We actually use https://github.com/python-hyper/hyper-h2 to implement mitmproxy's HTTP/2 support and have our own HTTP/2 mini-stack for fuzzing that (which is also exposed in pathod).
Many thanks to you, cortesi, and the rest of the team.
I hope this doesn't mean that the command-line interface is going to become a second-class interface? The CLI is what originally attracted me to mitmproxy. Having CLI keyboard shortcuts helped me immediately speed up my workflow faster than I was ever able to customize ZAP or Burp.
I love mitmproxy and use it for all my web application pentests. The flexibility is amazing, and allows me to quickly adapt, or write a rewrite rule or plugin, in any situation. Regex rules for limits and intercepts are amazing too.
The console interface will always remain a first-class interface. We plan to bring mitmweb up to feature parity with the console, after which we'll make sure that neither tool has capabilities the other doesn't. I'm super excited about the new possibilities the web interface opens up for the project (watch this space), but the command-line tool is wired into my fingers. :)
That's interesting to me. Can you describe your Burp workflow, and how you accomplish the same things in mitmproxy?
One of the things we're doing this year for our clients is selling them on the idea of doing basic security integration testing as part of their normal dev process, which might involve these companies buying copies of Burp for their team. But I could probably be convinced that mitmproxy would work just as well.
(I am, for what it's worth, extremely familiar with Burp, but only casually acquainted with mitmproxy).
> (I am, for what it's worth, extremely familiar with Burp, but only casually acquainted with mitmproxy).
You may be disappointed, since I am the opposite. I use burp in rare cases now, since I've been using mitmproxy for so long.
>That's interesting to me. Can you describe your Burp workflow, and how you accomplish the same things in mitmproxy?
You may also be disappointed on how my methodology might differ. I work for a shop that performs grey-box (authenticated) web application tests that focus on manual comprehensive coverage. So my work flow goes something like this:
- Manually walk the entire authenticated application, or designated portion. Populating all areas and using all application functionality.
- Analyze mitmproxy logs to identify all application entry points, and other OWASP areas of interest. (mitmproxy's "Limit" feature makes this fast and easy)
- Manually Test every endpoint, or other item, by duplicating the request, editing, and resending.
This is pretty basic, so I'm sure you see how this could be done with burp's repeater and intruder, which were the main areas I used.
In mitmproxy you can easily duplicate a flow, edit it, and resend it. Then, based on the response, resend it again. That's what I do for API testing, for web application testing it is usually closer to:
- Stage requests in Hackbar on Firefox and send the request, which goes through mitmproxy.
- Use Mitmproxy for fine-tuning anything, watching the details, and scripting the tedious.
> One of the things we're doing this year for our clients is selling them on the idea of doing basic security integration testing as part of their normal dev process, which might involve these companies buying copies of Burp for their team. But I could probably be convinced that mitmproxy would work just as well.
My basic common work flow is probably not very helpful in this case, but I think mitmproxy could still be very helpful to you. You probably know that mitmproxy can replay a series of requests, and has a great scripting API. I think these two features could be used together to meet a lot of your needs. Let me tell you about some of my experiences:
In some cases a customer just can't get their fix quite right, so I will need to repeatedly perform a series of tedious steps to retest an issue. So, I automate the process by using mitmproxy to save a file of the steps involved in testing the vulnerability. This may be something like:
Then, I can pass this to mitmdump to be replayed, with sticky-cookies enabled, and I just watch the output to make sure the output is correct.
As far as scripting goes, you may be interested in cases where I wanted to quickly test every input parameter for input validation of a list of characters. The script I wrote would be run on every request I made to the site I was testing, if it was a post request it would do the following:
- Duplicate the request for every POST parameter in the request
- Inject the list of characters in to the post parameter
- Run/Replay the new request
Hopefully you can make sense of my examples. I think by replaying request, or writing simple testing scripts, you could automate a lot of the basic security integration testing.
The beautiful thing about mitmproxy is that it has a simple, powerful, scriptable, core. By using the powerful building-blocks it's provided I can make it do whatever I want it to do. But, it may require a little python scripting.
Let me know if want additional attempts at clarification.
For what it's worth, the approach you take with web applications is pretty much the same as the one used by all the high-end software security firms (certainly Matasano, iSEC, Leviathan, and Bishop Fox). Out on a limb, I'd say every consultant at every one of those firms gets a copy of Burp.
The walk/filter/replay workflow you're talking about is one Burp is built around --- that's the Proxy History, "Send To Repeater", and "Repeater" features.
Regarding software teams at startups: I totally buy that mitmproxy is more scriptable than Burp (it doesn't hurt that most of the people we're working with in 2017 are Python shops). But I used Intruder a lot when testing, and I'm not sure I'd want to lose that; I think there's a lot of value in the sort of but not quite random fuzzing Burp is good at doing, for serendipity finds.
