mitmproxy API Security Testing
Overview
mitmproxy is an interactive, TLS-capable intercepting HTTP proxy for penetration testers and developers. It enables real-time inspection, modification, and replay of HTTP/HTTPS traffic including APIs, mobile apps, and thick clients. With support for HTTP/1, HTTP/2, HTTP/3, and WebSockets, mitmproxy provides comprehensive coverage for modern API security testing.
Interfaces
mitmproxy - Interactive console interface with keyboard navigation mitmweb - Web-based GUI for visual traffic inspection mitmdump - Command-line tool for automated traffic capture and scripting
Quick Start
Install and run mitmproxy:
# Install via pip pip install mitmproxy # Start interactive console proxy mitmproxy # Start web interface (default: http://127.0.0.1:8081) mitmweb # Start command-line proxy with output mitmdump -w traffic.flow
Configure client to use proxy (default: localhost:8080)
Core Workflows
Workflow 1: Interactive API Traffic Inspection
For manual API security testing and analysis:
- •Start mitmproxy or mitmweb:
bash
# Console interface mitmproxy --mode regular --listen-host 0.0.0.0 --listen-port 8080 # Or web interface mitmweb --mode regular --listen-host 0.0.0.0 --listen-port 8080
- •Configure target application to use proxy (HTTP: localhost:8080)
- •Install mitmproxy CA certificate on client device
- •Trigger API requests from the application
- •Intercept and inspect requests/responses in mitmproxy
- •Modify requests to test:
- •Authentication bypass attempts
- •Authorization flaws (IDOR, privilege escalation)
- •Input validation (SQLi, XSS, command injection)
- •Business logic vulnerabilities
- •Save flows for documentation and reporting
Workflow 2: Mobile App API Security Testing
Progress: [ ] 1. Install mitmproxy CA certificate on mobile device [ ] 2. Configure device WiFi to use mitmproxy as proxy [ ] 3. Start mitmweb for visual traffic inspection [ ] 4. Launch mobile app and exercise all features [ ] 5. Review API endpoints, authentication mechanisms, data flows [ ] 6. Test for common API vulnerabilities (OWASP API Top 10) [ ] 7. Export traffic as HAR for further analysis [ ] 8. Document findings with request/response examples
Work through each step systematically. Check off completed items.
Workflow 3: Automated API Traffic Recording
For capturing and analyzing API traffic at scale:
- •Start mitmdump with flow capture:
bash
mitmdump -w api-traffic.flow --mode regular
- •Run automated tests or manual app interaction
- •Stop mitmdump (Ctrl+C) to save flows
- •Replay captured traffic:
bash
# Replay to server mitmdump -nc -r api-traffic.flow # Replay with modifications via script mitmdump -s replay-script.py -r api-traffic.flow
- •Export to HAR format for analysis:
bash
# Using Python API python3 -c "from mitmproxy.io import FlowReader; from mitmproxy.tools.dump import DumpMaster; import sys; [print(flow.request.url) for flow in FlowReader(open('api-traffic.flow', 'rb')).stream()]"
Workflow 4: Python Scripting for API Testing
For automated security testing with custom logic:
- •Create Python addon script (
api-test.py):pythonfrom mitmproxy import http class APISecurityTester: def request(self, flow: http.HTTPFlow) -> None: # Modify requests on-the-fly if "api.example.com" in flow.request.pretty_url: # Test for authorization bypass flow.request.headers["X-User-ID"] = "1" def response(self, flow: http.HTTPFlow) -> None: # Analyze responses if flow.response.status_code == 200: if "admin" in flow.response.text: print(f"[!] Potential privilege escalation: {flow.request.url}") addons = [APISecurityTester()] - •Run mitmproxy with script:
bash
mitmproxy -s api-test.py # Or for automation mitmdump -s api-test.py -w results.flow
- •Review automated findings and captured traffic
- •Export results for reporting
Workflow 5: SSL/TLS Certificate Pinning Bypass
For testing mobile apps with certificate pinning:
- •Install mitmproxy CA certificate on device
- •Use certificate unpinning tools or framework modifications:
- •Android: Frida script for SSL unpinning
- •iOS: SSL Kill Switch or similar tools
- •Configure app traffic through mitmproxy
- •Alternatively, use reverse proxy mode:
bash
mitmproxy --mode reverse:https://api.example.com --listen-host 0.0.0.0 --listen-port 443
- •Modify /etc/hosts to redirect API domain to mitmproxy
- •Intercept and analyze traffic normally
Operating Modes
mitmproxy supports multiple deployment modes:
Regular Proxy Mode (default):
mitmproxy --mode regular --listen-port 8080
Client configures proxy settings explicitly.
