
Charles – Web Debugging Proxy Application - punnerud
https://www.charlesproxy.com/
======
ejcx
I actually use a local instance of nginx/openresty as my web debugging proxy.
I should write a blog on it or something, since it seems like few people do.

It's free. It's a breeze to set up, all you need to do is point it at the
upstream server you are testing, and it has lua support so you can write code
and modify requests on the fly, strip headers, inject things with code.

All the work is already done to manipulate HTTP requests and responses in
nginx, so it is actually really smooth: there is no learning curve of a new
tool, and everything just works.

~~~
bckmn
I would greedily read a write-up about this.

~~~
ejcx
Cool! I'll write it this week and get back to you.

~~~
GVRV
Please post it here on HN when you're done. I'd love to read such a tutorial
as well!

------
xeno42
I've had a license for Charles Proxy for the last 9 years and it's been a
seriously useful tool, not just for introspecting http/https traffic (and
recording those sessions to attach to tickets), but for dynamically modifying
requests and responses.

A couple of examples that come to mind:

* Want to test your production/deployed app against a dev/local api server? Have it redirect traffic to a different host and rewrite any headers required (production vs dev api keys for example) - That includes DNS spoofing and re-mapping host names as required.

* Found a bug on a web site and want to test a fix to the javascript without setting up a whole environment? Copy the javascript file in question to your hdd, modify it as desired and have Charles serve that file up when the browser/app requests the original.

I don't have any connection to the author; just been well worth its price for
me.
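The two workflows in this comment (send a production app's API calls to a dev host while swapping the API-key header, and answer a request for one JavaScript URL from a file on disk) as an added mitmproxy addon. This is example code written for this page, not a Charles feature and not code from anyone in the thread; mitmproxy is the scriptable proxy mentioned elsewhere here. Every host, port, header name, key value and file path is a constructed placeholder, and the rules live in a pure function so they can be checked without mitmproxy installed.

```python
"""
Charles-style "map remote" and "map local" as a mitmproxy addon (added example).
Run under the proxy with:  mitmdump -s rewrite_addon.py
The decision logic is plain Python (no mitmproxy types) so it can be
tested without the proxy running; the hook at the bottom applies it.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

try:
    from mitmproxy import http  # present when loaded by mitmdump
except ImportError:  # assumption: mitmproxy absent; the rules still import
    http = None

# ---- constructed configuration: every host, key and path is a placeholder ----
REMOTE_MAP = {
    # production host -> (dev host, dev port, does the dev server speak TLS?)
    "api.example.com": ("localhost", 8080, False),
}
HEADER_SWAP = {
    # production host -> (header to replace, value the dev API expects)
    "api.example.com": ("X-Api-Key", "dev-key-PLACEHOLDER"),
}
LOCAL_MAP = {
    # (host, path) -> file on disk to serve instead of the origin's copy
    ("cdn.example.com", "/static/app.js"): Path("./patched-app.js"),
}


@dataclass
class Rewrite:
    """What to do with one request: where to send it and with which headers."""
    host: str
    port: int
    scheme: str
    headers: dict[str, str]
    local_file: Path | None = None  # set => answer from disk, never hit origin


def plan_rewrite(host: str, port: int, scheme: str, path: str,
                 headers: dict[str, str]) -> Rewrite:
    """Pure function: apply LOCAL_MAP, then HEADER_SWAP, then REMOTE_MAP."""
    new_headers = dict(headers)
    local = LOCAL_MAP.get((host, path))
    if local is not None:
        return Rewrite(host, port, scheme, new_headers, local_file=local)
    if host in HEADER_SWAP:
        name, value = HEADER_SWAP[host]
        # drop every spelling of the header so the production key never
        # travels alongside the dev one, then set the canonical name
        for existing in [h for h in new_headers if h.lower() == name.lower()]:
            del new_headers[existing]
        new_headers[name] = value
    if host in REMOTE_MAP:
        dev_host, dev_port, dev_tls = REMOTE_MAP[host]
        return Rewrite(dev_host, dev_port, "https" if dev_tls else "http",
                       new_headers)
    return Rewrite(host, port, scheme, new_headers)


def request(flow: "http.HTTPFlow") -> None:
    """mitmproxy hook: runs once per client request, before it is forwarded."""
    req = flow.request
    # dict() keeps one value per header name, which is enough here;
    # req.path includes any query string, so LOCAL_MAP keys must match it
    plan = plan_rewrite(req.host, req.port, req.scheme, req.path,
                        dict(req.headers.items()))
    if plan.local_file is not None:
        if not plan.local_file.is_file():
            return  # nothing to serve; let the origin answer instead
        flow.response = http.Response.make(
            200, plan.local_file.read_bytes(),
            {"Content-Type": "application/javascript"})
        return
    for name in [h for h in req.headers if h not in plan.headers]:
        del req.headers[name]
    for name, value in plan.headers.items():
        req.headers[name] = value
    # changing scheme/host/port retargets the upstream connection;
    # mitmproxy keeps the Host header in step with the new host
    req.scheme, req.host, req.port = plan.scheme, plan.host, plan.port
```

Keeping the rules in `plan_rewrite` is the point of the design: the part that decides where traffic goes and which secret is attached is the part that deserves a unit test, and a mistake there (for example leaving the production key on a request that is now going to a dev box) is exactly the kind of thing a quick assertion catches before the proxy is ever started.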

------
waxjar
We use Charles extensively at work, it's a great tool.

The only thing that really annoys me is that, this being a Java app, the
interface works slightly differently from the standard OS X interface I'm used
to.

I regularly use cmd + backspace, for example, to delete all text between the
beginning of the line and the cursor. In Charles this is a hot key that
removes all recorded requests. There are more such things.

I've been looking for a similar app with a native UI, but haven't been able to
find one yet.

~~~
aggregator-ios
Give [https://interceptapp.xyz](https://interceptapp.xyz) a try. Fully native.
Currently in alpha.

Disclosure: I'm the developer.

~~~
seanp2k2
Nice, the part about JSON schema decoding seems useful. I've done that by hand
and ripped apart enough curl requests from chrome network tools -> right click
-> copy as curl to want an easier way. Paw can also import HTTP requests into
itself (free plugin) and export Python Requests code or different curl or many
other versions for different languages, as well as inspecting the request and
response headers and bodies, making things like the Authorization header super
easy, etc. We use it at work quite a bit and go as far as documenting the APIs
for things with a paw file (you could get the same thing with a Swagger doc
and the swagger ui, and sometimes we do that as well).
[https://luckymarmot.com/paw](https://luckymarmot.com/paw) (I'm not affiliated
with them in any way beyond being a paying user grateful for a nice tool).

------
samhunta
Betwixt is amazing, you can use the familiar Chrome Dev Tools interface for
debugging web requests.

[https://github.com/kdzwinel/betwixt](https://github.com/kdzwinel/betwixt)

------
pizza
OWASP Zed Attack Proxy is a proxy for pentesting -
[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)

------
chris_wot
Charles saved my life last year. I had just been promoted to systems
administrator, but given no access to any systems. Like, no access to the IIS
server, and no access to the SQL Server instance!

That didn't stop them from expecting me to diagnose what was wrong with their
custom app. When I noticed that I could also submit test data to a test store
in the app on my iPhone (it was an exclusively mobile-only app) I ran the app
through Charles and discovered that the app was spitting back a SQL Server
error - that the disk was full.

48 hours later and the so-called database gurus in South Africa had fixed the
issue. I would be prevented from gaining access to these critical systems
throughout my time at that company.

------
exratione
If you make third party web applications, Javascript or whatnot to include on
someone else's page, then Charles or similar is a must-have when you have
non-technical and semi-technical people helping with customer issues. Almost
anyone can use Charles to make the simple assessments of a problem, root
cause, wolf-fencing, etc.

In the technical groups, Charles can usually be bettered for ease of use by
custom tools for specific use cases. It is pretty quick and easy to use the
proxy libraries in Node.js to throw together internal tools with a command
line interface, for example.

------
marvel_boy
mitmproxy is a fantastic tool and free. This is just marketing spam.

[https://mitmproxy.org](https://mitmproxy.org)

~~~
zodiakzz
>marketing spam

Why does team must-do-everything-in-the-terminal always come off as so
religiously provocative and desperate? Not everyone is obsessed with their
keyboard and feels like going through a huge learning curve to use basic tools;
most of us prefer utilizing the mouse and GUIs.

~~~
jchiu1106
The OP didn't even mention mitmproxy is a terminal tool. You're being a little
too sensitive by automatically assuming this is a GUI vs terminal war.

People would have less of a problem if the submission was an open source tool,
GUI or not.

P.S. Terminal applications do have a tremendous advantage when you work on a
headless server. I used mitmproxy and it's great. The ncurses interface isn't
harder to use than that of a GUI.

~~~
marvel_boy
Thanks. Exactly what I thought. Anyway I'm not against Charles, but better to use
other channels to publicize a paid app.

------
nness
Use this religiously at work, fantastic tool.

~~~
jdavis703
Same. It's really great for reverse engineering the endpoints mobile
applications use.

~~~
SoulMan
Any idea how to decode the HTTPS traffic? Note the server and client are run
by us.

~~~
weitzj
You can install a self-signed certificate by Charles on your device and trust
it. Then you can decrypt the traffic from your device using Charles as a
proxy. Really easy, really nice.

~~~
aplummer
To add, it's basically 1-click for the iOS simulator install, my favourite
feature.

------
wallflower
Charles is one of those applications like Sublime Text that delivers value far
in excess of the purchase price.

Plus, the Charles icon on Mac is always an idiosyncratic delight to see in the
dock.

------
erikcw
I've been using it daily for years. Just wish it had some scripting capability
for rewriting requests etc. Perhaps Jython integration...

------
pino8
I prefer netfox!
[https://github.com/kasketis/netfox](https://github.com/kasketis/netfox)

------
factorialboy
Is anybody aware of alternatives? I'd like to compare before deciding which
one to embrace.

~~~
sleazebreeze
I am most familiar with Telerik's free product Fiddler. Looks like a similar
feature set to Charles.

[http://www.telerik.com/fiddler](http://www.telerik.com/fiddler)

~~~
spo81rty
On Windows at least, Fiddler has always been the tool of choice for this
amongst everyone I know too.

------
insomniacity
You can't use this to work around pinned certificates, right?

It's very powerful, but unfortunately it just caused the first mobile I tried
to misbehave, I'm assuming because the certificate was pinned.

------
update
Well, since this is up here: Does anyone else get an error in Firefox when
using Charles on sites that use HSTS?

I can't use Charles at all in Firefox.

------
haliou
Can someone please enumerate the advantages compared to, let's say Chrome dev
tools? Tried to google to no avail. Thanks in advance.

~~~
jecjec
Applications other than web browsers send and receive network traffic.

------
devniel
Great tool, I have used this to learn how some apps interact with their
corresponding back ends.

------
mateuszf
Looks like a nice tool, too expensive for me though.

~~~
lmkg
After the trial period is done, it doesn't stop working, it just becomes
nagware. All the functionality is there, but it will close itself after 30
minutes, and every once in a while will pause for five seconds to ask you to
buy a license.

I've used the nagware version at work while waiting for purchasing approval.
It's perfectly functional for the work I do, and only very slightly annoying.
YMMV depending on your needs (I never need it for more than ten minutes at a
time).

------
sarabad2021
Still doesn't render html?

------
po1nter
Why is this spam on the frontpage?

~~~
punnerud
Could be because I loved it and posted it to HN, and I wasn't the only one?

I prefer using MITMproxy/dump together with Node but this is a lot simpler
a tool to get your head around.

------
nojvek
Great tool. Don't like the marketing spam though. I'd like a scripting API
though.

