An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

Overview

mitmproxy

Continuous Integration Status Coverage Status Latest Version Supported Python versions

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets.

mitmdump is the command-line version of mitmproxy. Think tcpdump for HTTP.

mitmweb is a web-based interface for mitmproxy.

Installation

The installation instructions are here. If you want to install from source, see CONTRIBUTING.md.

Documentation & Help

General information, tutorials, and precompiled binaries can be found on the mitmproxy website.

mitmproxy.org

The documentation for mitmproxy is available on our website:

mitmproxy documentation stable mitmproxy documentation master

If you have questions on how to use mitmproxy, please ask them on StackOverflow!

StackOverflow: mitmproxy

Contributing

As an open source project, mitmproxy welcomes contributions of all forms.

Dev Guide

Also, please feel free to join our developer Slack!

Slack Developer Chat

Comments
  • poor interactive performance / hanging requests

    poor interactive performance / hanging requests

    i use mitmproxy for interactive browsing a lot. that is, i run an mitmdump instance continuously, and use it from multiple browsers on multiple computers.

    recently this started to be a rather frustrating experience. i suspect it's related to the new proxy core, or it could be related to debian upgrading to python 3.9? sadly it turned out non-trivial to roll this back.

    initially after mitmproxy startup, everything works smoothly, but then suddenly stalls, many requests hang for a very long time until mitmproxy returns a response. sometimes this starts almost immediately, sometimes after hours, it possibly recovers by itself, but usually i give up waiting and restart mitmproxy. (most times the requests seem to do finish, but only after many minutes.) this is probably most easily reproduced with resource-heavy sites, like facebook.com, openstreetmap.org, ...

    in netstat, i don't see mitmproxy having many connections to the destination servers open, so i suspect it's an internal limitation. ( i typically check with $ netstat -ntp | grep EST.*python | grep -v :8080 | awk '{print $5}' | sort | uniq -c | sort -n)

    my initial suspicion was that there is a limit on the number of concurrent connections, and that that pool is used up by connections that are in some invalid state and/or waiting for a timeout.

    i already found a per-connection.address] limit at https://github.com/mitmproxy/mitmproxy/blob/dc6c5f55cd25236e9469c24b85c8cafd29573281/mitmproxy/proxy/server.py#L84 and increased it significantly, but that did not lead to consistent improvements. (i also added a warning on if self.max_conns[command.connection.address].locked():, but it doesn't seem to trigger.)

    can you suggest what else i could do to diagnose this? is there another connection limit besides max_conns in proxy? is there existing code/facilities to introspect/dump the currently open incoming connections and their state? an option to log connection-level tracing info?

    System Information

    Paste the output of "mitmproxy --version" here.

    (venv) [email protected][~/mitmproxy]$ mitmproxy --version
    Mitmproxy: 7.0.0.dev (+332, commit aebc40c)
    Python:    3.9.1+
    OpenSSL:   OpenSSL 1.1.1i  8 Dec 2020
    Platform:  Linux-5.8.0-1-amd64-x86_64-with-glibc2.31
    
    kind/triage 
    opened by r00t- 64
  • Move to Python 3

    Move to Python 3

    Creating this as a catch-all ticket to elicit some discussion of Python3 support, which has become something of an FAQ.

    We're going to have to make the jump to Python3 at some point. All our dependencies (last time I checked) were Python 3-ready, so in theory we could make the leap. If we do it, we would do Python 3-only - I don't think there's a benefit to trying to maintain Python 2/3 Frankenstein that gives us the worst of both worlds.

    This leaves us with two issues. First, there's a legacy concern - quite a few people use libmproxy to build things, and I know that I personally would probably have a few weeks of work ahead of me just in converting existing related projects over.

    The second thing has to do with Python 3 and its treatment of Unicode/strings. Mitmproxy is "special", in the sense that it deals with loosely typed, untrusted and possibly intentionally corrupted data flows. It's a boundary layer between a weird world where string encodings can't be assumed, and the higher levels like the UI and so forth, where Python 3 forces us to have unicode. In this sense, it's similar to other programs that deal with on-the-wire data, like web frameworks (though our problem is even worse). Have a look at Armin Ronacher's experience with Python 3 Unicode and Flask/Jinja2/etc.:

    http://lucumr.pocoo.org/2014/1/5/unicode-in-2-and-3/

    http://lucumr.pocoo.org/2014/5/12/everything-about-unicode/

    I know that this has frustrated some people working on similar programs enough that they've moved away from Python altogether....

    Where does this leave us? Well, clearly we clearly can't stay on Python2 in the longer term. The Python3 situation is pretty dire, but has very gradually been getting very slightly better. 3.4 included some improvements, and I think 3.5 will have a few more. The key issues are intrinsic to the language design, though, and will never go away.

    opened by cortesi 53
  • add transparent server mode based on WireGuard

    add transparent server mode based on WireGuard

    This is a draft for a transparent mode implementation based on WireGuard. I'm filing this "early" even though some things aren't finished yet, but I'm looking for feedback on whether things are generally looking "OK" or if some things should be done differently.

    New mode spec for a WireGuard mode:

    • simple and extensible key-value based settings syntax (in case more settings need to be specified in the future)
    • currently supported settings: listen_port to override the default WireGuard port (51820), name to override the default filename prefix for generated WireGuard configuration files (mitmproxy_wireguard), and peers to override the default number of peers (1) for which a configuration will be generated
    • unit tests to verify that the new mode spec is parsed correctly

    New WireGuard server mode implementation:

    • new implementation of WireGuardConnectionHandler (based on ProxyConnectionHandler but using mitmproxy_wireguard.TcpStream instead of `asyncio.StreamReader/StreamWriter)
    • new implementation of WireGuardInstance: based on TcpServerInstance / TransparentInstance for TCP, and UdpServerInstance for UDP (not hooked up yet, better support for UDP connections needs to be implemented in mitmproxy_wireguard first)
    • small adaptations for accepted types of reader / writer in ConnectionIO (might need to be refactored to be generic, and / or require further adaptations once mitmproxy_wireguard.UdpStream is ready for handling UDP packets)
    • not done yet: unit tests (maybe something similar to the test_transparent test in tests/mitmproxy/proxy/test_mode_servers.py?)

    What's not working yet:

    • TcpStream.get_extra_info("original_addr") is not implemented yet, but exposing the original destination in this manner should be relatively straightforward in mitmproxy_wireguard.
    • Running mitmdump --mode wireguard:[spec] correctly generates WireGuard configuration files with the given settings, but then crashes with invalid IP address syntax and I cannot find where this error message is coming from (grepping mitmproxy source code doesn't yield any hits for this string and relevant substrings of it).
    opened by decathorpe 44
  • Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_certificate_file', 'PEM lib')]

    Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_certificate_file', 'PEM lib')]

    just did git clone mitmproxy, but error is still here


    Error in processing of request from 46.72.191.27:52247 Traceback (most recent call last): File "/opt/python2.7/lib/python2.7/site-packages/netlib/tcp.py", line 353, in request_thread self.handle_connection(request, client_address) File "/opt/python2.7/lib/python2.7/site-packages/libmproxy/proxy.py", line 536, in handle_connection h.handle() File "/opt/python2.7/lib/python2.7/site-packages/libmproxy/proxy.py", line 191, in handle while self.handle_request(cc) and not cc.close: File "/opt/python2.7/lib/python2.7/site-packages/libmproxy/proxy.py", line 206, in handle_request request = self.read_request(cc) File "/opt/python2.7/lib/python2.7/site-packages/libmproxy/proxy.py", line 455, in read_request return self.read_request_proxy(client_conn) File "/opt/python2.7/lib/python2.7/site-packages/libmproxy/proxy.py", line 395, in read_request_proxy self.convert_to_ssl(dummycert, self.config.certfile or self.config.cacert, handle_sni=sni) File "/opt/python2.7/lib/python2.7/site-packages/netlib/tcp.py", line 290, in convert_to_ssl ctx.use_certificate_file(cert) Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_certificate_file', 'PEM lib')]


    runing libmproxy application on centos 5

    getting errors

    There's been a recent contributed patch that could be relevant to this. Could you please try a current git checkout, and see if you still see these problems?

    Also, please do report this kind of thing on the Github bug tracker. It makes it much easier to keep track of things.

