Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 77 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,88 @@
# pypproxy

MITM HTTP/HTTPS proxy for inspecting and modifying traffic.
MITM HTTP/HTTPS proxy for inspecting, modifying, and testing traffic from browsers and mobile apps.

[![CI](https://github.com/ykus4/pypproxy/actions/workflows/ci.yml/badge.svg)](https://github.com/ykus4/pypproxy/actions/workflows/ci.yml)
[![PyPI](https://img.shields.io/pypi/v/pypproxy)](https://pypi.org/project/pypproxy/)
[![Python](https://img.shields.io/pypi/pyversions/pypproxy)](https://pypi.org/project/pypproxy/)

```bash
pip install pypproxy
pypproxy # GUI mode → http://localhost:8081
pypproxy --mode cui # terminal UI
pypproxy # GUI mode → http://localhost:8081
pypproxy --mode cui # Terminal UI
```

See the **[docs](https://ykus4.github.io/pypproxy/)** for setup, CA installation, and feature guides.

## Features

| Category | Features |
|----------|---------|
| **Proxy** | HTTP/HTTPS MITM, WebSocket, gRPC, MQTT, HTTP/2 |
| **UI** | Sidebar navigation, dark/light mode, real-time traffic table |
| **Intercept** | Manual request review, edit headers/body, forward or drop |
| **Rules** | Block / modify / redirect by host, path, method, header, body (regex) |
| **Decode** | Auto-detect gzip/brotli, JSON, XML, JWT, Base64, multipart, Protobuf, MessagePack, CBOR |
| **Replay** | One-click replay, parallel fuzzing, Resender tab with full editor |
| **Bulk Sender** | Payload list mode + race condition test |
| **Diff** | Unified diff between any two captured entries |
| **A/B Test** | Send same request to two hosts, compare responses |
| **Macro** | Chain requests with `{{variable}}` substitution and response extraction |
| **GraphQL** | Auto-detect, introspection, schema tree, query editor |
| **OpenAPI** | Auto-generate OpenAPI 3.0 spec from captured traffic |
| **Code Gen** | Export as curl / Python requests / JavaScript fetch / HTTPie |
| **Analytics** | Per-host stats, P95/P99 latency, status distribution |
| **Security** | JWT checker, header checker, token randomness, int overflow, CORS, SSRF, redirect, IDOR |
| **Frida** | SSL pinning bypass scripts, script injection, device management |
| **Sessions** | Group entries into named sessions with persistence |
| **Report** | Export HTML or Markdown report with findings |
| **Import/Export** | HAR, paxy JSON, OpenAPI, rules |
| **Full-text search** | SQLite FTS5 across all captured traffic |
| **Scope** | Capture only in-scope hosts |
| **DNS spoofing** | Built-in DNS server with domain override |
| **Scripts** | Python `on_request` / `on_response` hooks |
| **Plugins** | Drop `.py` files into `~/.pypproxy/plugins/` |

## Quick start

```bash
# Install
pip install pypproxy

# Start (GUI mode)
pypproxy

# Install CA certificate (macOS)
sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain ~/.paxy/ca-cert.pem

# Set system proxy (macOS)
networksetup -setwebproxy Wi-Fi 127.0.0.1 8080
networksetup -setsecurewebproxy Wi-Fi 127.0.0.1 8080
```

Open **http://localhost:8081** — traffic appears in real time.

## Optional: Frida integration

```bash
pip install 'pypproxy[frida]'
```

Enables one-click SSL pinning bypass and script injection from the Frida tab.

## CLI flags

```
--mode gui (default) or cui
--port Proxy port (default 8080)
--ui-port Web UI port (default 8081)
--config Path to YAML config file
--script Path to Python script file
--ca-dir CA cert directory (default ~/.paxy)
--no-db Disable SQLite persistence
```

## License

MIT
2 changes: 1 addition & 1 deletion docs/configuration.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Configuration

paxy can be configured via CLI flags or a YAML file. CLI flags take precedence over the config file.
pypproxy can be configured via CLI flags or a YAML file. CLI flags take precedence over the config file.

## YAML config file

Expand Down
66 changes: 31 additions & 35 deletions docs/getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,24 @@
## Requirements

- Python 3.11+
- [uv](https://docs.astral.sh/uv/)
- [uv](https://docs.astral.sh/uv/) (recommended) or pip

## Installation

### From PyPI

```bash
pip install pypproxy
```

### With Frida support

```bash
pip install 'pypproxy[frida]'
```

### From source

```bash
git clone https://github.com/ykus4/pypproxy
cd pypproxy
Expand All @@ -18,38 +32,30 @@ uv sync
### GUI mode (default)

```bash
uv run python main.py
# or
make gui
pypproxy
```

Open `http://localhost:8081` in your browser to see the traffic viewer.
Open `http://localhost:8081` in your browser.

### CUI mode

```bash
uv run python main.py --mode cui
# or
make cui
pypproxy --mode cui
```

A real-time traffic table renders directly in the terminal.

## Startup output

