> debugProxy is a HTTP/S hosted proxy server that lets you interact with the traffic passing through it, using a web based dashboard.
So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate on my device). Furthermore, all the traffic from my PC to your proxy is also transmitted unencrypted so everyone who sits between my device and your proxy can see my traffic as well.
While this interface looks really cool and it is probably feature rich, I will pass on using it because of those privacy concerns. If anyone is interested in a local http(s) proxy, check out mitmproxy[0] which is open source, runs locally and is easy to install (I'm not affiliated with them, I use mitmproxy occasionally when reverse engineering an API).
> So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate on my device).
Yes. Requests more than 20 minutes old are permanently deleted.
> Furthermore, all the traffic from my PC to your proxy is also transmitted unencrypted so everyone who sits between my device and your proxy can see my traffic as well.
No, if you make HTTPS requests they are tunneled over TLS.
> While this interface looks really cool and it is probably feature rich,
Thanks. It isn't feature rich though, it's quite minimal.
> If anyone is interested in a local http(s) proxy, check out mitmproxy[0] which is open source, runs locally and is easy to install (I'm not affiliated with them, I use mitmproxy occasionally when reverse engineering an API).
mitmproxy is indeed great, in fact, this service is built on mitmproxy instances :)
> mitmproxy is indeed great, in fact, this service is built on mitmproxy instances :)
I can appreciate this. Pre-configured / zero config open source software as a service is a useful thing. Not everyone wants to install, configure, and deal with command line tools.
Are there tradeoffs? Sure. Would I personally make those tradeoffs? No. But I am sure some people will.
These are my thoughts too. I wouldn't think it is very useful to most mitmproxy/fiddler/charles power users.
But not having to install something, find your IP address, open your firewall etc, allows some users who don't want to do all this to start using a debugging proxy without having to. I'm not sure how many of these users exist though, we will see!
> So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate on my device)
Not just see and store, but obviously also tamper with if you want to be thorough in a risk statement.
For years I've done presentations and whatnot to top notch web developers where I've invited them to connect to my proxy in order to demonstrate security flaws - rarely asking them to install my root CA. No matter how many warnings and disclaimers I provide, I always see sensitive traffic through my proxy because someone always connects, despite my advisement against it, with the machine they use for work as opposed to a test VM. Further, weeks after a presentation, I'll still have people connecting through my proxy because they forgot to clear out the settings. Be very, very, very cautious about using this service and do so on a machine that's not configured with email or anything else you care about or will be in the future. Even if you don't install the root CA, there are enough serious flaws in enough non-browser clients (email, chat, and whatnot) as well as sites we tend to use frequently that you should consider that even proxy exposure of HTTP traffic could be a security issue.
This is a good comment and touches a lot of concerns I have with the service.
On debugProxy, username and password "sessions" are disabled after 20 minutes of inactivity. This was implemented, in part, to combat the issue of people forgetting they were still connected to the proxy.
Also, I don't want to, nor do I have enough disk space to store things for long. So body data over 20 minutes old is periodically permanently removed. Header data lasts a bit longer, but is also periodically permanently removed.
This will not prevent users sending private credentials over the proxy, but it's hard to prevent that as you say, so hopefully this mitigates the problem a bit.
Of course you still have to trust the service, for some people that will be totally unacceptable, which is fine.
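One way to model the retention rules described in the post above, as an added example that is not debugProxy's own code: a mitmproxy-style addon (mitmproxy's real `response(flow)` hook shape, but written without importing mitmproxy, so the constructed `sample_flow` stands in for an HTTPFlow). The 60-minute header lifetime and the explicit `user` argument are assumptions; the thread gives only "a bit longer" and does not say how the user is identified.

```python
# Added example (not debugProxy's code): a mitmproxy-style addon that models the
# retention rules from the thread. Bodies are purged 20 minutes after capture,
# headers are kept "a bit longer" (60 min is an assumed figure), and a proxy-auth
# session counts as disabled after 20 minutes of inactivity.
import time
from types import SimpleNamespace

BODY_TTL = 20 * 60      # seconds a captured body is retained
HEADER_TTL = 60 * 60    # assumed value; the thread does not give one
SESSION_IDLE = 20 * 60  # session disabled after this much inactivity


class RetentionAddon:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self.captures = []          # list of dicts, newest last
        self.last_seen = {}         # user -> timestamp of last proxied request

    def session_active(self, user):
        seen = self.last_seen.get(user)
        return seen is not None and self.clock() - seen < SESSION_IDLE

    def response(self, flow, user):
        # mitmproxy calls response(flow); the user would come from proxy auth
        # in a real deployment (assumed here and passed explicitly).
        now = self.clock()
        self.last_seen[user] = now
        self.captures.append({
            "t": now, "user": user, "method": flow.request.method,
            "url": flow.request.pretty_url, "status": flow.response.status_code,
            "headers": dict(flow.response.headers), "body": flow.response.content,
        })
        self.expire()

    def expire(self):
        # Drop bodies past BODY_TTL, whole captures past HEADER_TTL; return count removed.
        now = self.clock()
        for c in self.captures:
            if c["body"] is not None and now - c["t"] >= BODY_TTL:
                c["body"] = None       # body gone; header metadata survives a bit longer
        kept = [c for c in self.captures if now - c["t"] < HEADER_TTL]
        removed = len(self.captures) - len(kept)
        self.captures = kept
        return removed


def sample_flow():
    # Constructed stand-in for an HTTPFlow, carrying only the fields used above.
    req = SimpleNamespace(method="GET", pretty_url="https://example.com/account")
    resp = SimpleNamespace(status_code=200, headers={"Set-Cookie": "sid=constructed"},
                           content=b'{"balance": "constructed"}')
    return SimpleNamespace(request=req, response=resp)
```

Calling `expire()` from a periodic timer rather than only on each captured response is what makes the purge happen even after a user stops sending traffic.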
We built a similar proxy at https://wrapapi.com/proxy to allow users to record and replay network requests when turning webpages into an API. I think it's possible to have an end-to-end secure and never-written-to-disk pipeline, provided you trust the provider is doing what they're saying.
The secure pipeline we ended up using involves:
1. Having a HTTPS endpoint for the proxy
2. Forwarding the captures to you immediately via listening WebSocket instances
Note that because the server upon receiving a request can immediately push it to WebSockets instead of relying on polling, no storage is needed
WrapAPI looks neat. Thanks for posting the link, I couldn't find any similar services when we started building debugProxy, although I assumed some must exist.
This is a side project I have been working on with a friend. It's a pretty niche service, so it isn't easy finding people to try it. I'm really interested to hear what you think, for better or worse :) I'm also happy to answer any questions.
You can run a web server on iOS, and you don’t need special entitlements to do so. Depending on how you implement it, you may have problems keeping it alive while the app is in the background, however.
Thanks for the link. I couldn't find any services offering this when we started building debugProxy. It's good to see there might be a viable business model here :)
Hi John, thanks for the offer. I might take you up on that and email you in coming days.
I learned of Runscope some time after I started building this, it looks very interesting.
I too have doubts a proxy service like debugproxy will be very successful as it is, mostly because using it is still very difficult and in some cases not possible on various devices (buggy proxy implementations on early iPhones, Android 7 not allowing root certificates to be added etc.)
I figured there are some other cool things you can do with a proxy though that might be interesting. For example getting remote debugging working smoothly by injecting a script into HTML pages sent through the proxy. Or going the other way and proxying existing websites through a sub-domain of debugproxy.com, which I used to do to demonstrate changes to clients' websites.
I'll see what feedback I get in the coming weeks and decide what to do, if anything, from there.
Great execution, I had the same idea a while ago after playing with mitmproxy. My concern would be that people would be tentative about using it as you can tamper with requests on the server which they don't have control of.
Thanks! I figured (most) people were pretty fast and loose with their security these days, so that wasn't my concern. I've found the problem is that it still isn't easy to use, you still need to configure a proxy with credentials and install a root certificate to proxy HTTPS traffic. Lots of visitors to debugproxy today, not that many requests through the proxy.
With mitmproxy you can do almost everything you can do with debugProxy and a lot more.
The main benefit is you don't need to install anything. Also you can proxy requests from clients outside your local network (if you are behind a NAT router, for example).
You may be a little optimistic here. Just because the technology exists does not mean everyone uses it.
I use a MITM proxy to reverse engineer my IoT apps all the time (a lot of them don't provide public APIs but I want to use them from my controller app). I have not once run into one that used pinning.
Is that a fact or assumption? Do you have a source?
That's not a jab at you I am legitimately interested in reading it if you have a source.
I have literally not found one I cared about doing a MitM exploit on that actually did it. Granted I haven't tried social networks because my interest lies mostly in apps that don't have public APIs and most social Networks have APIs.
I won't say who they are because this is not the right venue but I can say for certain that neither my bank nor my alarm company uses pinning.
From personal experience reverse-engineering apps: whatsapp, facebook, twitter, skype, uber, snapchat, instagram - all pinned. The trend is definitely there, more and more apps adopt certificate pinning.
This is true for the app store top 10, but from what I've seen not much out of that.
In practical terms, the bigger problem is Android 8, which does not trust user-added CAs for app traffic (https://github.com/mitmproxy/mitmproxy/issues/2054#issuecomm...). It's a really odd move by Google against privacy researchers.
This will prevent decryption. In cases where you are debugging your own modern SSL pinned apps, you can add the debugproxy root certificate in development / testing builds.
[0]: https://mitmproxy.org