    Regards,

    Aldo

    opened by dsultanr 41
  • When I input “mitproxy”in commands, it is show 'module' object has no attribute 'TLSv1_2_METHOD'

    When I input “mitproxy”in commands, it is show 'module' object has no attribute 'TLSv1_2_METHOD'

    ➜  ~  mitmproxy
    Traceback (most recent call last):
      File "/usr/local/bin/mitmproxy", line 9, in <module>
        load_entry_point('mitmproxy==0.13.1', 'console_scripts', 'mitmproxy')()
      File "/Library/Python/2.7/site-packages/distribute-0.6.28-py2.7.egg/pkg_resources.py", line 337, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/Library/Python/2.7/site-packages/distribute-0.6.28-py2.7.egg/pkg_resources.py", line 2311, in load_entry_point
        return ep.load()
      File "/Library/Python/2.7/site-packages/distribute-0.6.28-py2.7.egg/pkg_resources.py", line 2017, in load
        entry = __import__(self.module_name, globals(),globals(), ['__name__'])
      File "/Library/Python/2.7/site-packages/libmproxy/main.py", line 7, in <module>
        from . import version, cmdline
      File "/Library/Python/2.7/site-packages/libmproxy/cmdline.py", line 6, in <module>
        from . import filt, utils, version
      File "/Library/Python/2.7/site-packages/libmproxy/filt.py", line 38, in <module>
        from .protocol.http import decoded
      File "/Library/Python/2.7/site-packages/libmproxy/protocol/__init__.py", line 1, in <module>
        from .primitives import *
      File "/Library/Python/2.7/site-packages/libmproxy/protocol/primitives.py", line 4, in <module>
        import netlib.tcp
      File "/Library/Python/2.7/site-packages/netlib/tcp.py", line 26, in <module>
        'TLSv1.2': SSL.TLSv1_2_METHOD,
    AttributeError: 'module' object has no attribute 'TLSv1_2_METHOD'
    
    opened by cryingDream94 37
  • Memory Leaks in Native Code

    Memory Leaks in Native Code

    Steps to reproduce the problem:
    1. Download and extract Linux binaries from https://github.com/mitmproxy/mitmproxy/releases/download/v4.0.1/mitmproxy-4.0.1-linux.tar.gz
    2. sudo ./mitmweb --web-iface 192.168.86.88 --web-port 8081 --showhost --listen-host 192.168.86.88 --listen-port 8080
    3. Generate load from an external device or from a local browser. I use MITMProxy to capture video traffic, which tears through memory rather quickly against an HLS stream like http://bitdash-a.akamaihd.net/content/sintel/hls/playlist.m3u8. You can install https://addons.mozilla.org/en-US/firefox/addon/native_hls_playback/ in Firefox to get the playback to happen natively.
    4. Watch the stream tear through your RAM with .ts fragments (this is expected - video is heavy).
    5. Clear the screen with MITMProxy --> New
    6. Watch the RAM usage - it won't go down, and will continue to rise when new fragments come in.
    Any other comments? What have you tried so far?
    • Occurs in Docker and running natively tested on both x86 and ARMv7
    • Reproduced in Ubuntu 18.04 LTS and Alpine 3.7 Linux.

    I'm wondering if there's a part of the Python API for MITMProxy that MITMWeb needs to add to the "New" instruction in the React code.

    System information

    Mitmproxy: 4.0.1 binary Python: 3.6.3 OpenSSL: OpenSSL 1.1.0h 27 Mar 2018 Platform: Linux-4.15.0-22-generic-x86_64-with-debian-buster-sid

    kind/bug 
    opened by ironsalsa 36
  • Use mitmproxy behind reverse proxy

    Use mitmproxy behind reverse proxy

    Problem Description

    I currently have mitmproxy running on port 2010. However, I want to also be able to access under a host name, like mitmproxy.test

    Proposal

    Access mitmproxy from https://$DOMAIN.$TLD

    Alternatives

    A clear and concise description of any alternative solutions or features you've considered.

    Additional context

    Add any other context or screenshots about the proposal here.

    kind/feature 
    opened by DUOLabs333 34
  • mitmdump memory usage is always constantly growing

    mitmdump memory usage is always constantly growing

    (orignally mentioned in #4451 , but i don't think it's related to the issue discussed there and should get a separate ticket)

    Problem Description

    i use mitmdump for interactive browsing a lot. that is, i run an mitmdump instance continuously, and use it from multiple browsers on multiple computers.

    i find that mitmdump's memory usage constantly grows, it appears as if it allocates memory for any request/response data it processes and then never frees it. note that i would expect this behaviour from mitmproxy running interactively, as it displays all the data in the UI, but mitmdump should have no reason to keep flows in memory after writing them out.

    here's a typical mitmdump memory usage graph out of my monitoring stack: mitmdump_rss

    mitmdump memory usage appears as a sawtooth pattern, rising until it's terminated. the growth rate is currently typically around 500mb/hour, it was less in the past, when it got through a whole day with under 2gb, and is higher than the rate of data actually dumped (under 1gb/day). in this graph mitmdump is manually terminated a few times, because of debugging #4451, and by a daily restart at midnight. (i also run a script that terminates it if it exceeds 3gb, to avoid it taking down my system.)

    some very rare phases of non-growth (as seen in the graph above) are very unlikely related to zero traffic - thanks to websites constantly loading stuff in the background nowadays, and many browsers and tabs, it's unlikely that traffic is ever zero.

    i see some extremely rare occurences (at most once a week) of larger amounts of memory being allocated and freed again, in the expected pattern of allocating it to handle a request, and freeing it again after the request is finished.

    Steps to reproduce the behavior:

    1. run mitmdump for a longer period and use it, possibly with multiple browsers with a large number of tabs open
    2. observe memory usage

    System Information

    i think it has been the case ever since i started using mitmproxy, the above graph is of current git master. (running with --set proxy_debug -vvv, but it doesn't make a difference to the behaviour.)

    kind/triage 
    opened by r00t- 33
  • Command language

    Command language

    The aim of this ticket is to come up with an on-paper design for an extension to the mitmproxy command language, before @kajojify moves to implementation. This is a GSoC project, but anyone should feel free to contribute to the discussion.

    Context

    The most significant change to mitmproxy in the last few years has been the shift to a modular core. Under this system, functionality is implemented in completely self-contained addons. Users interact with addons (and by extension with mitmproxy itself) ONLY through commands and options. Commands have globally unique names, a set of typed arguments, and a single typed return value. The command language we're discussing here is strictly the textual language users use to invoke and combine these typed addon commands.

    At the moment, the command language is used in two places:

    • The interactive command prompt of the console app.
    • Console key bindings, where all user interaction occurs through commands bound to keys.

    In coming releases, the command language will be even more prominent:

    • There will be a new key binding configuration file for customizing key bindings. #2963
    • All tools will support commands passed on the command-line, to be run at startup and shutdown. See discussion in #2963.
    • We're considering a new primitive called Actions. These are compound commands, like key bindings, but not bound to keys. See discussion in #2718.
    • Mitmweb will need to expose commands in some form to users. We'll have to discuss how to do this without re-implementing parsing on the client side.

    Aims

    What we're trying to achieve here is a language that works at two extrema:

    • On the interactive prompt and the command-line, it has to be terse and minimal. Any extra keystroke here has to be very clearly motivated. The current expression for short commands is literally as simple as possible, and probably can't be improved.
    • For commands can be composed of multiple subcommands - we have examples of up to 4 combined commands in key bindings - the language has to be readable, clear and minimise error.

    We should also keep in mind that it is explicitly not an aim to replace Python. Complicated commands are best expressed as full addons written in Python. This means that I want to be cautious about flow control in the command language - it might never be needed at all. There is a separate discussion to be had about making cross-addon invocation of commands better from within Python.

    Current language

    Commands support a small number of predefined argument and return value types. For each type, we define a parser, which converts a textual representation given by the user to the underlying type, a tab completer for interactive use, and a validator that checks whether an arbitrary Python value is a valid value. We know the arity of all functions up-front (with the exception of varargs as the last argument to a command). That lets us have a complete parser with no grouping operators.

    Syntactically, the language is very simple. It consists of a list of possibly quoted strings that can either be command names or arguments (as interpreted through the appropriate type parser).

    The text representation of a type value can be expanded in complex ways. For instance, mitmproxy's core primitive is the flow, and the current language supports sophisticated ways to select flows from the current session on the command-line. Another example is the cuts mechanism, which will be much more prominent in future releases. This expressiveness is a critical feature that I would like to maintain.

