agentsecops/api-mitmproxy
skills/appsec/api-mitmproxy/SKILL.md
Interactive HTTPS proxy for API security testing with traffic interception, modification, and replay capabilities. Supports HTTP/1, HTTP/2, HTTP/3, WebSockets, and TLS-protected protocols. Includes Python scripting API for automation and multiple interfaces (console, web, CLI). Use when: (1) Intercepting and analyzing API traffic for security testing, (2) Modifying HTTP/HTTPS requests and responses to test API behavior, (3) Recording and replaying API traffic for testing, (4) Debugging mobile app or thick client API communications, (5) Automating API security tests with Python scripts, (6) Exporting traffic in HAR format for analysis.
$ install --global
skillsauthnpx skillsauth add agentsecops/secopsagentkit api-mitmproxyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 4:55 PM55.9s5 files scanned
SKILL.md
- name:
- api-mitmproxy
- description:
- >
- version:
- 0.1.0
- maintainer:
- SirAppSec
- category:
- appsec
- tags:
- [api-testing, proxy, https, intercepting-proxy, traffic-analysis, mitmproxy, har-export, websockets]
- frameworks:
- [OWASP]
- python:
- >=3.9
- tools:
- [mitmproxy, mitmweb, mitmdump]
- - https:
- //docs.mitmproxy.org/
mitmproxy API Security Testing
Overview
mitmproxy is an interactive, TLS-capable intercepting HTTP proxy for penetration testers and developers. It enables real-time inspection, modification, and replay of HTTP/HTTPS traffic including APIs, mobile apps, and thick clients. With support for HTTP/1, HTTP/2, HTTP/3, and WebSockets, mitmproxy provides comprehensive coverage for modern API security testing.
Interfaces
mitmproxy - Interactive console interface with keyboard navigation mitmweb - Web-based GUI for visual traffic inspection mitmdump - Command-line tool for automated traffic capture and scripting
Quick Start
Install and run mitmproxy:
# Install via pip
pip install mitmproxy
# Start interactive console proxy
mitmproxy
# Start web interface (default: http://127.0.0.1:8081)
mitmweb
# Start command-line proxy with output
mitmdump -w traffic.flow
Configure client to use proxy (default: localhost:8080)
Core Workflows
Workflow 1: Interactive API Traffic Inspection
For manual API security testing and analysis:
- Start mitmproxy or mitmweb:
# Console interface mitmproxy --mode regular --listen-host 0.0.0.0 --listen-port 8080 # Or web interface mitmweb --mode regular --listen-host 0.0.0.0 --listen-port 8080 - Configure target application to use proxy (HTTP: localhost:8080)
- Install mitmproxy CA certificate on client device
- Trigger API requests from the application
- Intercept and inspect requests/responses in mitmproxy
- Modify requests to test:
- Authentication bypass attempts
- Authorization flaws (IDOR, privilege escalation)
- Input validation (SQLi, XSS, command injection)
- Business logic vulnerabilities
- Save flows for documentation and reporting
Workflow 2: Mobile App API Security Testing
Progress: [ ] 1. Install mitmproxy CA certificate on mobile device [ ] 2. Configure device WiFi to use mitmproxy as proxy [ ] 3. Start mitmweb for visual traffic inspection [ ] 4. Launch mobile app and exercise all features [ ] 5. Review API endpoints, authentication mechanisms, data flows [ ] 6. Test for common API vulnerabilities (OWASP API Top 10) [ ] 7. Export traffic as HAR for further analysis [ ] 8. Document findings with request/response examples
Work through each step systematically. Check off completed items.
Workflow 3: Automated API Traffic Recording
For capturing and analyzing API traffic at scale:
- Start mitmdump with flow capture:
mitmdump -w api-traffic.flow --mode regular - Run automated tests or manual app interaction
- Stop mitmdump (Ctrl+C) to save flows
- Replay captured traffic:
# Replay to server mitmdump -nc -r api-traffic.flow # Replay with modifications via script mitmdump -s replay-script.py -r api-traffic.flow - Export to HAR format for analysis:
# Using Python API python3 -c "from mitmproxy.io import FlowReader; from mitmproxy.tools.dump import DumpMaster; import sys; [print(flow.request.url) for flow in FlowReader(open('api-traffic.flow', 'rb')).stream()]"
Workflow 4: Python Scripting for API Testing
For automated security testing with custom logic:
- Create Python addon script (
api-test.py):from mitmproxy import http class APISecurityTester: def request(self, flow: http.HTTPFlow) -> None: # Modify requests on-the-fly if "api.example.com" in flow.request.pretty_url: # Test for authorization bypass flow.request.headers["X-User-ID"] = "1" def response(self, flow: http.HTTPFlow) -> None: # Analyze responses if flow.response.status_code == 200: if "admin" in flow.response.text: print(f"[!] Potential privilege escalation: {flow.request.url}") addons = [APISecurityTester()] - Run mitmproxy with script:
mitmproxy -s api-test.py # Or for automation mitmdump -s api-test.py -w results.flow - Review automated findings and captured traffic
- Export results for reporting
Workflow 5: SSL/TLS Certificate Pinning Bypass
For testing mobile apps with certificate pinning:
- Install mitmproxy CA certificate on device
- Use certificate unpinning tools or framework modifications:
- Android: Frida script for SSL unpinning
- iOS: SSL Kill Switch or similar tools
- Configure app traffic through mitmproxy
- Alternatively, use reverse proxy mode:
mitmproxy --mode reverse:https://api.example.com --listen-host 0.0.0.0 --listen-port 443 - Modify /etc/hosts to redirect API domain to mitmproxy
- Intercept and analyze traffic normally
Operating Modes
mitmproxy supports multiple deployment modes:
Regular Proxy Mode (default):
mitmproxy --mode regular --listen-port 8080
Client configures proxy settings explicitly.
