Don't forget mitmdump. It is a great way to log sessions and chain to other proxies at the same time.

Also, mitmdump is one of the best and fastest ways to get ahold of web requests with Python to modify it on the fly.

http://docs.mitmproxy.org/en/stable/mitmdump.html

I have been using mitmproxy over Burp for day to day web app hacking these days. But we still use Burp scanner for lots of chores. I almost always chain through both to then go back in and use Burp features missing in mitmproxy (exploring site contents, etc.). But those are edge cases mostly needed for professional use and not for tinkering.

I don't understand how this can be faster or more friendly than using Burp.

Would you mind sharing an example flow?

I just like working in terminal. Some things I can do faster in mitmproxy (filtering with lots of constraints, shooting response or request data to a pipe). It has a mutt like interface so if mutt seems fast and intuitive then mitmproxy will feel similar. I have spent a lot of years thrashing around in the Burp GUI and mostly I don't need all the features all the time :)

Things that are a few clicks in Burp are a few terse keystrokes or key presses in mitmproxy. IDK, give it a shot and see if it makes sense . Most of our team just sticks with Burp FWIW.

It's not just a console, it also has a web based interface: http://docs.mitmproxy.org/en/stable/mitmweb.html

I'd say, it's not just a web based interface, it also is a console.

This tool recently helped me troubleshoot a bug I was facing and unable to solve due to the lack of Safari's development tools. Here's a link for anyone interested: http://eapen.in/mitmproxy-for-troubleshooting/

one of the best tools for reverse engineering mobile apps. I'm just having problems when certificate pinning is enabled. Does anyone have an idea (or even a solution) how to deal with that?

Even without certificate pinning, starting with Android 7, you must decompile the app to allow user provided certificates. Or use an xposed module if you have a rooted device.

See this mitmproxy bug: https://github.com/mitmproxy/mitmproxy/issues/2054

And this tool is nice to automate decompiling, adding the line in the manifest to be able to use user-installed certificates, and recompiling: https://github.com/levyitay/AddSecurityExceptionAndroid

Also, if the app uses Google signin, you have to be rooted, because play services uses the package manager to check the app signer before giving the app a token.

Just wait until they go full 'treacherous computing' and turn on remote attestation using TPMs.

Remote attestations already exist with SafetyNet, but don't use TPMs (IIRC). TPMs are interesting because they allow local attestations; and it's happening already, for some use cases: https://android-developers.googleblog.com/2017/09/keystore-k...

wow... thanks for the link. I need to keep a closer eye on the platform, apparently.

Same here, mitmproxy was always the goto tool, but many apps now use certificate pinning, which stops it cold.

I was recently wishing for a "Jailbroken Mobile Testing Tool", similar to Sauce Labs or BrowserStack but with jailbroken mobiles -- i.e. a cloud-based service allowing you to remotely control a mobile phone through a web interface. Would that be interesting to have?

This service would allow you to load an app from the App Store / Google Play, and then interact with it while logging all network connections (in tcpdump/wireshark/HAR/etc. format). The controlled mobiles would be jailbroken and have tools like SSL kill switch (as mentioned by @bitexploder in another comment) installed by default.

(Going further: the same tool would allow you to download the phone's storage as a zip archive for further analysis)

It's been a while, but when I have been reversing android apps with certificate pinning in the past, I had the most luck with decompiling the apk with apktool, removing the certificate pinning in the samli bytecode, then recompiling and signing the apk again.

For iOS, I know there are jailbreak cydia tweaks that try to disable certificate pinning, but I have no experience with this.

For iOS, you can try to install SSL Killswitch on a jailbroken iPhone (https://github.com/nabla-c0d3/ssl-kill-switch2)

A custom Xposed module should work for Android, and Cydia Substrate could work for iOS.

I'd also love to know if there's a solution for this problem!

There is. It depends on the mobile OS and device.

We deal with this routinely. Solutions tend to vary.

On iOS just use SSL kill switch (if you are jailbroken). If you are not jailbroken you don't have a lot of options. On Android there are some well documented approaches. Usually decompiling the app and adding to the local app's cert store will work and then rearchive and sign it.

Function hooking key network calls can work as well. It is pretty much required that if you want to do serious tinkering or assessment you need a jailbroken or rooted device. This can be a significant effort investment, but once done is generally reliable.

what kind of problems?

Certificate Pinning (in apps) stops mitmproxy from proxying traffic to the servers you're mostly interested in proxying... see:

http://docs.mitmproxy.org/en/stable/certinstall.html#certifi...

Just what I was looking for.

All I wanted to do was change a request header for one host.

After ~15 minutes I now have a transparent MITM https proxy - and I didn't even have to google the openssl command.

Edit: Also, the documentation is excellent as the software.

This tool has really helped me on several occasions with a wide variety of issues up and down the stack. Even with debugging web apps because while the chrome Dev tools are awesome they (at least at the time as far as I know) didn't expose the initial headers/network exchange for certain types of auth like NTLM.

Mitmproxy is nice, but I think dev tools have become alot better, I discovered that because my standard work horse Chrome+Wireshark is very fincky with SSL:

    SSLKEYLOGFILE=$HOME/ssl_crt_dbg google-chrome --user-data-dir=TEMPUSER

Then you configure wireshark SSL decoding with with pre master key file as "ssl_crt_dbg", it fails too often for me.

Now days I use remote-debugging and Python a lot:

  $ google-chrome --remote-debugging-port=9222

  import PyChromeDevTools
  chrome = PyChromeDevTools.ChromeInterface(host="localhost", port=9222)
  chrome.Network.enable()
  while True:
     print chrome.wait_message(timeout=0.1)

But the simplicity of a Mitmproxy is almost as great as wireshark.

Can you explain more what you're doing with the python code?

Oh my gosh... don't get me started on NTLM. Chrome Network Tools doesn't expose it at all, so the proxy was a lifesaver in our case.

We've shifted to using https://github.com/joeferner/node-http-mitm-proxy as a part of WrapAPI Proxy (https://wrapapi.com/proxy), which is a zero-install proxy in the style of mitmproxy and Charles.

The node proxy is really great in that it's fully extensible, allows you to generate certificates, and filter/save the kinds of traffic you get to simple JSON structures. We've found it to be a huge boon in development, but it's clearly inspired by mitmproxy (which predates node), so credit where it's due.

https://docs.mitmproxy.org/en/latest/mitmproxy.html Nice TLS work

Although I don't contribute to it anymore, I worked on a similar project that seems to have some continued activity:

https://github.com/lightbody/browsermob-proxy

It's Java-based and forked out from some old MITM code from Selenium. It has a bunch of APIs for manipulating traffic, tweaking DNS resolution, rewriting content, etc. Just passing along in case anyone is looking for alternatives.

Beware that it listens on all interfaces by default:

https://github.com/mitmproxy/mitmproxy/issues/1293

I learned this the hard way. If you run a proxy on an unfirewalled machine with public IPv4, it's going to be abused really fast. :-(

Mitmproxy works pretty well for HTTPS - but it doesn't seem to generate HTTPS certs as well as Fiddler does

Mitmproxy dev here - please feel free to file a bug on GitHub if you have a reproducible example where we fail. :)

Many previous discussions:

https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&pr...

I was just looking for something like this. Googling led me to Charles proxy, which seems a pretty capable tool, and I'm growing fond of it though the Java UI is jarringly ugly.

Does anyone have any experience with charles vs mitmproxy?

I love mitmproxy, super easy to use (and to install an interception certificate) and the scripting support makes it very useful for pentesting iOS app traffic etc where I can't easily modify the client

how do disable certificate pinning on iOS?

Haven't had to as the apps I targeted weren't using it. Can't think of an obvious way without rooting the device though...

That is because there isn't a good solution. You can get away with repackaging an IPA and hand modifying the binary depending on how they are performing the pinning, but it is always going to be time consuming to do it this way. If you are serious about tinkering you pretty much need a jailbroken device, which is getting harder to maintain by the year.

I've been using mitmproxy to inspect HTTPS traffic. Are there any Chrome/Wireshark configurations to allow me to inspect HTTPS with Wirshark?

Mitmproxy is amazing! And you can get it easily in macOS with brew. Highly recommended

I love Mitmproxy and how easy it is to use! One of my favorite pentesting tools!

mitmproxy is great for iOS and Android pen testing. A must have tool.