    Let's structure discussion around a set of examples that cover common use-cases. Below, I give a set of definitions in terms of the current language, along with a motivation and explanation. Please accompany concrete language suggestions with a similar table expressing the same examples, and any new ones you think are relevant.

    | Command | Description | | --- | --- | | view.remove @marked | Interactive. Remove all marked flows. | | replay.client "~h google.com" | Interactive. Replay all flows for host google.com. | | cut.save @all server_conn.address.host ~/hosts.csv | Complex interactive. Select the server host from all flows, and save to file. | | console.choose.cmd Format export.formats console.command export.file {choice} @focus | Complex key binding. This composes 4 commands - console.choose.cmd takes a prompt, a command to invoke to retrieve a set of options, and a command to invoke once the user has selected an option with a selected argument. A good example of something that is hard to parse in the current language, and which may in fact be hard in any variant. Anything much more complicated than this should be expressed in Python. |

    Implementation

    Implementations should maintain current usability features like tab expansion and syntax highlighting for partial commands. This means that parsers must be incremental. It also means that a parser needs to be reversible - we should be able to parse a command string, annotate it with syntax highlighting, and then recompose it on the command line for the user to continue editing. Please see the current implementation for how all of this works.

    We should aim to elaborate the language that's currently there step-by-step, rather than attempting a wholesale re-implementation. Please try to make proposals incremental, and tease separable ideas out into separate proposals.

    gsoc 
    opened by cortesi 33
  • twitter.com goes in timeout if HTTP2 is enabled

    twitter.com goes in timeout if HTTP2 is enabled

    Steps to reproduce the problem:
    1. Intercepting twitter.com with Firefox and Chrome -> timeout after ClientConnect Page never appears, with no error in logs

    Seen on SlackFor @cortesi, for him was working on Firefox but not Chrome

    Any other comments? What have you tried so far?

    Disabling HTTP2 works directly with --no-http2

    System information

    Mitmproxy version: 0.18.2 Python version: 3.5.2 Platform: Darwin-16.1.0-x86_64-i386-64bit SSL version: OpenSSL 1.0.2j 26 Sep 2016 Mac version: 10.12.1 ('', '', '') x86_64

    upstream area/protocols 
    opened by tomlabaude 30
  • tutorial addon to improve onboarding new users

    tutorial addon to improve onboarding new users

    Description

    Added a draft of the tutorial addon. To test the current state: start mitmproxy and open http://tutorial.mitm.it

    refs #3142

    Tasks

    • [x] Tutorial layout
    • [x] Sample voting app
    • [x] Tutorials: View flows / UI intro
    • [x] Tutorials: Interception / Modify
    • [x] Tutorials: Replay
    • [ ] Tutorials should be valid for mitmproxy and mitmweb
    • [ ] Add tests

    PR Checklist

    • [ ] I have updated tests where applicable.
    • [ ] I have added an entry to the CHANGELOG.
    gsoc 
    opened by mplattner 29
  • Ignored sites doesn't work as expected

    Ignored sites doesn't work as expected

    Problem Description

    I have 2 ios clients that connect through the proxy. I already installed the certs and everything works fine for the sites allowed. The issue is that on one of the two ios client (same configuration) facebook and tik tok app doesn't download data. I'm expect to works fine because is out of https inspection. If i try to check on logs, nothing there because is not in allowed host.

    mitmdump --allow-hosts google.

    Steps to reproduce the behavior:

    1. mitmdump --allow-hosts google.
    2. start ios facebook app or tik tok.
    3. The app doesn't work as expected

    System Information

    Paste the output of "mitmproxy --version" here.

    Mitmproxy: 6.0.2 Python: 3.10.7 OpenSSL: OpenSSL 3.0.5 5 Jul 2022 Platform: Linux-5.19.0-26-generic-x86_64-with-glibc2.36

    kind/triage 
    opened by mironalessandro 0
  • Undo/redo support for flow editing

    Undo/redo support for flow editing

    Problem Description

    When I'm pentesting an application with mitmproxy, I often perform a series of edits to a captured request. After each edit, I send the request and observe the result.

    Sometimes I reach a dead end and want to go back to a previous state in order to try out a different approach. But I've already made destructive modifications to the request, such as deleting headers.

    It would be nice if there was support for undoing my edits, so that I could easily roll back some of them.

    Proposal

    Keep a history of all edits done to a particular flow. Implement undo/redo actions, so that edits can easily be rolled back. Example bindings: u/<C-r> for undo/redo, respectively, similar to vim.

    Alternatives

    A partial workaround for the missing functionality is to duplicate the flow before you start editing.

    However, this is cumbersome to do when you're doing complex tests for a single endpoint for a number of reasons.

    First, you always have to ensure you leave at least one pristine copy to be able to roll back to the starting state.

    Second, a single mistake can ruin a given copy, so that you have to start all over again.

    Finally, sometimes a request has to be heavily edited to bring it into a base state for testing something. If you then want to make several smaller modifications on top of this heavily edited base state, it's much easier to just be able to edit, send, u, edit, send, u, ... rather than having to prepare the request all over again from scratch.

    kind/feature 
    opened by dkasak 2
  • Added dark mode to the Web UI

    Added dark mode to the Web UI

    Description

    Added Dark mode for the web interface with minimum changes.

    • Added toggle to Options tab
    • Added darkreader package

    Related issue https://github.com/mitmproxy/mitmproxy/issues/3886

    Checklist

    • [x] I have updated tests where applicable.
    • [x] I have added an entry to the CHANGELOG.
    opened by devapro 1
  • An 'AttributeError' error is raised when attempting to inject a WebSocket payload

    An 'AttributeError' error is raised when attempting to inject a WebSocket payload

    Problem Description

    The following error is raised when trying to inject a payload to the client for a WebSocket flow:

    warn: [15:49:35.042] Cannot inject WebSocket messages into non-WebSocket flows.
    error: [15:49:35.043] Traceback (most recent call last):
    
      File "asyncio/events.py", line 80, in _run
      File "urwid/raw_display.py", line 416, in <lambda>
      File "urwid/raw_display.py", line 515, in parse_input
      File "urwid/main_loop.py", line 412, in _update
      File "urwid/main_loop.py", line 513, in process_input
      File "mitmproxy/tools/console/window.py", line 304, in keypress
      File "urwid/container.py", line 1123, in keypress
      File "mitmproxy/tools/console/statusbar.py", line 203, in keypress
      File "mitmproxy/tools/console/statusbar.py", line 145, in keypress
      File "mitmproxy/tools/console/statusbar.py", line 174, in prompt_execute
      File "mitmproxy/tools/console/statusbar.py", line 110, in execute_command
      File "mitmproxy/tools/console/commandexecutor.py", line 18, in __call__
      File "mitmproxy/command.py", line 285, in execute
      File "mitmproxy/command.py", line 273, in call_strings
      File "mitmproxy/command.py", line 144, in call
      File "mitmproxy/command.py", line 315, in wrapper
      File "mitmproxy/addons/proxyserver.py", line 293, in inject_websocket
      File "mitmproxy/addons/proxyserver.py", line 273, in inject_event
    
    AttributeError: 'str' object has no attribute 'client_conn'
    

    Steps to reproduce the behavior:

    1. Try executing the following command, whilst focused on a flow: inject.websocket @focus true 'something' true

    System Information

    Mitmproxy: 9.0.1 binary
    Python:    3.11.0
    OpenSSL:   OpenSSL 3.0.7 1 Nov 2022
    Platform:  Linux-5.15.0-56-generic-x86_64-with-glibc2.35
    
    kind/bug area/console 
    opened by MaDKaTZe 2
  • Using mitmproxy with username/password and

    Using mitmproxy with username/password and "any auth" timeouts.

    Problem Description

    Using mitmproxy with username/password and "any auth" fails with a timeout.

    Steps to reproduce the behavior:

    1. Start mitmproxy (i.e docker container and setup authentication (i.e with "username:password")
    # docker run -it -p 8080:8080 -p 8081:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0
    

