mitmproxy is an interactive proxy to monitor and manipulate HTTP and HTTPS traffic.

In the F5 Advanced WAF (AWAF) course, mitmproxy serves as a powerful tool for analyzing and modifying web traffic and simulating attack scenarios to test and strengthen security measures.

This section shows how to use mitmproxy to intercept and analyze communication between clients and web application.

Table of Contents

Download, Install and Configure mitmproxy

To begin using mitmproxy, start by downloading and installing the latest version from the mitmproxy official website.

Once installed, navigate to the “bin” directory within the installation folder (C:\Program Files\mitmproxy\bin) to access the executable files. mitmproxy offers two interfaces: the command-line interface (CLI) version, `mitmproxy.exe`, and the web interface version, `mitmweb.exe`.

Although the web interface provides a graphical user interface for ease of use, I had some performance issues experience. As a result, I prefer using the CLI version, `mitmproxy.exe` during the course.

execute mitmproxy
execute mitmproxy

configure windows proxy to route traffic through mitmproxy

Then we need to change windows proxy setting so that the traffic is routed through the proxy.

change windows proxy to mitmproxy
change windows proxy to mitmproxy

To confirm that your traffic is correctly routed through the proxy, navigate to “http://mitm.it” in your web browser. If the page loads successfully, this indicates that the proxy is functioning as intended.

check if traffic goes through proxy and install mitmproxy certificate as a trusted certificate
check if traffic goes through proxy and install mitmproxy certificate as a trusted certificate

Next, proceed with download and installation of the mitmproxy certificate as a trusted certificate authority. This step is crucial for establishing a trusted connection.

install mitmproxy as trusted certificate
install mitmproxy as trusted certificate

route traffic to specific domain through mitmproxy

Actually it is not necessary but you can prepare a PAC file to ensure that only traffic directed to the vulnerable web applications are processed through the proxy server and other traffic is not affected.

In a summary:

  • I crafted a PAC file named “pac.js” and placed it in the Windows IIS root directory at “C:\inetpub\wwwroot”. Obviously windows IIS feature is already installed.

function FindProxyForURL(url, host) {
// If the hostname matches 'f5demo.com', use the proxy
if (shExpMatch(host, "*.f5demo.com")) {
return "PROXY 127.0.0.1:8080";
}
// Otherwise, connect directly without a proxy
return "DIRECT";
}
  • I registered the MIME Typeapplication/x-ns-proxy-autoconfig” within the MIME Types settings of the IIS default website.

add MIME Type x-ns-proxy-autoconfig within IIS default website
add MIME Type x-ns-proxy-autoconfig within IIS default website
  • I have configured the Windows proxy settings to utilize the PAC file, which can be accessed at “http://127.0.0.1/pac.js”.

configure Windows proxy settings to utilize PAC file
configure Windows proxy settings to utilize PAC file

Analyse traffic routing through mitmproxy

Once you’ve confirmed that your traffic is successfully passing through mitmproxy, you see many traffic over mitmproxy page. You may wish to narrow down the visibility of the traffic to a particular domain. This can be achieved by applying a filter within mitmproxy.

check mitmproxy page to check if traffic are going through proxy
check mitmproxy page to check if traffic are going through proxy

To filter the traffic, press the “f” key to bring up the filter input field. Then enter the filter expression “~u f5demo.com” to to display only the traffic associated with f5demo.com.

press f to filter displaying traffic
press f to filter displaying traffic

Then use the up and down arrow keys to move between traffic. Then when you press “enter” on any traffic, you can see the details of the traffic.

press left and right arrow keys to move between traffic and then press enter to check details of a specific traffic
press left and right arrow keys to move between traffic and then press enter to check details of a specific traffic

Inside the traffic, with right and left arrow key, you can move between header, response and detail to check request header, response header and details of traffic.

Within Traffic, you have the ability to examine various aspects of traffic. To do this, use the right and left arrow keys to switch between request header, response header and traffic details.

check traffic header and response and details
check traffic header and response and details

intercept and manipulate traffic routing through mitmproxy

A key feature of mitmproxy that we’ll frequently utilize in this course is its ability to intercept and alter network traffic. This includes modifying request and response headers, cookies, and other data elements I will demonstrate this now.

To demonstrate interception, let’s first log in to the vulnerable web application auction.f5demo.com that we prepared in the previous lesson. But before we click on “Your Control Panel”, we enable interception in mitmproxy.

login to the web application to be prepared for traffic interception
login to the web application to be prepared for traffic interception

To enable interception, we press “i”. To intercept traffic from a specific domain “f5demo.com”, use the filter “~u f5demo.com”.

press i to enable traffic interception
press i to enable traffic interception

Then, in your web browser, click on”Your Control Panel“. The page will not load because it has been intercepted by mitmproxy.

Switch back to the mitmproxy CLI environment. You’ll notice that the intercepted traffic is highlighted in red color to indicate its status.

intercepted traffic are displayed with red color
intercepted traffic are displayed with red color

Select the intercepted traffic entry and press”e“to edit it.

press e to edit traffic
press e to edit traffic

You will be prompted to select a section of the traffic to edit. Choose”query“to modify the URL query parameters.

choose which part of traffic to be edited
choose which part of traffic to be edited

To edit any field, press”enter“. This allows you to change the value of the selected field.

edit http query parameter
edit http query parameter

We have already logged into the web application as”username1“. We change the value to”username2“. Press”Esc“to confirm the new value. Press”Esc“again to exit the editing mode and return to the main mitmproxy interface.

edit traffic and apply the changes
edit traffic and apply the changes

To resume the session, press”a“multiple times until the intercepted traffic resumes.

resume intercepted traffic
resume intercepted traffic

Now if you revisit again your web browser, you see that the page is now open but instead of showing “username1” control panel, it shows the control panel associated with „username2“.

check web application tto see how traffic is intercepted
check web application tto see how traffic is intercepted
Back to: F5 BIG-IP AWAF (formerly ASM) > F5 AWAF Lab Topology Preperation

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment