Use mitmproxy to force your app's API into your development environment

What is mitmproxy

mitmproxy is an HTTP proxy server for peeping and tampering with HTTP requests in the manner of Man in the Middle Attack. By installing the certificate generated by mitmproxy on the terminal, HTTPS communication can be handled in the same way.

For details on installing mitmproxy, etc., refer to the following articles.

What I want to do this time

Requests can be tampered with by mitmproxy by writing a Python script. This time, we will explain the procedure assuming the following cases.

It may be possible to solve the problem by automating the build and distribution for the development environment from the function branch. However, there may be times when such an environment is not ready. Also, even if there is such an environment, if you want to check while switching between multiple environments many times, it may be easier to tamper with the request rather than restarting multiple apps. ..

procedure

Install mitmproxy

Please refer to the above How to intercept or tamper with SSL communication of the actual iOS device by proxy.

Preparing a Python program for request tampering

What I want to do this time is "I want to change the request destination of the Web API made on the application to the development environment". In this case, you need to do two things:

  1. Tamper the host name of the TCP / IP request target
  2. Tamper with Host in the HTTP request header

The following Python program does this. Change the host name, etc. as necessary.

replace_host.py


def request(context, flow):
    #Original host name(Production environment)
    original = "example.com"
    #Host name after replacement(Development environment)
    replace  = "dev.example.com"

    if original in flow.request.host:
        if original in flow.request.headers["Host"]:
            #Request destination host name
            flow.request.host = replace
            #Host in HTTP request header
            flow.request.headers["Host"] = [replace]

The request header can be tampered with in the same way other than Host. It is important to note that flow.request.headers uses the header name as a key and the value contains an array of * strings *. In the HTTP header, multiple values can be set with the same key. (Set-Cookie etc.)

Start mitmproxy

Start while loading the prepared Python script.

$ mitmproxy -p 8080 -s replace_host.py

All you have to do now is debug your app with this proxy.

Bonus: Tamper with requests only in certain paths

In the previous program, tampering was performed on the condition that "only requests to a specific host". Furthermore, if you add the condition "in a specific path", it will be as follows.

replace_host.py


def request(context, flow):
    #Original host name(Production environment)
    original = "example.com"
    #Host name after replacement(Development environment)
    replace  = "dev.example.com"
    #Path to tamper with
    target_path = '/api/foo'

    if original in flow.request.host:
        if original in flow.request.headers["Host"]:
            #Only in a specific path
            if flow.request.path == target_path:
                #Request destination host name
                flow.request.host = replace
                #Host in HTTP request header
                flow.request.headers["Host"] = [replace]

This can be achieved by checking the value of flow.request.path. Here, the exact match by == is checked, but various applications such as targeting everything under a specific directory with a regular expression will be possible.

I thought it would be convenient if the official documentation of mitmproxy had a collection of recipes around here.

Recommended Posts

Use mitmproxy to force your app's API into your development environment
How to use Docker to containerize your application and how to use Docker Compose to run your application in a development environment
How to get into the python development environment with Vagrant
How to use jupyter notebook without polluting your environment with Docker
Prepare your first Python development environment
How to use OpenPose's Python API
How to use bing search api
[Python] How to use Typetalk API
Don't use your username and password to register with PyPI. Use API tokens
Add your own content view to mitmproxy
Download CloudWatch Logs logs to your local environment
How to use Pylint for PyQt5 apps
How to use tensorflow under docker environment
How to use GCP's Cloud Vision API
Flutter in Docker-How to build and use a Flutter development environment inside a Docker container