Don't forget mitmdump. It is a great way to log sessions and chain to other proxies at the same time.<p>Also, mitmdump is one of the best and fastest ways to get ahold of web requests with Python to modify them on the fly.<p><a href="http://docs.mitmproxy.org/en/stable/mitmdump.html" rel="nofollow">http://docs.mitmproxy.org/en/stable/mitmdump.html</a><p>I have been using mitmproxy over Burp for day-to-day web app hacking these days. But we still use Burp scanner for lots of chores. I almost always chain through both to then go back in and use Burp features missing in mitmproxy (exploring site contents, etc.). But those are edge cases mostly needed for professional use and not for tinkering.
It's not just a console, it also has a web-based interface: <a href="http://docs.mitmproxy.org/en/stable/mitmweb.html" rel="nofollow">http://docs.mitmproxy.org/en/stable/mitmweb.html</a>
This tool recently helped me troubleshoot a bug I was facing and unable to solve due to the lack of Safari's development tools. Here's a link for anyone interested: <a href="http://eapen.in/mitmproxy-for-troubleshooting/" rel="nofollow">http://eapen.in/mitmproxy-for-troubleshooting/</a>
One of the best tools for reverse engineering mobile apps.
I'm just having problems when certificate pinning is enabled. Does anyone have an idea (or even a solution) how to deal with that?
Just what I was looking for.<p>All I wanted to do was change a request header for one host.<p>After ~15 minutes I now have a transparent MITM HTTPS proxy - and I didn't even have to google the openssl command.<p>Edit: Also, the documentation is as excellent as the software.
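As an added example (not part of the comment above and not mitmproxy's own code), here is a small addon script for the single-host header change described there. The host, header name and value are constructed placeholders, and the file name `set_header.py` is hypothetical.

```python
"""Constructed mitmproxy addon: set one request header for one host only.

Load it with:  mitmdump -s set_header.py --listen-host 127.0.0.1
(set_header.py is a hypothetical file name; binding to 127.0.0.1 keeps the
proxy off other interfaces.)
"""

TARGET_HOST = "api.example.test"   # assumption: placeholder host
HEADER_NAME = "X-Debug-Session"    # assumption: placeholder header name
HEADER_VALUE = "trace-1234"        # constructed sample value


def host_matches(host: str, target: str) -> bool:
    """True for the target itself or one of its subdomains (case-insensitive).

    Comparing on a label boundary avoids matching look-alike hosts such as
    'notapi.example.test' when the target is 'api.example.test'.
    """
    host = host.lower().rstrip(".")
    target = target.lower().rstrip(".")
    return host == target or host.endswith("." + target)


class SetHeaderForHost:
    """Rewrites a single header on requests to one host; all others pass untouched."""

    def __init__(self, target: str, name: str, value: str):
        self.target = target
        self.name = name
        self.value = value
        self.modified = 0  # count of requests that were rewritten

    def request(self, flow) -> None:
        """Event hook that mitmproxy calls for every client request."""
        if not host_matches(flow.request.pretty_host, self.target):
            return
        # Assignment replaces any existing value for this header.
        flow.request.headers[self.name] = self.value
        self.modified += 1


# mitmproxy picks up addon instances from this module-level list.
addons = [SetHeaderForHost(TARGET_HOST, HEADER_NAME, HEADER_VALUE)]
```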
This tool has really helped me on several occasions with a wide variety of issues up and down the stack. Even with debugging web apps, because while the Chrome dev tools are awesome, they (at least at the time, as far as I know) didn't expose the initial headers/network exchange for certain types of auth like NTLM.
Although I don't contribute to it anymore, I worked on a similar project that seems to have some continued activity:<p><a href="https://github.com/lightbody/browsermob-proxy" rel="nofollow">https://github.com/lightbody/browsermob-proxy</a><p>It's Java-based and forked out from some old MITM code from Selenium. It has a bunch of APIs for manipulating traffic, tweaking DNS resolution, rewriting content, etc. Just passing along in case anyone is looking for alternatives.
Beware that it listens on all interfaces by default:<p><a href="https://github.com/mitmproxy/mitmproxy/issues/1293" rel="nofollow">https://github.com/mitmproxy/mitmproxy/issues/1293</a><p>I learned this the hard way. If you run a proxy on an unfirewalled machine with public IPv4, it's going to be abused <i>really</i> fast. :-(
Many previous discussions:<p><a href="https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&prefix=false&page=0&dateRange=all&type=story" rel="nofollow">https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&pr...</a>
I was just looking for something like this. Googling led me to Charles proxy, which seems a pretty capable tool, and I'm growing fond of it though the Java UI is jarringly ugly.<p>Does anyone have any experience with Charles vs mitmproxy?
I love mitmproxy, super easy to use (and to install an interception certificate), and the scripting support makes it very useful for pentesting iOS app traffic etc. where I can't easily modify the client.
I've been using mitmproxy to inspect HTTPS traffic. Are there any Chrome/Wireshark configurations to allow me to inspect HTTPS with Wireshark?