Embedding Web Apps in MITMProxy Scripts

Presented at BSidesLV 2015, Aug. 5, 2015, 3:30 p.m. (25 minutes).

MITMProxy is a popular open source Python-based HTTP(S) interception proxy. The developers have recently added a web-based front-end to supplement the existing ncurses console GUI. This talk will focus on work that I have done to bring a plugin architecture to the web front-end, allowing existing and new MITMProxy scripts to be configured and triggered through the browser. Two types of plugins have been added: view-only transformations, and "action" transformations with options affecting the data traveling across the wire. This gives MITMProxy users more capabilities in terms of manipulating and visualizing intercepted HTTP(S) traffic, using application or domain-specific plugins. I will show how this plugin architecture can be used in practice via an example of cheating at a popular mobile word puzzle game. There will also be a brief discussion of other interesting plugins and next steps.

Presenters:

  • Chris Czub
    Chris Czub is a Security Researcher at Duo Security, an Ann Arbor, Michigan-based start-up focused on two-factor authentication and account security. With a career spanning a decade, he has worked in various roles from software engineer to tech lead at start-ups and IT companies in SE Michigan. He has seen security in practice at small and medium-sized organizations and worked on various aspects of security, such as secure coding, application security auditing, endpoint security, network monitoring, malware analysis, security advisory oversight and threat intelligence. Chris earned his bachelor's degree in Computer Science from Oakland University. He has been a nearly lifelong resident of SE Michigan and a participant in both local and worldwide security and IT communities.

Links: