Hey HN,
I've been working on an intercepting proxy for penetration testing over the last few years in my spare time.
Some points of difference from the existing tools:
* The UIs are built using the native platform frameworks, meaning they look and behave like other applications on the desktop.
* It has a fully embedded and integrated Python scripting engine.
* It's fully native, meaning it's nicer on system resources.
* It has a number of built-in scripts to automate reconnaissance, content discovery, authorisation checks, etc.
* The core of it is open source.
I'm really keen to get any feedback!

Pākiki is a Māori verb meaning to probe: https://maoridictionary.co.nz/search?keywords=pakiki
The macron (āēīōū) lengthens the vowel sound (Latin has this too); otherwise pronounce the vowels the same as in Spanish. Lengthened vowels are harder for most American speakers to get right: https://youtu.be/tPi2jtU7Tl4?t=6m23 Vowel length matters in New Zealand (e.g. the pronunciation of "can't" causes problems).
Perhaps this could be added to the docs?

Love it, especially the Python scripting engine.
Also, don't listen to those who say things like "soo, like Burp?" (the ones who do it to belittle the effort).
People used to say (and still do) Postman is "just a wrapper around curl", and I was like, "So are operating systems, they're a wrapper around hardware, and C is a wrapper around assembly, and Python is a wrapper around 'I don't want to manage memory, let's make a web app instead'. What's your point?" lol

Postman is now worth a couple of billion, btw.
You're doing a great job - keep at it.
Ping me if you need testers (I work in AppSec/red teaming).

Hi there! Co-founder of Caido (https://caido.io) here.
Glad to see more competition in the space; we also went the route of using an API (built in Rust). We decided to focus only on a web UI in vue.js. I will look at how you are storing data and all; we went the SQLite way to save on RAM.
Looks like we are both going after Burp; it's not going to be an easy ride for sure. What we found is it is very hard to make people in enterprise switch, and the $100/y pricing really isn't enough to build a serious business without enterprise clients at a higher price point.
Anyway, best of luck!

Hi, just wanted to say that I walked through this and it's really neat. I'm running it all through WSL on a reasonably powerful laptop (ASUS G14) and performance has been buttery so far. I especially want to commend you on the clear, simple-to-use UX and UI. This will definitely fill a niche for me at work if I have to use an underpowered jumpbox to test internal web applications.
One UX point: I may have missed this, but when I start an injection attack, it would be nice to see a real-time table of the output so that I can see which injections have been tried (kind of like how you can see it in Burp Suite with Logger++ or the sub-window that opens up when you start an Intruder attack). Totally respect a conscious choice to not go down this (potentially) resource-intensive 'view', but curious if that's on the roadmap. Right now I just get a spinning animation after I hit Run, and I don't see any output in the sidebar where it says "Scans will be shown here once they have started".
In all honesty, I probably will stick with Burp Suite for my bread-and-butter web app testing flow (it also helps that my org pays for a Pro license), but I want to thank you for the effort put into this and the courage to explore a new modality (web app testing without a resource-heavy proxy tool like Burp).

I'm exactly the target market for this.
I won't pay for subscriptionware. I switched from Premiere to Resolve just to avoid having to be someone's MRR, and I now pirate Lightroom pending its replacement.
It's a terrible, user-hostile model.
I don't think developers should be entitled to payment in perpetuity for work they did once.

Requiring Sonoma seems... weird? It's still pretty much unstable for serious work, especially if you build with GTK, not with native frameworks. Both Burp and Caido are much more lax, working on HS/EC.

Cool project!
I have one question though: how do you intercept TLS? Let's say I would connect my phone to your proxy and try to search something on the web. Wouldn't the connection not be trusted?

Looks good!
Cross-platform native GUI and you are doing this all alone? Feels very ambitious.
Are you planning to go full time on this?
What kind of stack are you using?

Briefly reviewed your product. Seems like OWASP ZAP is your competition: https://www.zaproxy.org/
It runs entirely in the browser, so it uses the browser's "native" frameworks.