Skip to content

Top New Best Ask Show Jobs

Show HN: A proxy service for debugging HTTP/S traffic | Better HN

Show HN: A proxy service for debugging HTTP/S traffic (opens in new tab)

(debugproxy.com)

75 pointstarnacious_8y ago40 comments

40 comments

Matt3o12_8y ago

> debugProxy is a HTTP/S hosted proxy server that lets you interact with the traffic passing through it, using a web based dashboard.

So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate in my device). Furthermore, all the traffic from the my pc to your proxy is also transmitted unencrypted so everyone who sits between my device and your proxy can see my traffic as well.

While this interface looks really cool and it is probably feature rich, I will pass using it because of those privacy concerns. If anyone is interested in a local http(s) proxy, check out mitmproxy[0] which is open source, runs locally and is easy to install (I’m not affiliated with them, i use use mitmproxy occasionally when Reverse Engineering am API).

[0]: https://mitmproxy.org

tarnacious_OP8y ago

> So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate in my device).

Yes. Requests more than 20 minutes old are permanently deleted.

> Furthermore, all the traffic from the my pc to your proxy is also transmitted unencrypted so everyone who sits between my device and your proxy can see my traffic as well.

No, if you make HTTPS requests they are tunneled over TLS.

> While this interface looks really cool and it is probably feature rich,

Thanks. It isn't feature rich though, it's quite minimal.

> If anyone is interested in a local http(a) proxy, check out mitmproxy[0] which is open source, runs locally and is easy to install (I’m not affiliated with them, i use use mitmproxy occasionally when Reverse Engineering am API).

mitmproxy is indeed great, in fact, this service is build on mitmproxy instances :)

throwaway2016a8y ago

> mitmproxy is indeed great, in fact, this service is build on mitmproxy instances :)

I can appreciate this. Pre-configured / zero config open source software as a service is a useful thing. Not everyone wants to install, configure, and deal with command line tools.

Are there tradeoffs? Sure. Would I personally make those tradeoffs? No. But I am sure some people will.

patcheudor8y ago

>So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate in my device)

Not just see and store, but obviously also tamper with if you want to be thorough in a risk statement.

For years I've done presentations and whatnot to top notch web developers where I've invited them to connect to my proxy in order to demonstrate security flaws - rarely asking them to install my root CA. No matter how many warnings and disclaimers I provide, I always see sensitive traffic through my proxy because someone always connects, despite my advisement against it, with the machine they use for work as opposed to a test VM. Further, weeks after a presentation, I'll still have people connecting through my proxy because they forgot to clear out the settings. Be very, very, very cautious about using this service and do so on a machine that's not configured with email or anything else you care about or will be in the future. Even if you don't install the root CA, there are enough serious flaws in enough non-browser clients (email, chat, and whatnot) as well as sites we tend to use frequently that you should consider that even proxy exposure of HTTP traffic could be a security issue.

tarnacious_OP8y ago

This is a good comment and touches a lot of concerns I have with the service.

On debugProxy, username and password "sessions" are disabled after 20 minutes of inactivity. This was implemented, in part, to combat the issue of people forgetting they were still connected to the proxy.

Also, I don't want to, nor do I have a enough disk space to store things for long. So body data over 20 minutes old is periodically permanently removed. Header data lasts a bit longer, but is also periodically permanently removed.

This will not prevent users sending private credentials over the proxy, but it's hard to prevent that as you say, so hopefully this mitigates the problem a bit.

Of course you still have to trust the service, for some people that will be totally unacceptable, which is fine.

madeofpalk8y ago

Also consider Charles, which is pretty nifty https://www.charlesproxy.com

thatsheelpatel8y ago

Don't forget about Surge: https://nssurge.com

We built a similar proxy at https://wrapapi.com/proxy to allow users to record and replay network requests when turning webpages into an API. I think it's possible to have an end-to-end secure and never-written-to-disk pipeline, provided you trust the provider is doing what they're saying.

The secure pipeline we ended up using involves:

1. Having a HTTPS endpoint for the proxy

2. Forwarding the captures to you immediately via listening WebSocket instances

Note that because the server upon receiving a request can immediately push it to WebSockets instead of relying on polling, no storage is needed

tarnacious_OP8y ago

WrapAPI looks neat. Thanks for posting the link, I couldn't find any similar services when we started building debugProxy, although I assumed some must exist.

tarnacious_OP8y ago

Hi HN,

This is side project I have been working on with a friend. It's a pretty niche service, so it isn't easy finding people to try it. I'm really interested to hear what you think, for better or worse :) I'm also happy to answer any questions.

mhils8y ago

Congrats on the launch and thanks for using mitmproxy! :-)

aggregator-ios8y ago

For those of you looking for a fully native experience or don’t want to deal with a command line, checkout Peek: https://peek.tools

Just a few highlights:

- Fully native iOS app

- You can intercept traffic from any device and your data stays in Peek

- Intercept traffic from other iOS apps on the same device, so you don’t need a Mac or a 2nd iOS device

- Modify requests and responses as they come in

Disclaimer: I am the creator. Would love to hear your feedback here or support@peek.tools

nnd8y ago

How does it work? AFAIK you can't run a local webserver on iOS without a jailbreak.

What's the benefit compared a traditional network setup with a MITM proxy?

IMcD238y ago

You can run a web server on iOS, and you don’t need special entitlements to do so. Depending on how you implement it, you may have problems keeping it alive while the app is in the background, however.

steveharman8y ago

These guys never seem to get a mention when this subject surfaces. So I'll address that:. https://cloudmiddleman.com

Been using them for a couple of years, excellent support and new features keep on coming to their already slick web UI.

tarnacious_OP8y ago

Thanks for the link. I couldn't find any services offering this when we started building debugProxy. It's good to see there might be a viable business model here :)

johns8y ago

There might be, but our experiences running our original product[0] are contrary to that. Happy to chat about it if you’d like.

[0]: https://www.runscope.com/docs/debugging

nnd8y ago

Great execution, I had the same idea a while ago after playing with mitmproxy. My concern would be that people would tentative towards using it as you can tamper with requests on the server which they don't have control of.

tarnacious_OP8y ago

Thanks! I figured (most) people were pretty fast and loose with their security these days, so that wasn't my concern. I've found the problem is that it still isn't easy to use, you still need to configure a proxy with credentials and install a root certificate to proxy HTTPS traffic. Lots of vistors to debugproxy today, not that many requests through proxy.

bencevans8y ago

Interface looks cool but what benefits are there over using mitmproxy?

tarnacious_OP8y ago

> Interface looks cool

Thanks, glad you think so :)

> what benefits are there over using mitmproxy?

With mitmproxy you can do almost everything you can do with debugProxy and a lot more.

The main benefit is you don't need to install anything. Also you can proxy requests from clients outside your local network (if you are behind a NAT router, for example).

fori1to108y ago

You cannot install this thing locally?

I thought this would be something that would run in my own machine.

tarnacious_OP8y ago

As others have suggested mitmproxy[1] is great for this.

https://mitmproxy.org/

Any advantages over mitmproxy?

whathaschanged8y ago

How is this better than Charles or Fiddler?

tarnacious_OP8y ago

It's not "better". It's a hosted alternative.

gressquel8y ago

Moderns app use SSL pinning, same with big websites using HSTS. So this won't really decrypt HTTPS traffic

throwaway2016a8y ago

You may be a little optimistic here. Just because the technology exists does not mean everyone uses it.

I use a MITM proxy to reverse engineer my IoT apps all the time (a lot of them don't provide public APIs but I want to use them from my controller app). I have not once ran into one that used pinning.

nnd8y ago

Most of the popular consumer apps use SSL pinning these days.

tarnacious_OP8y ago

This will prevent decryption. In cases where you are debugging your own modern SSL pinned apps, you can add the debugproxy root certificate in development / testing builds.

detaro8y ago

HPKP (which I assume you meant when saying HSTS) in browsers does not apply if you add a CA manually, exactly to allow HTTPS interception.

j / k navigate · click thread line to collapse