科技回声
© 2025 科技回声. All rights reserved.

MitmProxy2Swagger: Automagically reverse-engineer REST APIs

590 points by AbuAssar 4 months ago

13 comments

Gamemaster1379 4 months ago
This is a nice tool. A game I liked to play announced end of service back in 2023. They gave enough notice to let me capture some logs from their coordinator service.

I captured them in mitmproxy and ran those through this to help me identify all the endpoints and their general structure. (A few things were a misnomer, like the examples suggesting certain values were able to be floats when they could only be integers.)

I was able to get a team together and we were able to stand up private servers as a result.
Comment #42572887 not loaded
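The float-versus-integer mix-up described above (and the nullability question raised further down the thread) comes down to inferring types from too few samples. The following added example is not mitmproxy2swagger's code and not any commenter's; it merges several captured JSON bodies into one OpenAPI-style schema so that an integer field only widens to `number` when a float is actually observed, and a field is marked `nullable` only when a null was seen. The endpoint and the sample bodies are constructed.

```python
"""Infer an OpenAPI-style schema from several captured JSON samples.

Added example, not mitmproxy2swagger's own code. The point: one capture
cannot tell integer from number, or required from nullable; merging
several captures can.
"""
import json


def infer_schema(samples: list) -> dict:
    """Merge observed JSON values into one schema.

    - ints stay "integer" until a float is observed, then widen to "number"
    - a None among the samples marks the schema "nullable"
    - object properties are unioned; "required" lists keys seen in every sample
    - array element schemas are merged across all observed elements
    - differing scalar kinds fall back to a oneOf
    """
    non_null = [s for s in samples if s is not None]
    nullable = len(non_null) != len(samples)
    if not non_null:
        return {"nullable": True}

    # type(True) is bool, not int, so booleans never fall into the numeric branch
    kinds = {type(s) for s in non_null}
    if kinds == {bool}:
        schema = {"type": "boolean"}
    elif kinds <= {int, float}:
        schema = {"type": "number" if float in kinds else "integer"}
    elif kinds == {str}:
        schema = {"type": "string"}
    elif kinds == {list}:
        elements = [e for s in non_null for e in s]
        schema = {"type": "array", "items": infer_schema(elements) if elements else {}}
    elif kinds == {dict}:
        keys = set().union(*(s.keys() for s in non_null))
        props = {k: infer_schema([s[k] for s in non_null if k in s]) for k in sorted(keys)}
        required = sorted(k for k in keys if all(k in s for s in non_null))
        schema = {"type": "object", "properties": props}
        if required:
            schema["required"] = required
    else:
        schema = {"oneOf": [infer_schema([s for s in non_null if type(s) is t])
                            for t in sorted(kinds, key=lambda t: t.__name__)]}
    if nullable:
        schema["nullable"] = True
    return schema


# Constructed: two captured responses from the same (hypothetical) endpoint.
SAMPLES = [
    {"id": 7, "score": 10, "ratio": 0.5, "host": "alice", "ping": None},
    {"id": 8, "score": 12, "ratio": 1, "host": "bob", "ping": 42, "extra": True},
]


if __name__ == "__main__":
    print(json.dumps(infer_schema(SAMPLES), indent=2))
    # From the second sample alone, "ratio" looks like an integer and "ping" non-nullable.
    print(json.dumps(infer_schema([SAMPLES[1]]), indent=2))
```

Run on a single capture, `ratio` comes out as `integer` and `ping` as non-nullable; merged over both captures it reports `number` and `nullable: true`, and `extra` drops out of `required` because it was absent from one sample. That is the same class of error the comment describes, just in the opposite direction.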

swyx 4 months ago
Did I miss something, or why are there TWO (2) "magically reverse engineer REST APIs" projects on the HN front page right now? Is there some offline beef going on?

(Screenshot in case this goes away: https://x.com/swyx/status/1874762725383188502)
Comment #42573393 not loaded
Comment #42573730 not loaded
Comment #42589197 not loaded
Comment #42575800 not loaded

colesantiago 4 months ago
Again, this is the very easy part of the reverse engineering API process that most tools can do, similar to API Parrot and the rest of them. This is not hard to do.

The hard part is that inevitably, all these internal APIs will just add aggressive CAPTCHAs, Device Check, fingerprinting, etc. to prevent common drive-by RE'ing. Easy to add these on the defence side, and extremely difficult to bypass on the other side.

I can imagine all developer teams now upping their security with the combination of the above mentioned to prevent this.
Comment #42573190 not loaded
Comment #42573672 not loaded
Comment #42575140 not loaded
Comment #42574317 not loaded

zebomon 4 months ago
I looked through this earlier today when I saw it mentioned in that thread about the closed source tool for the same purpose.

Having done a good bit of this type of reverse engineering the hard way over the years, it's a very exciting find. I had been talking with my partner about building something similar for the past six months. How exciting to learn that it's already out there and open source too!

tecleandor 4 months ago
I've used this tool in the past with success. Not perfect, but it accelerates the work greatly if you can launch a mitm proxy quickly and are familiar with the tool.

I've been fighting lately with an API, though. It's not very, let's say, RESTy. It has only one endpoint, and the different "sections" of the API are defined in parameters, so MitmProxy2Swagger doesn't detect them properly :(
Comment #42574244 not loaded
Comment #42573965 not loaded

notcrazylol 4 months ago
I was wondering how it would take in GraphQL endpoints and convert them to Swagger, since it's just a single POST API with a change in params. But that's more of a Swagger issue than the tool's. Has anyone dealt with this? Would be really helpful if you could share your ideas too :)
Comment #42573253 not loaded
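tecleandor's single-endpoint API and notcrazylol's GraphQL case are the same problem: the operation is carried in a query parameter or in the request body rather than in the URL path, so grouping flows by path alone collapses everything into one entry. The following added example is not the tool's code and not from either commenter. It buckets captured flows by a discriminator instead; the `action` query parameter and the GraphQL `operationName` / `query` fields are assumed conventions that would have to be adapted to the API at hand, and the flows are constructed.

```python
"""Bucket captured requests for a single-endpoint API into virtual operations.

Added example, not mitmproxy2swagger's code. Flows are assumed to be reduced
to (method, url, body) tuples; the discriminators, an "action" query
parameter and the GraphQL "operationName"/"query" fields, are assumed
conventions and must be adapted to the API at hand.
"""
import json
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def graphql_operation(query: str) -> Optional[str]:
    """Return the name from 'query Foo {...}' / 'mutation Bar(...) {...}'.

    Anonymous documents such as '{ viewer { id } }' return None.
    """
    tokens = query.replace("{", " { ").replace("(", " ( ").split()
    if len(tokens) >= 2 and tokens[0] in ("query", "mutation", "subscription"):
        return tokens[1] if tokens[1] not in ("{", "(") else None
    return None


def discriminator(url: str, body: Optional[str]) -> Optional[str]:
    """Pick the value that separates 'sections' of an API sharing one path."""
    query = parse_qs(urlsplit(url).query)
    if "action" in query:
        return query["action"][0]
    if body:
        try:
            payload = json.loads(body)
        except ValueError:
            return None
        if isinstance(payload, dict):
            if payload.get("operationName"):
                return payload["operationName"]
            if isinstance(payload.get("query"), str):
                return graphql_operation(payload["query"])
    return None


def bucket_flows(flows) -> dict:
    """Map (path, discriminator) -> sorted list of HTTP methods observed."""
    buckets = defaultdict(set)
    for method, url, body in flows:
        key = (urlsplit(url).path, discriminator(url, body))
        buckets[key].add(method.upper())
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed flows: one "action"-style endpoint and one GraphQL endpoint.
FLOWS = [
    ("GET", "https://example.test/api?action=profile&id=1", None),
    ("POST", "https://example.test/api?action=login", '{"user": "a"}'),
    ("POST", "https://example.test/graphql",
     '{"operationName": "GetUser", "query": "query GetUser { user { id } }"}'),
    ("POST", "https://example.test/graphql",
     '{"query": "mutation AddItem($x: Int) { add(x: $x) }"}'),
    ("POST", "https://example.test/graphql", '{"query": "{ viewer { id } }"}'),
]


if __name__ == "__main__":
    for (path, key), methods in sorted(bucket_flows(FLOWS).items(), key=str):
        print(f"{path:<10} {key or '<anonymous>':<12} {', '.join(methods)}")
```

Each (path, discriminator) pair can then be fed to per-operation schema inference as if it were its own path; anonymous GraphQL documents still land in one shared bucket, which is the honest answer when the capture carries no operation name.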

mkagenius 4 months ago
If only someone could automate[1] the clicking and navigating part by writing in plaintext something like "Open airbnb and explore all the features as much as possible" :)

1. https://github.com/BandarLabs/clickclickclick - It does that and I am one of the authors.

youngNed 4 months ago
Perhaps a n00b question, but would this work, or is there something similar for apps, specifically Android apps?
Comment #42573747 not loaded
Comment #42573495 not loaded
Comment #42573468 not loaded
Comment #42575364 not loaded

zython 4 months ago
This is so cool. Thanks for sharing!

srameshc 4 months ago
Obvious question: how to protect against this?
Comment #42573895 not loaded
Comment #42573894 not loaded
Comment #42573838 not loaded
Comment #42583955 not loaded
Comment #42574005 not loaded
Comment #42573880 not loaded

construct0 4 months ago
Yeah - does this get nullabilities right?

tinchox5 4 months ago
Coool!

andrewstuart 4 months ago
This is something that would be easy to do an ordinary job of, missing lots of edge cases and not making something thorough and complete.

A really professional and thorough job would be extremely time consuming and hard.
Comment #42573434 not loaded