We are excited to announce the release of mitmproxy 5.2! This release comes not only with a long list of improvements and bugfixes – 48 PRs from over 30 contributors – but also with the first fruits from this year’s Google Summer of Code: In this post we take a look the new and improved replacement features.
Editorial Note: Hi!
My name is Martin Plattner (@mplattner) and I’m this years' Google Summer of Code student for mitmproxy. My main task so far was the implementation of the new replacement addons that I describe below. It’s been a great experience already and I’m looking forward to the rest of the summer.
New Replacement UX
Replace addon was cumbersome to use: there was no way to specify where the replacements are applied, among other shortcomings.
We completely revised the current implementation and introduce four new addons that provide a unified user experience to perform replacements: ModifyBody, ModifyHeaders, MapRemote, and MapLocal.
ModifyBodyaddon applies replacements in the body of requests and responses. A simple rule like
/Hi/Helloreplaces all occurrences of
ModifyHeadersworks on headers: it can set, replace, or remove existing headers. For example,
|User-Agent|Wget/1.11.4sets the user agent header on all requests to impersonate wget. Common use-cases for this addon are to set cache or security headers for development and security research.
MapRemoteaddon transparently serves resources from an alternative remote location. The URL is rewritten before performing the request. mitmproxy then fetches the new resource and serves it instead of the original.
The last addon is
MapLocal, which maps remote resources to local files. For example, using the rule
|example.com/js|~/jsyou can redirect all requests to
example.com/js/*to the local directory
All addons use a configuration pattern of the form
The optional mitmproxy filter expression can be used to only target specific messages, for example only HTTP GET requests using
Time for an example. Let’s use
MapRemote to make browsing the web more fun:
DOG in the body of all pages and redirect all image requests to placedog.net.
mitmproxy --modify-body "/BBC/Dog" --map-remote "|^.+\.jpg$|https://placedog.net/640/480?random" --no-http2 # Full HTTP/2 redirects are coming soon!
More seriously, a real-world use case for developers would be to serve certain files from the dev environment while browsing the production environment, for example with a rule like
This should give you a glance of what you can do with the new replacement addons. We hope these new features are helpful and we’re happy to hear your feedback. For more details and examples please see the documentation.
Thanks to our great contributors there are many other notable changes:
- Add Filter message to mitmdump (@sarthak212)
- Display TCP flows at flow list (@Jessonsotoventura, @nikitastupin, @mhils)
- Colorize JSON Contentview (@sarthak212)
- Fix console crash when entering regex escape character in half-open string (@sarthak212)
- Integrate contentviews to TCP flow details (@nikitastupin)
- Added add-ons that enhance the performance of web application scanners (@anneborcherding)
- Increase WebSocket message timestamp precision (@JustAnotherArchivist)
- Fix HTTP reason value on HTTP/2 reponses (@rbdixon)
- mitmweb: support wslview to open a web browser (@G-Rath)
- Fix dev version detection with parent git repo (@JustAnotherArchivist)
- Restructure examples and supported addons (@mhils)
- Certificate generation: mark SAN as critical if no CN is set (@mhils)
- mitmweb: “New -> File” menu option has been renamed to “Clear All” (@yogeshojha)
- Add support for HTTP Trailers to the HTTP/2 protocol (@sanlengjingvv and @Kriechi)
- Fix certificate runtime error during expire cleanup (@gorogoroumaru)
- Fixed the DNS Rebind Protection for secure support of IPv6 addresses (@tunnelpr0)
- WebSockets: match the HTTP-WebSocket flow for the ~websocket filter (@Kriechi)
- Fix deadlock caused by the “replay.client.stop” command (@gorogoroumaru)
- Add new MapLocal addon to serve local files instead of remote resources (@mplattner and @mhils)
- Add minimal TCP interception and modification (@nikitastupin)
- Add new CheckSSLPinning addon to check SSL-Pinning on client (@su-vikas)
- Add a JSON dump script: write data into a file or send to an endpoint as JSON (@emedvedev)
- Fix console output formatting (@sarthak212)
- Add example for proxy authentication using selenium (@anneborcherding and @weichweich)