Transparent Proxy Mode (invisible to client):
mitmproxy --mode transparent --listen-port 8080
Requires iptables/pf rules to redirect traffic.
Reverse Proxy Mode (sits in front of server):
mitmproxy --mode reverse:https://api.example.com --listen-port 443
mitmproxy acts as the server endpoint.
Upstream Proxy Mode (chain proxies):
mitmproxy --mode upstream:http://corporate-proxy:8080
Routes traffic through another proxy.
Certificate Installation
Install mitmproxy CA certificate for HTTPS interception:
Browser/Desktop:
- •Start mitmproxy and configure proxy settings
- •Visit http://mitm.it
- •Download certificate for your platform
- •Install in system/browser certificate store
Android:
- •Push certificate to device:
adb push ~/.mitmproxy/mitmproxy-ca-cert.cer /sdcard/ - •Settings → Security → Install from SD card
- •Select mitmproxy certificate
iOS:
- •Email certificate or host on web server
- •Install profile on device
- •Settings → General → About → Certificate Trust Settings
- •Enable trust for mitmproxy certificate
Common Patterns
Pattern 1: API Authentication Testing
Test authentication mechanisms and token handling:
# auth-test.py
from mitmproxy import http
class AuthTester:
def __init__(self):
self.tokens = []
def request(self, flow: http.HTTPFlow):
# Capture auth tokens
if "authorization" in flow.request.headers:
token = flow.request.headers["authorization"]
if token not in self.tokens:
self.tokens.append(token)
print(f"[+] Captured token: {token[:20]}...")
# Test for missing authentication
if "api.example.com" in flow.request.url:
flow.request.headers.pop("authorization", None)
print(f"[*] Testing unauthenticated: {flow.request.path}")
addons = [AuthTester()]
Pattern 2: API Parameter Fuzzing
Fuzz API parameters for injection vulnerabilities:
# fuzz-params.py
from mitmproxy import http
class ParamFuzzer:
def request(self, flow: http.HTTPFlow):
if flow.request.method == "POST" and "api.example.com" in flow.request.url:
# Clone and modify request
original_body = flow.request.text
payloads = ["' OR '1'='1", "<script>alert(1)</script>", "../../../etc/passwd"]
for payload in payloads:
# Modify parameters and test
# (Implementation depends on content-type)
print(f"[*] Testing payload: {payload}")
addons = [ParamFuzzer()]
Pattern 3: GraphQL API Testing
Inspect and test GraphQL APIs:
# graphql-test.py
from mitmproxy import http
import json
class GraphQLTester:
def request(self, flow: http.HTTPFlow):
if "/graphql" in flow.request.path:
try:
data = json.loads(flow.request.text)
query = data.get("query", "")
print(f"[+] GraphQL Query:\n{query}")
# Test for introspection
if "__schema" not in query:
introspection = {"query": "{__schema{types{name}}}"}
print(f"[*] Testing introspection")
except:
pass
addons = [GraphQLTester()]
Pattern 4: HAR Export for Analysis
Export traffic as HTTP Archive for analysis:
# Export flows to HAR format
mitmdump -s export-har.py -r captured-traffic.flow
# export-har.py
from mitmproxy import http, ctx
import json
class HARExporter:
def done(self):
har_entries = []
# Build HAR structure
# (Simplified - use mitmproxy's built-in HAR addon)
ctx.log.info(f"Exported {len(har_entries)} entries")
addons = [HARExporter()]
Or use built-in addon:
mitmdump --set hardump=./traffic.har
Security Considerations
- •Sensitive Data Handling: Captured traffic may contain credentials, tokens, PII. Encrypt and secure stored flows. Never commit flow files to version control
- •Access Control: Restrict access to mitmproxy instance. Use authentication for mitmweb (--web-user/--web-password flags)
- •Audit Logging: Log all intercepted traffic and modifications for security auditing and compliance
- •Compliance: Ensure proper authorization before intercepting production traffic. Comply with GDPR, PCI-DSS for sensitive data
- •Safe Defaults: Use isolated testing environments. Avoid intercepting production traffic without explicit authorization
Integration Points
Penetration Testing Workflow
- •Reconnaissance: Identify API endpoints via mitmproxy
- •Authentication testing: Capture and analyze auth tokens
- •Authorization testing: Modify user IDs, roles, permissions
- •Input validation: Inject payloads to test for vulnerabilities
- •Business logic: Test workflows for logical flaws
- •Export findings as HAR for reporting
CI/CD Integration
Run automated API security tests:
# Run mitmdump with test script in CI mitmdump -s api-security-tests.py --anticache -w test-results.flow & PROXY_PID=$! # Run API tests through proxy export HTTP_PROXY=http://localhost:8080 export HTTPS_PROXY=http://localhost:8080 pytest tests/api_tests.py # Stop proxy and analyze results kill $PROXY_PID python3 analyze-results.py test-results.flow
Mobile App Security Testing
Standard workflow for iOS/Android apps:
- •Configure device to use mitmproxy
- •Install CA certificate
- •Bypass SSL pinning if needed
- •Exercise app functionality
- •Analyze API security (OWASP Mobile Top 10)
- •Document API vulnerabilities
Advanced Features
Traffic Filtering
Filter displayed traffic by expression:
# Show only API calls mitmproxy --view-filter '~d api.example.com' # Show only POST requests mitmproxy --view-filter '~m POST' # Show responses with specific status mitmproxy --view-filter '~c 401' # Combine filters mitmproxy --view-filter '~d api.example.com & ~m POST'
Request/Response Modification
Modify traffic using built-in mappers:
# Replace request headers mitmproxy --modify-headers '/~u example/Authorization/Bearer fake-token' # Replace response body mitmproxy --modify-body '/~s & ~b "error"/success'
WebSocket Interception
Intercept and modify WebSocket traffic:
# websocket-test.py
from mitmproxy import websocket
class WebSocketTester:
def websocket_message(self, flow):
message = flow.messages[-1]
print(f"[+] WebSocket: {message.content[:100]}")
# Modify messages
if message.from_client:
message.content = message.content.replace(b"user", b"admin")
addons = [WebSocketTester()]
Troubleshooting
Issue: SSL Certificate Errors
Solution: Ensure mitmproxy CA certificate is properly installed and trusted:
# Verify certificate location ls ~/.mitmproxy/ # Regenerate certificates if needed rm -rf ~/.mitmproxy/ mitmproxy # Regenerates on startup
Issue: Mobile App Not Sending Traffic Through Proxy
Solution:
- •Verify WiFi proxy configuration
- •Check firewall rules aren't blocking proxy port
- •Ensure mitmproxy is listening on correct interface (0.0.0.0)
- •Test with browser first to verify proxy works
Issue: Certificate Pinning Blocking Interception
Solution: Use SSL unpinning tools:
# Android with Frida frida -U -l universal-android-ssl-pinning-bypass.js -f com.example.app # Or modify app to disable pinning (development builds)
Issue: Cannot Intercept HTTP/2 or HTTP/3
Solution: mitmproxy supports HTTP/2 by default. For HTTP/3:
# Enable HTTP/3 support (experimental) mitmproxy --set http3=true
OWASP API Security Top 10 Testing
Use mitmproxy to test for OWASP API Security Top 10 vulnerabilities:
- •API1: Broken Object Level Authorization - Modify object IDs in requests
- •API2: Broken Authentication - Test token validation, session management
- •API3: Broken Object Property Level Authorization - Test for mass assignment
- •API4: Unrestricted Resource Consumption - Test rate limiting, pagination
- •API5: Broken Function Level Authorization - Modify roles, escalate privileges
- •API6: Unrestricted Access to Sensitive Business Flows - Test business logic
- •API7: Server Side Request Forgery - Inject URLs in parameters
- •API8: Security Misconfiguration - Check headers, CORS, error messages
- •API9: Improper Inventory Management - Enumerate undocumented endpoints
- •API10: Unsafe Consumption of APIs - Test third-party API integrations