The release of Mitmproxy 11 has been announced. The project develops tools for intercepting traffic inside connections established over HTTPS, with the ability to inspect, modify and replay that traffic. The main purpose of Mitmproxy is to monitor traffic in corporate systems and diagnose problems, for example identifying hidden network activity of applications. The project's source code is written in Python and distributed under the MIT license.
To analyze HTTPS traffic, Mitmproxy is placed on a transit node, where it intercepts client requests and re-issues them as requests sent from itself to the target server. Mitmproxy establishes a regular HTTPS connection with the server requested during the client session and a dummy connection with the client on behalf of the target server, using a fake SSL certificate generated for the client on the fly. Traffic received from the client is forwarded to the target server, and the responses received are relayed back to the client.

Several methods are supported for redirecting traffic through mitmproxy: specifying the mitmproxy address as an HTTP proxy in the browser settings, running it as a SOCKS5 proxy, using it as a reverse proxy in front of an HTTP server, and transparent interception via packet filter rules or traffic routing. So that the fake certificate presented to the client does not cause the browser to display connection security warnings, the user is invited to install the mitmproxy root certificate in the system, which can be done either manually or by opening the special mitm.it host in the browser.

Mitmproxy supports HTTP/2, HTTP/3 and WebSockets, normalization of packet order in a stream, attaching handler scripts that modify traffic on the fly, saving requests for later replay, generating TLS certificates for intercepted sessions, stripping modification-time headers to disable client-side caching, a reverse proxy mode for redirecting traffic to a server, block lists for filtering specific requests, selective request redirection (including responding with a local file), and modification of content and headers based on regular expressions. For traffic analysis, a command-line utility similar to tcpdump, mitmdump, and a web interface, mitmweb, are available.
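The handler-script mechanism above is how most of the listed features are exercised in practice. The following addon is an added illustration, not code from the mitmproxy project or from the original article: it reports requests to hosts outside an expected set (the "hidden network activity" use case), answers block-listed hosts with a 403 instead of forwarding them, strips the conditional-request headers so the proxy always sees full responses, and masks Authorization values in its own log with a regular expression. The host names, block-list patterns and log layout are constructed for the example; the hook only relies on `flow.request` having `host`, `path` and `headers`, so the rules can be dry-run without a proxy.

```python
"""
Monitoring addon for mitmproxy (added example, not part of the mitmproxy project).
Load it with:   mitmdump -s monitor_addon.py
All host names and rules below are constructed for illustration.
"""
import re
from types import SimpleNamespace

try:
    from mitmproxy import http  # present when loaded by mitmdump / mitmweb
except ImportError:  # keeps the module importable for offline dry-runs
    http = None

# Constructed allowlist: hosts the monitored application is expected to contact.
EXPECTED_HOSTS = {"api.example.com", "updates.example.com"}

# Constructed block list: hosts answered with an empty 403 instead of being forwarded.
BLOCKED_HOST_PATTERNS = [re.compile(r"(^|\.)telemetry\.example\.net$")]

# Conditional-request headers; removing them forces servers to send full bodies,
# so every payload is visible in the proxy instead of a cached 304.
CONDITIONAL_HEADERS = ("if-modified-since", "if-none-match")

# Regex used only for the addon's own log: bearer tokens never reach disk.
AUTH_REDACT = re.compile(r"(?i)^bearer\s+\S+$")


def is_expected(host):
    return host.lower() in EXPECTED_HOSTS


def is_blocked(host):
    host = host.lower()
    return any(p.search(host) for p in BLOCKED_HOST_PATTERNS)


def strip_conditional_headers(headers):
    """Remove conditional headers in place (case-insensitive); return removed names.
    Works on a plain dict and on mitmproxy's Headers object, both iterate keys."""
    removed = [k for k in list(headers) if k.lower() in CONDITIONAL_HEADERS]
    for k in removed:
        del headers[k]
    return removed


def redact_headers(headers):
    """Copy of the headers for logging, with Authorization bearer values masked."""
    out = {}
    for k in headers:
        value = headers[k]
        if k.lower() == "authorization" and AUTH_REDACT.match(value):
            value = "Bearer <redacted>"
        out[k] = value
    return out


def describe(host, path, headers):
    """Build one log record: verdict for the host plus redacted request headers."""
    if is_blocked(host):
        verdict = "blocked"
    elif is_expected(host):
        verdict = "expected"
    else:
        verdict = "unexpected"  # candidate hidden network activity
    return {"host": host, "path": path, "verdict": verdict,
            "headers": redact_headers(headers)}


class Monitor:
    """Addon object; mitmproxy calls request() once per intercepted request."""

    def __init__(self):
        self.records = []

    def request(self, flow):
        req = flow.request
        record = describe(req.host, req.path, req.headers)
        record["stripped"] = strip_conditional_headers(req.headers)
        self.records.append(record)
        if record["verdict"] == "blocked" and http is not None:
            # Short-circuit the flow: the client gets a 403, the server is never contacted.
            flow.response = http.Response.make(403, b"", {"Content-Type": "text/plain"})


def dry_run(monitor, host, path, headers):
    """Exercise the request hook against a stand-in flow, for testing rules offline."""
    flow = SimpleNamespace(request=SimpleNamespace(host=host, path=path, headers=headers),
                           response=None)
    monitor.request(flow)
    return monitor.records[-1]


addons = [Monitor()]  # what mitmdump -s picks up from this script
```

The decisions live in plain functions so the rule set can be unit-tested before the script is loaded into a live proxy; only the final `http.Response.make` call needs mitmproxy itself.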

The key improvement in the new version is full support for the HTTP/3 protocol, which uses the QUIC (Quick UDP Internet Connections) protocol as a transport for HTTP/2 (QUIC is an add-on to the UDP protocol that supports multiplexing of multiple connections and provides encryption methods equivalent to TLS/SSL). Mitmproxy can intercept HTTP/3 both transparently and as a reverse proxy. HTTP/3 interception has been tested with Firefox, Chrome and various versions of cURL.
Other notable changes in the new branch concern improved DNS support in the context of HTTPS resource records in DNS and ECH (Encrypted Client Hello). The new version adds support for querying DNS record types other than A/AAAA (for example, with ECH the public encryption key is transmitted in HTTPSSVC DNS records). A mode for stripping ECH keys from HTTPS records in DNS has been added. DNS handling has been moved to the Hickory library, written in Rust and developed by the Let's Encrypt project. DNS-over-TCP support has been added, and an option has been implemented to disable processing of entries from /etc/hosts.
Source: opennet.ru
