Download to read offline
Uploaded byVishal Vyas
mitmproxy.org
mitmproxy is an interactive console application for intercepting, inspecting, modifying, and replaying web traffic, especially useful in mobile application development. It can be configured as a proxy and requires the installation of a custom SSL certificate for HTTPS traffic decryption. Alternatives to mitmproxy include paid tools like Charles and Fiddler, with additional resources and contact information provided for further assistance.
mitmproxy.org
- 1. mitmproxy.org An interactive consoleprogram that allows traffic flows to be intercepted, inspected, modified and replayed. -Vishal Vyas
- 2. Me? Into mobile applicationdevelopment for 6 years Developed mobile advertising SDKs (Android and iOS)
- 3. Me? Working with aStartup from past 6 months Developed mobile advertising SDKs (Android and iOS) and I am NOT a HACKER :?
- 4. A basic mobileapplication Web Server Web Services Database Mobile Device Local Database (cached data) Application PLAIN TEXT, JSON, XML ...
- 5. Man in theMiddle Attack?
- 6. What is mitmproxy? WebServer Web Services Databas e Mobile Device Local Databa se Application My Laptop running MITMproxy
- 7. An SSL-capable man-in-the-middleproxy Generic pentest/debug tool Interactive, console based intercept & modify Extensible – invoke Python modules What is mitmproxy?
- 8. How to …? MITMproxy is not an attack tool! Configure it as a proxy Import the CA Root cert Run as interactive console app Or 'mitmdump' - Think tcpdump for HTTP
- 9. To get started Install pipinstall mitmproxy See the installation instructions for more
- 10. Start MITM proxy vishal@vishal:~$sudo mitmproxy -b 192.168.1.108 -p 8080 --no-upstream-cert -b ADDR, --bind-address ADDR Address to bind proxy to -p PORT, --port PORT Proxy service port --no-upstream-cert Don't connect to upstream server to look up certificate details
- 11.
- 12. Configure Proxy Proxy Settings Toautomate this step BUT! No support for Android Marshmallow
- 13. Download and Add Certificate CustomSSL certificate that allows mitmproxy to decrypt the HTTPS traffic.
- 14.
- 15.
- 16. 3G/4G connections? :( BUT! Youstill can use your nifty hotspot feature! What you need is: a device with a 3G/4G connection the development device your laptop
- 17. How we usedmitmproxy for QA testing? For mobile operator targeting Spoofing operator name(s) in the HTTP request to check if server response
- 18.
- 19. www.hashbinary.com HashBinary Software Development ServicesCompany Mobile Application Development Consulting
- 20. Thank You! Slides https://goo.gl/TJHQ4I References https://medium.com/@rotxed/how-to-debug-http-s-traffic-on-android-7fbe5d2a34#.ozotqeton https://www.owasp.org/images/7/73/SlayingDragons-ccbysa30nz.pdf https://github.com/mitmproxy/mitmproxy/tree/master/examples Have anyquestions? Email : vishalvyas.k@gmail.com Twitter : @veshalvyas