I used mitmproxy a few days ago, trying to compare my implementation of some API client. It feels lightweight, but getting started can be confusing. I used the command line, and I had difficulty finding the shortcuts.
Their homepage shows "brew install mitmproxy" front and center. Ok good. Installed. What's next? A 5-minute tutorial, e.g. how to spy on the Tinder API, can go a long way.
Thanks! This is something we're subconsciously aware of, but it's helpful to hear it as explicit feedback. :)
The first steps towards that were indeed OS-specific install instructions on our new website. We currently have a user survey (there's no telemetry in mitmproxy) to see what we should focus on for a 5-minute tutorial.
Edit: This causes the IP address to show up in the mitmproxy UI. I use mitm for iOS development, and having my IP visible is handy when setting up the phone to use a proxy.
I think MITM had the limitation that you could proxy only traffic from a different machine. Was/is it the case, or did I just get something wrong? Because if that's true, Charles has an advantage there.
I haven't used mitm 3 yet, but had a fantastic experience with mitmproxy about a year and a half ago, incorporating mitmdump into a CLI tool for testing android apps. Discovered 'lnav' on that same project too, and came away feeling empowered and grateful for those 2 phenomenal tools.
Using mitmproxy as a reverse proxy from local development to our development servers. A few lines of code and we have authentication headers attached w/o having to manage them between projects.
Shameless plug: We are building a desktop proxy based on our streaming proxy module for node (node-proxify if you have time to check it out). Funny timing. We are doing a beta release next week (https://secapps.com/appbandit). You might hate the fact that this is yet another electron app, but we are adding a ton of useful features which I am sure most people will find very useful in many different tasks. A CLI version is also on its way.
This is super cool. I've used mitmproxy 2.0 in my project (http://world-of-bits.com) to create an offline approximation of the website. We were trying to create a digital environment for AI agents to learn to interact with the web. The proxy captures a good amount of HTTP traffic.
Is there an easy way to set latency for chosen responses? I guess it's possible using mitmdump with a custom Python script, but maybe there is such a feature built in?
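Added example, not part of the original thread and not mitmproxy's own code: a sketch of the custom-script approach the question mentions, written as an addon that delays responses whose host and path match a rule. It assumes a recent mitmproxy release that supports `async` event hooks; the rule table, the `api.example.test` hostname and the class name are constructed for illustration.

```python
import asyncio
import re

# Constructed rules: (host regex, path regex, delay in seconds).
# The first matching rule wins.
RULES = [
    (r"^api\.example\.test$", r"^/v1/search", 2.0),
    (r".*", r"\.(png|jpg)$", 0.5),
]


class DelayResponses:
    """Hold back selected responses to simulate a slow upstream."""

    def __init__(self, rules=RULES):
        self.rules = [
            (re.compile(host), re.compile(path), float(delay))
            for host, path, delay in rules
        ]

    def delay_for(self, host, path):
        """Return the delay of the first matching rule, or 0.0 if none match."""
        path = path.split("?", 1)[0]  # match on the path only, not the query string
        for host_re, path_re, delay in self.rules:
            if host_re.search(host) and path_re.search(path):
                return delay
        return 0.0

    async def response(self, flow):
        # mitmproxy calls this hook once the server response has been read.
        # Awaiting here delays only this flow; other flows keep moving.
        delay = self.delay_for(flow.request.pretty_host, flow.request.path)
        if delay:
            await asyncio.sleep(delay)


# mitmproxy picks up addon instances from this module-level list.
addons = [DelayResponses()]
```

Saved as `delay.py` (file name is an assumption), it is loaded with `mitmdump -s delay.py`.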
You can also jump the right if statement during runtime, but yeah, you are still modifying the program's execution rather than something on the outside. That's the whole point of TLS: both parties know their connection is secure. So I'd say "no, there is no other way, other than by finding a vulnerability in TLS".
If the app uses the system TLS libraries for comparing certificates, you could just make the appropriate API always return "true". In-memory patching avoids affecting anything else.
Last time I did this, I had to reverse the binaries and remove the cert pinning code. There are a few examples of this around the place, but it can get fairly complex pretty quickly.
There are some Frida scripts running around for this purpose. However, I don't have any personal experience with them, so I have no idea how reliably they work.
Is there any way to use this on .NET applications? I tried putting this in between a business logic and web tier, but I couldn't get it to work. The things were compressed, but I couldn't figure out how to enable decompression.
Decompression is usually done automatically; we also try to render some binary application-layer protocols (e.g. protobufs). If you feel that wasn't the case, please lodge an issue on GitHub. :)