```
paxy MITM proxy
pypproxy MITM proxy
proxy : 0.0.0.0:8080
UI : http://0.0.0.0:8081
CA : /Users/you/.paxy/ca-cert.pem
Install the CA cert in your browser/device to avoid TLS warnings.
DB : /Users/you/.paxy/pypproxy.db
```

On first run, `~/.paxy/ca-cert.pem` and `~/.paxy/ca-key.pem` are generated automatically.

## Installing the CA certificate

To intercept HTTPS traffic, install the generated CA certificate as a trusted root on every device you want to inspect.
## Install the CA certificate

### macOS (system-wide)

Expand All @@ -69,43 +75,33 @@ sudo security add-trusted-cert -d -r trustRoot \
1. Transfer `ca-cert.pem` to the device
2. **Settings** → **Security** → **Install from storage**

!!! note
Android 7+ apps targeting API 24+ do not trust user-installed CAs by default.
Add a `network_security_config.xml` to the target app, or use a rooted device.

### iOS

1. Send the certificate to the device via email or HTTP
2. Open the attachment — iOS prompts to install a profile
3. **Settings** → **General** → **VPN & Device Management** → install the profile
1. Send the certificate via email or AirDrop
2. Open it — iOS prompts to install a profile
3. **Settings** → **General** → **VPN & Device Management** → install
4. **Settings** → **General** → **About** → **Certificate Trust Settings** → enable full trust

## Configuring the proxy
## Configure the proxy

### macOS (system proxy)
### macOS

```bash
networksetup -setwebproxy Wi-Fi 127.0.0.1 8080
networksetup -setsecurewebproxy Wi-Fi 127.0.0.1 8080
```

To disable:

```bash
# To disable:
networksetup -setwebproxystate Wi-Fi off
networksetup -setsecurewebproxystate Wi-Fi off
```

### Android
### Android / iOS

**Settings** → **Wi-Fi** → long-press your network → **Modify** → **Advanced** → **Proxy: Manual**
**Settings** → **Wi-Fi** → your network → **Proxy: Manual**

- Host: your machine's IP (e.g. `192.168.1.10`)
- Port: `8080`

### iOS

**Settings** → **Wi-Fi** → tap the info icon → **Configure Proxy: Manual**
## Open the UI

- Server: your machine's IP
- Port: `8080`
Navigate to `http://localhost:8081`. Switch between **dark and light mode** using the ☀ button in the toolbar.
30 changes: 18 additions & 12 deletions docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ layout: home
hero:
name: pypproxy
text: MITM Proxy
tagline: Intercept, inspect, and modify HTTP/HTTPS traffic from browsers and mobile apps. Written in Python.
tagline: Intercept, inspect, modify, and test HTTP/HTTPS traffic from browsers and mobile apps. Written in Python.
actions:
- theme: brand
text: Get Started
Expand All @@ -16,20 +16,26 @@ hero:
features:
- icon: 🔐
title: HTTPS Interception
details: Dynamically generate per-host certificates signed by a local CA. Terminate TLS and read every request and response in plain text.
details: Dynamically generate per-host certificates. Decrypt and read every request and response including HTTPS.
- icon: 🖥️
title: GUI Mode
details: Browser-based UI built with NiceGUI. Traffic streams in real time. Filter, inspect, and replay without leaving the page.
- icon: ⌨️
title: CUI Mode
details: Terminal UI built with rich. Works over SSH and in CI environments with no browser required.
title: Modern UI
details: Sidebar navigation with dark/light mode toggle. Real-time traffic list, filter expressions, multi-format body decode.
- icon: ⚙️
title: Rule Engine
details: Block, modify, or redirect traffic by matching host, path, method, header, or body. Full regex support.
- icon: 📝
title: Python Scripting
details: Define on_request / on_response hooks in plain Python. No DSL to learn — the full standard library is available.
details: Block, modify, or redirect traffic by host, path, method, header, or body. Full regex support.
- icon: 🔄
title: Replay & Fuzzing
details: Resend any captured request with one click. Increase count to fire hundreds of parallel requests for load testing or fuzzing.
details: One-click replay. Resender with full editor. Bulk Sender for parallel payloads. Macro runner for chained requests.
- icon: 🔬
title: Security Testing
details: JWT checker, CORS/SSRF/redirect/IDOR checks, active scan (XSS/SQLi/CMDi), security header audit.
- icon: 📱
title: Frida Integration
details: SSL pinning bypass scripts for iOS and Android. One-click script injection with real-time console output.
- icon: 📊
title: Analytics & Reports
details: Per-host stats, P95/P99 latency. Export HTML/Markdown reports. OpenAPI spec auto-generation.
- icon: 🔌
title: Protocol Support
details: HTTP/2, WebSocket, gRPC, MQTT, GraphQL — all intercepted and decoded. Protobuf/MessagePack/CBOR support.
---
6 changes: 3 additions & 3 deletions docs/protocols.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## GraphQL

paxy automatically detects GraphQL requests and provides dedicated tooling.
pypproxy automatically detects GraphQL requests and provides dedicated tooling.

### Detection

Expand Down Expand Up @@ -41,7 +41,7 @@ Shows the operation type (query/mutation/subscription), operation name, and top-
| `DELETE /api/graphql/schema/{host}` | Remove cached schema |
| `POST /api/graphql/replay` | Re-send with modified query/variables |

### Modifier utilities (`paxy.graphql.modifier`)
### Modifier utilities (pypproxy.graphql.modifier)

```python
from pypproxy.graphql.modifier import set_variable, build_query, build_mutation
Expand Down Expand Up @@ -78,7 +78,7 @@ Enable `WSInterceptManager` to pause individual frames for manual review, simila
## gRPC

gRPC uses HTTP/2 over TLS with a 5-byte length-prefix framing.
paxy detects it via the `Content-Type: application/grpc` header.
pypproxy detects it via the `Content-Type: application/grpc` header.

The body view selector in the detail panel offers **Protobuf** mode for wire-type heuristic decoding (no schema needed).

Expand Down
Loading