    Now set "username:password" in the mitmweb gui for proxy authentication

    1. Using curl with curl -v -x http://proxy:8080 --proxy-anyauth https://upstream -U username:password
    # curl -v -x http://127.0.0.1:8080 --proxy-anyauth https://www.google.de -U username:password
    *   Trying 127.0.0.1:8080...
    * Connected to localhost (127.0.0.1) port 8080 (#0)
    * allocate connect buffer
    * Establish HTTP proxy tunnel to www.google.de:443
    > CONNECT www.google.de:443 HTTP/1.1
    > Host: www.google.de:443
    > User-Agent: curl/7.83.1
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 407 Proxy Authentication Required
    < Proxy-Authenticate: Basic realm="mitmproxy"
    < content-length: 129
    <
    * Ignore 129 bytes of response-body
    * Establish HTTP proxy tunnel to www.google.de:443
    * Proxy auth using Basic with user 'username'
    > CONNECT www.google.de:443 HTTP/1.1
    > Host: www.google.de:443
    > Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    > User-Agent: curl/7.83.1
    > Proxy-Connection: Keep-Alive
    >
    * Operation timed out after 1005 milliseconds with 0 bytes received
    * CONNECT phase completed
    * Closing connection 0
    

    it seems that mitmproxy does ignore the 2nd CONNECT after its 407 response

    output of the mitmproxy log:

    [07:19:32.889][172.17.0.1:50652] client connect
    [07:19:33.886][172.17.0.1:50652] client disconnect
    

    When using a squid proxy (i.e with TheBoroer/docker-squid-basic-auth)

    docker run -e SQUID_USERNAME=username -e SQUID_PASSWORD=password -p 8080:3128 boro/squid-basic-auth
    

    I get

    # curl -v -k -x http://localhost:8080 --proxy-anyauth https://www.google.de -U username:password
    *   Trying 127.0.0.1:8080...
    * Connected to localhost (127.0.0.1) port 8080 (#0)
    * allocate connect buffer
    * Establish HTTP proxy tunnel to www.google.de:443
    > CONNECT www.google.de:443 HTTP/1.1
    > Host: www.google.de:443
    > User-Agent: curl/7.83.1
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 407 Proxy Authentication Required
    < Server: squid/3.5.12
    < Mime-Version: 1.0
    < Date: Wed, 30 Nov 2022 07:49:47 GMT
    < Content-Type: text/html;charset=utf-8
    < Content-Length: 3540
    < X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
    < Vary: Accept-Language
    < Content-Language: en
    < Proxy-Authenticate: Basic realm="Access restricted"
    < X-Cache: MISS from 9b6cf0b978a5
    < X-Cache-Lookup: NONE from 9b6cf0b978a5:3128
    < Via: 1.1 9b6cf0b978a5 (squid/3.5.12)
    < Connection: keep-alive
    <
    * Ignore 3540 bytes of response-body
    * Establish HTTP proxy tunnel to www.google.de:443
    * Proxy auth using Basic with user 'username'
    > CONNECT www.google.de:443 HTTP/1.1
    > Host: www.google.de:443
    > Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    > User-Agent: curl/7.83.1
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection established
    <
    * Proxy replied 200 to CONNECT request
    * CONNECT phase completed
    * schannel: disabled automatic use of client certificate
    * ALPN: offers http/1.1
    * ALPN: server accepted http/1.1
    > GET / HTTP/1.1
    > Host: www.google.de
    > User-Agent: curl/7.83.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    ... (google web page output stripped)
    

    System Information

    Mitmproxy: 9.0.1 Python: 3.11.0 OpenSSL: OpenSSL 3.0.7 1 Nov 2022 Platform: Linux-5.10.102.1-microsoft-standard-WSL2-x86_64-with-glibc2.31

    kind/bug area/protocols 
    opened by Flow86 1
Releases(9.0.1)
Travel through time in your tests.

time-machine Travel through time in your tests. A quick example: import datetime as dt

Adam Johnson 373 Dec 27, 2022
A twitter bot that simply replies with a beautiful screenshot of the tweet, powered by poet.so

Poet this! Replies with a beautiful screenshot of the tweet, powered by poet.so Installation git clone https://github.com/dhravya/poet-this.git cd po

Dhravya Shah 30 Dec 04, 2022
Automated Security Testing For REST API's

Astra REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers

Flipkart Incubator 2.1k Dec 31, 2022
GitHub action for AppSweep Mobile Application Security Testing

GitHub action for AppSweep can be used to continuously integrate app scanning using AppSweep into your Android app build process

Guardsquare 14 Oct 06, 2022
Python Webscraping using Selenium

Web Scraping with Python and Selenium The code shows how to do web scraping using Python and Selenium. We use as data the https://sbot.org.br/localize

Luís Miguel Massih Pereira 1 Dec 01, 2021
Hypothesis is a powerful, flexible, and easy to use library for property-based testing.

Hypothesis Hypothesis is a family of testing libraries which let you write tests parametrized by a source of examples. A Hypothesis implementation the

Hypothesis 6.4k Jan 05, 2023
WIP SAT benchmarking tooling, written with only my personal use in mind.

SAT Benchmarking Some early work in progress tooling for running benchmarks and keeping track of the results when working on SAT solvers and related t

Jannis Harder 1 Dec 26, 2021
Load and performance benchmark tool

Yandex Tank Yandextank has been moved to Python 3. Latest stable release for Python 2 here. Yandex.Tank is an extensible open source load testing tool

Yandex 2.2k Jan 03, 2023
This is a pytest plugin, that enables you to test your code that relies on a running MongoDB database

This is a pytest plugin, that enables you to test your code that relies on a running MongoDB database. It allows you to specify fixtures for MongoDB process and client.

Clearcode 19 Oct 21, 2022
Sixpack is a language-agnostic a/b-testing framework

Sixpack Sixpack is a framework to enable A/B testing across multiple programming languages. It does this by exposing a simple API for client libraries

1.7k Dec 24, 2022
Testing Calculations in Python, using OOP (Object-Oriented Programming)

Testing Calculations in Python, using OOP (Object-Oriented Programming) Create environment with venv python3 -m venv venv Activate environment . venv

William Koller 1 Nov 11, 2021
Test utility for validating OpenAPI documentation

DRF OpenAPI Tester This is a test utility to validate DRF Test Responses against OpenAPI 2 and 3 schema. It has built-in support for: OpenAPI 2/3 yaml

snok 103 Dec 21, 2022
d4rk Ghost is all in one hacking framework For red team Pentesting

d4rk ghost is all in one Hacking framework For red team Pentesting it contains all modules , information_gathering exploitation + vulnerability scanning + ddos attacks with 12 methods + proxy scraper

d4rk sh4d0w 15 Dec 15, 2022
Photostudio是一款能进行自动化检测网页存活并实时给网页拍照的工具,通过调用Fofa/Zoomeye/360qua/shodan等 Api快速准确查询资产并进行网页截图,从而实施进一步的信息筛查。

Photostudio-红队快速爬取网页快照工具 一、简介: 正如其名:这是一款能进行自动化检测,实时给网页拍照的工具 信息收集要求所收集到的信息要真实可靠。 当然,这个原则是信息收集工作的最基本的要求。为达到这样的要求,信息收集者就必须对收集到的信息反复核实,不断检验,力求把误差减少到最低限度。我

s7ck Team 41 Dec 11, 2022
Pymox - open source mock object framework for Python

Pymox is an open source mock object framework for Python. First Steps Installation Tutorial Documentation http://pymox.readthedocs.io/en/latest/index.

Ivan Rocha 7 Feb 02, 2022
The (Python-based) mining software required for the Game Boy mining project.

ntgbtminer - Game Boy edition This is a version of ntgbtminer that works with the Game Boy bitcoin miner. ntgbtminer ntgbtminer is a no thrills getblo

Ghidra Ninja 31 Nov 04, 2022
Just a small test with lists in cython

Test for lists in cython Algorithm create a list of 10^4 lists each with 10^4 floats values (namely: 0.1) - 2 nested for iterate each list and compute

Federico Simonetta 32 Jul 23, 2022
A friendly wrapper for modern SQLAlchemy and Alembic

A friendly wrapper for modern SQLAlchemy (v1.4 or later) and Alembic. Documentation: https://jpsca.github.io/sqla-wrapper/ Includes: A SQLAlchemy wrap

Juan-Pablo Scaletti 129 Nov 28, 2022
Spam the buzzer and upgrade automatically - Selenium

CookieClicker Usage: Let's check your chrome navigator version : Consequently, you have to : download the right chromedriver in the follow link : http

Iliam Amara 1 Nov 22, 2021
Pytest plugin for testing the idempotency of a function.

pytest-idempotent Pytest plugin for testing the idempotency of a function. Usage pip install pytest-idempotent Documentation Suppose we had the follo

Tyler Yep 3 Dec 14, 2022