I tried to use mitmproxy to fiddle around with ad requests a while back and found it really hard to get good performance from it. All I wanted to do was find all responses that looked like XML (regardless of headers) and do some simple replacements. Even after fiddling with settings to make it not buffer large responses it was still slow enough that it really affected my general web browsing through it. I ended up using Fiddler instead, and found the performance much better right out of the gate. Which is unfortunate since I can't really share Fiddler scripts with people on osx/linux.
Its written in Python so performance will never be its strong point. Your regex might have been too greedy or you were throwing an entire network at it?
I was running it on my laptop, MITMing only my own browsing.
I was using something like "<?xml" in body to check for xml, then do a few additional checks, so unless the string in operator sucks perf wise I don't think there was much to do.
I'm not expecting miracles, just reporting what I experienced. Maybe some form of multiprocess architecture would help alleviate these issues, maybe running it via Jython would have been better, I don't really know much about Python performance.
Why the sudden bump to a 1.0 version number? And why the planned jump to 2.0 in February? (I'd really like to see that blog post you're alluding to. :)
It probably has to do with psychology more than anything. My mental model of this sort of development (if you'll permit me to be a bit florid) is of an eternal pilgrimage of small incremental improvements, without any fixed destination or many real landmarks along the way. The TODO list for mitmproxy has never grown shorter (and never will), so I just never reached a point where declaring a 1.0 was obviously right. I realise this is eccentric, doesn't reflect the maturity of the project, and is probably not the way my co-maintainers think about this, hence the change.
For much the same reason, I'd like to de-emphasise major version increments as flag-fall events. Incrementing the major version inline with our development cadence makes sense from that perspective.
Mitmproxy is a great tool for debugging web applications at a low level, particularly security related issues. Even for a n00b like myself the CLI was easy to use, but I'm happy to see a web interface as well. Keep up the good work!
Nice but, I'd pay money for built in SAZ support. Maybe just exposing the web interface to colleagues might be sufficient, but generally if they can't open it in Fiddler, it may have never happened, even if I provide complete instructions for opening the flow.
(And I've spent a nontrivial amount of time to make the SAZ post processor thing to work but after spending an hour or two trying to get compatible versions and python's environment setup, I gave up, installed a Windows VM and made a Fiddler capture...)
edit: Now I feel guilty for a feature request in an announcement post. Thank you for mitmproxy! It's definitely something I use weekly and I very much appreciate the support that Maximilian has given me in various GitHub issues, Slack, etc.
Something we'll be focusing on in the next release cycle is much better export and import to/from other formats. We already have pretty good HAR support, and that's going to get much better soon. I don't know if the SAZ format is well-documented... but Fiddler is an excellent tool and we'd like to be able to work alongside it. I'd certainly merge SAZ support if, say, I woke up tomorrow morning to a PR implementing it.
Kind of a non-starter for me, as this is a headless cloud VM with more RAM and CPU than any PC I've ever owned. If I were to actually install X, Xrdp, etc... I'm not in a better situation than simply using Windows in the first place.
And I suppose it's been long enough since trying Fiddler for Linux that I should reserve my experiences from last time around. I've gotten pretty used to mitmproxy. Seems to be the defacto, goto tool for HTTP captures on Linux.
I have used mitmproxy for performing web application pentest for years.
If you want something to create/intercept/edit/tamper/replay requests, this is your tool. If you want to script any of those things, this is still your tool.
However, burp comes with a lot of bells and whistles that don't make a lot of sense to build in to mitmproxy, but you can script yourself. For example, there is no intruder, spider, or scanner tool. But, they have an easy to use interface to write scripts that will be run on every request you make, or individual requests.
Or, you can just pass all mitmproxy traffic out to burp and get the best of both worlds.
I found burps active scanning feature in the pro version insanely valuable. So far it has found blind SQL injections, numerous xss vulns, command injection and even XXE. I think it's very hard to script such a comprehensive feature into mitmproxy (that is burp pro with collaborator servers).
Still if you're comparing the free version of burp with mitmproxy they do seem very similar. I wouldn't know for sure since I've never used mitmproxy.
I wouldn't bother with the free version of Burp. If that's where you're at, use Fiddler or mitmproxy.
For software developers doing routine integration-test security checks, I think there's probably a lot of value in the scanner. For professional testers, though, I think the scanner does more harm than good: if it's routinely spotting things you don't spot manually, you should revise your technique.
It's getting there, and if you hate Burp's Java UI and mostly use Burp solely to capture and manually edit requests, it might be an acceptable substitute.
I don't think pathoc/pathos are really close to what the Burp "Intruder" fuzzer does (and I'm not in love with Intruder either). A lot of people also rely on Burp's spider, for which there's no mitmproxy analog. Obviously, there's Burp's scanner, but I think scanners are a bad idea and wouldn't count this against mitmproxy.
Not sure if this answers your question: You can download our precompiled standalone binaries from https://github.com/mitmproxy/mitmproxy/releases/, run the mitmweb executable and your browser should open.
https://github.com/mitmproxy/mitmproxy/tree/master/pathod
https://github.com/mitmproxy/mitmproxy/blob/master/mitmproxy...
The whole package very well written. I'll definitely read through it and add it to my list of repos people should scan if they work with python.