How MITMproxy has been slaying SSL Dragons, presented at OWASP AppSecAsiaPac 2012

by Jim Cheetham

Tags: Security

Summary: MITMproxy is an extensible, interactive or programmable man-in-the-middle proxy for HTTP and HTTPS, aimed at security researchers and web developers. This presentation introduces the project (http://mitmproxy.org/) and demonstrates how easily it can be used to intercept and modify HTTP traffic, even when carried over HTTPS.
It is of particular use in situations where you cannot install arbitrary software on the end-point, but you can install SSL certificates and configure a proxy, as with mobile devices such as those running iOS.
Recently there have been a number of high-profile publications revealing how mobile device application vendors have been transmitting inappropriate data back to their servers; MITMproxy has often been the tool used to discover these. You will see how this has been done, and also how MITMproxy can use straightforward Python code to extend your decoding abilities to collect cleartext despite ad-hoc obfuscation or even high-grade encryption.
MITMproxy is quick to use, easy to get started with, and capable of great things; it is a great tool in the arsenal of a web developer trying to debug what is happening inside an HTTPS connection, or of a security researcher trying to protect your privacy online.