2017 are Python shops). But I used Intruder _a lot_ when testing, and
I'm not sure I'd want to lose that; I think there's a lot of value in the sort
of but not quite random fuzzing Burp is good at doing, for serendipity finds.

------
mstade
TIL a new word: abstruse.

Mitmproxy is a great tool for debugging web applications at a low level,
particularly security related issues. Even for a n00b like myself the CLI was
easy to use, but I'm happy to see a web interface as well. Keep up the good
work!

------
colemickens
Nice but, I'd pay money for built in SAZ support. Maybe just exposing the web
interface to colleagues might be sufficient, but generally if they can't open
it in Fiddler, it may have never happened, even if I provide complete
instructions for opening the flow.

(And I've spent a nontrivial amount of time to make the SAZ post processor
thing to work but after spending an hour or two trying to get compatible
versions and python's environment setup, I gave up, installed a Windows VM and
made a Fiddler capture...)

edit: Now I feel guilty for a feature request in an announcement post. Thank
you for mitmproxy! It's definitely something I use weekly and I very much
appreciate the support that Maximilian has given me in various GitHub issues,
Slack, etc.

~~~
nimrody
There's a Fiddler version for Linux (based on mono) which, in my experience,
works quite well. Easier than starting up a windows VM.

The killer feature of Fiddler, for me, is the timeline display which we use to
optimise network heavy apps.

~~~
colemickens
Kind of a non-starter for me, as this is a headless cloud VM with more RAM and
CPU than any PC I've ever owned. If I were to actually install X, Xrdp, etc...
I'm not in a better situation than simply using Windows in the first place.

And I suppose it's been long enough since trying Fiddler for Linux that I
should reserve my experiences from last time around. I've gotten pretty used
to mitmproxy. Seems to be the defacto, goto tool for HTTP captures on Linux.

~~~
feld
Why wouldn't X window forwarding be ok?

~~~
colemickens
I've never had X forwarding work well enough to actually be usable, and last
time I checked NX was still a massive (/non-free) pain to setup.

Besides, I _already_ have a workflow that works perfectly fine, is headless as
I prefer, works with mitmproxy, etc.

Also, I installed Fiddler from AUR again this afternoon and it just looked
awful. The settings menus were unreadable, for example.

------
janvdberg
Looks cool! How does this compare to Burp Suite? I am specifically looking for
something more lightweight.

~~~
capt8bit
I have used mitmproxy for performing web application pentest for years.

If you want something to create/intercept/edit/tamper/replay requests, this is
your tool. If you want to script any of those things, this is still your tool.

However, burp comes with a lot of bells and whistles that don't make a lot of
sense to build in to mitmproxy, but you can script yourself. For example,
there is no intruder, spider, or scanner tool. But, they have an easy to use
interface to write scripts that will be run on every request you make, or
individual requests.

Or, you can just pass all mitmproxy traffic out to burp and get the best of
both worlds.

~~~
SCHiM
I found burps active scanning feature in the pro version insanely valuable. So
far it has found blind SQL injections, numerous xss vulns, command injection
and even XXE. I think it's very hard to script such a comprehensive feature
into mitmproxy (that is burp pro with collaborator servers).

Still if you're comparing the free version of burp with mitmproxy they do seem
very similar. I wouldn't know for sure since I've never used mitmproxy.

~~~
tptacek
I wouldn't bother with the free version of Burp. If that's where you're at,
use Fiddler or mitmproxy.

For software developers doing routine integration-test security checks, I
think there's probably a lot of value in the scanner. For professional
testers, though, I think the scanner does more harm than good: if it's
routinely spotting things you don't spot manually, you should revise your
technique.

------
lox
I'd love to figure out how to use Mitmproxy to intercept traffic from Docker
containers for debugging on macOS, I've never been able to make it work.

~~~
Steeeve
I've done this a few times - intercepting traffic to applications running
within docker, not intercepting docker's internal communications.

I usually use a container specifically for MITMProxy rather than install it
alongside whatever I'm troubleshooting.

It was pretty straightforward. I don't recall having to do anything tricky to
make it work.

------
SimeVidas
The web interface is available only _after_ installing the Python tool, or?

~~~
mhils
Not sure if this answers your question: You can download our precompiled
standalone binaries from
[https://github.com/mitmproxy/mitmproxy/releases/](https://github.com/mitmproxy/mitmproxy/releases/),
run the mitmweb executable and your browser should open.