Transparent Proxy Mode (invisible to client):
mitmproxy --mode transparent --listen-port 8080
Requires iptables/pf rules to redirect traffic.
Reverse Proxy Mode (sits in front of server):
mitmproxy --mode reverse:https://api.example.com --listen-port 443
mitmproxy acts as the server endpoint.
Upstream Proxy Mode (chain proxies):
mitmproxy --mode upstream:http://corporate-proxy:8080
Routes traffic through another proxy.
Certificate Installation
Install mitmproxy CA certificate for HTTPS interception:
Browser/Desktop:
- Start mitmproxy and configure proxy settings
- Visit http://mitm.it
- Download certificate for your platform
- Install in system/browser certificate store
Android:
- Push certificate to device:
adb push ~/.mitmproxy/mitmproxy-ca-cert.cer /sdcard/ - Settings → Security → Install from SD card
- Select mitmproxy certificate
iOS:
- Email certificate or host on web server
- Install profile on device
- Settings → General → About → Certificate Trust Settings
- Enable trust for mitmproxy certificate
Common Patterns
Pattern 1: API Authentication Testing
Test authentication mechanisms and token handling:
# auth-test.py
from mitmproxy import http
class AuthTester:
def __init__(self):
self.tokens = []
def request(self, flow: http.HTTPFlow):
# Capture auth tokens
if "authorization" in flow.request.headers:
token = flow.request.headers["authorization"]
if token not in self.tokens:
self.tokens.append(token)
print(f"[+] Captured token: {token[:20]}...")
# Test for missing authentication
if "api.example.com" in flow.request.url:
flow.request.headers.pop("authorization", None)
print(f"[*] Testing unauthenticated: {flow.request.path}")
addons = [AuthTester()]
Pattern 2: API Parameter Fuzzing
Fuzz API parameters for injection vulnerabilities:
# fuzz-params.py
from mitmproxy import http
class ParamFuzzer:
def request(self, flow: http.HTTPFlow):
if flow.request.method == "POST" and "api.example.com" in flow.request.url:
# Clone and modify request
original_body = flow.request.text
payloads = ["' OR '1'='1", "<script>alert(1)</script>", "../../../etc/passwd"]
for payload in payloads:
# Modify parameters and test
# (Implementation depends on content-type)
print(f"[*] Testing payload: {payload}")
addons = [ParamFuzzer()]
Pattern 3: GraphQL API Testing
Inspect and test GraphQL APIs:
# graphql-test.py
from mitmproxy import http
import json
class GraphQLTester:
def request(self, flow: http.HTTPFlow):
if "/graphql" in flow.request.path:
try:
data = json.loads(flow.request.text)
query = data.get("query", "")
print(f"[+] GraphQL Query:\n{query}")
# Test for introspection
if "__schema" not in query:
introspection = {"query": "{__schema{types{name}}}"}
print(f"[*] Testing introspection")
except:
pass
addons = [GraphQLTester()]
Pattern 4: HAR Export for Analysis
Export traffic as HTTP Archive for analysis:
# Export flows to HAR format
mitmdump -s export-har.py -r captured-traffic.flow
# export-har.py
from mitmproxy import http, ctx
import json
class HARExporter:
def done(self):
har_entries = []
# Build HAR structure
# (Simplified - use mitmproxy's built-in HAR addon)
ctx.log.info(f"Exported {len(har_entries)} entries")
addons = [HARExporter()]
Or use built-in addon:
mitmdump --set hardump=./traffic.har
Security Considerations
- Sensitive Data Handling: Captured traffic may contain credentials, tokens, PII. Encrypt and secure stored flows. Never commit flow files to version control
- Access Control: Restrict access to mitmproxy instance. Use authentication for mitmweb (--web-user/--web-password flags)
- Audit Logging: Log all intercepted traffic and modifications for security auditing and compliance
- Compliance: Ensure proper authorization before intercepting production traffic. Comply with GDPR, PCI-DSS for sensitive data
- Safe Defaults: Use isolated testing environments. Avoid intercepting production traffic without explicit authorization
Integration Points
Penetration Testing Workflow
- Reconnaissance: Identify API endpoints via mitmproxy
- Authentication testing: Capture and analyze auth tokens
- Authorization testing: Modify user IDs, roles, permissions
- Input validation: Inject payloads to test for vulnerabilities
- Business logic: Test workflows for logical flaws
- Export findings as HAR for reporting
CI/CD Integration
Run automated API security tests:
# Run mitmdump with test script in CI
mitmdump -s api-security-tests.py --anticache -w test-results.flow &
PROXY_PID=$!
# Run API tests through proxy
export HTTP_PROXY=http://localhost:8080
export HTTPS_PROXY=http://localhost:8080
pytest tests/api_tests.py
# Stop proxy and analyze results
kill $PROXY_PID
python3 analyze-results.py test-results.flow
Mobile App Security Testing
Standard workflow for iOS/Android apps:
- Configure device to use mitmproxy
- Install CA certificate
- Bypass SSL pinning if needed
- Exercise app functionality
- Analyze API security (OWASP Mobile Top 10)
- Document API vulnerabilities
Advanced Features
Traffic Filtering
Filter displayed traffic by expression:
# Show only API calls
mitmproxy --view-filter '~d api.example.com'
# Show only POST requests
mitmproxy --view-filter '~m POST'
# Show responses with specific status
mitmproxy --view-filter '~c 401'
# Combine filters
mitmproxy --view-filter '~d api.example.com & ~m POST'
Request/Response Modification
Modify traffic using built-in mappers:
# Replace request headers
mitmproxy --modify-headers '/~u example/Authorization/Bearer fake-token'
# Replace response body
mitmproxy --modify-body '/~s & ~b "error"/success'
WebSocket Interception
Intercept and modify WebSocket traffic:
# websocket-test.py
from mitmproxy import websocket
class WebSocketTester:
def websocket_message(self, flow):
message = flow.messages[-1]
print(f"[+] WebSocket: {message.content[:100]}")
# Modify messages
if message.from_client:
message.content = message.content.replace(b"user", b"admin")
addons = [WebSocketTester()]
Troubleshooting
Issue: SSL Certificate Errors
Solution: Ensure mitmproxy CA certificate is properly installed and trusted:
# Verify certificate location
ls ~/.mitmproxy/
# Regenerate certificates if needed
rm -rf ~/.mitmproxy/
mitmproxy # Regenerates on startup
Issue: Mobile App Not Sending Traffic Through Proxy
Solution:
- Verify WiFi proxy configuration
- Check firewall rules aren't blocking proxy port
- Ensure mitmproxy is listening on correct interface (0.0.0.0)
- Test with browser first to verify proxy works
Issue: Certificate Pinning Blocking Interception
Solution: Use SSL unpinning tools:
# Android with Frida
frida -U -l universal-android-ssl-pinning-bypass.js -f com.example.app
# Or modify app to disable pinning (development builds)
Issue: Cannot Intercept HTTP/2 or HTTP/3
Solution: mitmproxy supports HTTP/2 by default. For HTTP/3:
# Enable HTTP/3 support (experimental)
mitmproxy --set http3=true
OWASP API Security Top 10 Testing
Use mitmproxy to test for OWASP API Security Top 10 vulnerabilities:
- API1: Broken Object Level Authorization - Modify object IDs in requests
- API2: Broken Authentication - Test token validation, session management
- API3: Broken Object Property Level Authorization - Test for mass assignment
- API4: Unrestricted Resource Consumption - Test rate limiting, pagination
- API5: Broken Function Level Authorization - Modify roles, escalate privileges
- API6: Unrestricted Access to Sensitive Business Flows - Test business logic
- API7: Server Side Request Forgery - Inject URLs in parameters
- API8: Security Misconfiguration - Check headers, CORS, error messages
- API9: Improper Inventory Management - Enumerate undocumented endpoints
- API10: Unsafe Consumption of APIs - Test third-party API integrations
References
- mitmproxy Documentation
- mitmproxy GitHub
- OWASP API Security Top 10
- mitmproxy Addon Examples
Related Skills
agentsecops/privesc-linpeas
testing
VerifiedTrustedCommunity
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/ot-security-assessment
development
VerifiedTrustedCommunity
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/vuln-defectdojo
tools
VerifiedTrustedCommunity
Vulnerability management and findings aggregation using DefectDojo. Centralizes security findings from all SecOpsAgentKit scanners (Semgrep, Bandit, ZAP, Trivy, Grype, Gitleaks, Nuclei, Checkov, Horusec) into a unified platform with automatic deduplication, SLA tracking, risk-based prioritization, and compliance reporting. Use when: (1) Aggregating findings from multiple scanners across products and pipelines, (2) Tracking remediation status and SLA compliance against policy thresholds, (3) Deduplicating overlapping findings across security tools, (4) Generating vulnerability reports for compliance audits (SOC2, PCI-DSS, GDPR), (5) Managing security debt and vulnerability backlog across teams and applications.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/pytm
tools
VerifiedTrustedCommunity
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
82SKILL.mdUpdated Mar 27, 2026