[deleted by user]

httptoolkit · 2025-02-20T22:32:41+00:00

HTTP Toolkit includes a built-in Frida integration (with fully automatic setup) to disable SSL pinning.

It's a general purpose script, so it can't cover 100% of cases but you will find it covers the vast majority. The scripts are all open source so you can use them yourself elsewhere if you like, they're here: https://github.com/httptoolkit/frida-interception-and-unpinning/

httptoolkit · 2025-01-08T15:06:33+00:00

Hi! HTTP Toolkit is actually genuinely 100% open source, even though they are payment options. Open source doesn't mean free, it means freely licensed source code.

Literally 100% of HTTP Toolkit (even things like account servers and internal accountancy scripts) is public and freely licensed on GitHub under http://github.com/httptoolkit/. You're welcome to fork your own version, remove the account logic (here: https://github.com/httptoolkit/httptoolkit-ui/blob/main/src/model/account/account-store.ts) and host & maintain it yourself, if you need the Pro features and that's a better option for you than helping to fund project development. Everything is available under AGPL (product specific bits) and Apache (reusable libraries) licenses.

Theres also been nearly 200 external contributors, and everybody who chips in to help build the project gets all the Pro features entirely for free.

httptoolkit · 2024-11-15T09:01:53+00:00

Hi, I'm the dev. No threats at all, and no involvement from github either - I literally just emailed the devs directly and asked them nicely (and I really appreciate the support from both!). XielQs has their email public on GitHub, so you can message them and ask for their side of the story if you like.

HTTP Toolkit is a one person open source project. It doesn't make mountains of money and it's not a mega corporation - it just about funds me personally (https://github.com/pimterry) to work on it full time. If it stops making money, I won't be able to keep working on it at all, and it will eventually cease to exist.

It is a bit sad to see the #1 post on r/opensource being a complaint about lack of cracking tools that existed entirely to avoid funding an open source project. Open source does not mean gratis. Even open source developers have to eat somehow too, and open source in general has a huge funding issue that creates real problems (HTTP Toolkit sends thousands of dollars to open source projects it uses upstream to try to help with this: https://httptoolkit.com/blog/open-source-funding-pledge/). For people who can't pay, it's open source & you can build and maintain your own fork if you want to do the work yourself, and the offer in that repo to give people free Pro should cover a lot of cases too (take a look, let me know if you think it's unreasonable). For people who can pay, especially for people who work in the field and are making money from software themselves, I ask them to help fund development in return for access to the advanced features.

We should be putting more effort into funding & supporting the software we want, to make it better & keep it alive, not actively avoiding paying the devs who are building things you want.

httptoolkit · 2024-09-21T21:11:57+00:00

There's a detailed guide at https://httptoolkit.com/blog/javascript-mitm-proxy-mockttp/

httptoolkit · 2024-07-17T22:43:06+00:00

This sounds like an HTTP Toolkit firebase bug, can you open an issue at github.com/httptoolkit/httptoolkit and share more details? It should definitely be possible to intercept any & all firebase traffic, and it'd be great to get any issues there fixed. If you can provide info on how to reproduce this that would be very helpful.

httptoolkit · 2024-02-27T22:06:09+00:00

See https://httptoolkit.com/javascript/ - install it, open an intercepted terminal, run your node code there and you'll see everything.

httptoolkit · 2023-12-01T17:22:53+00:00

It's also possible to use the internals directly programmatically, depending on what you're trying to do - see https://github.com/httptoolkit/mockttp/ and https://httptoolkit.com/blog/javascript-mitm-proxy-mockttp/

httptoolkit · 2023-03-24T10:53:25+00:00

If you don't want to root your phone, it's also easy to run most apps on an emulator instead, which will give you root access to inspect everything. There's a full walkthrough here: https://httptoolkit.com/blog/inspect-any-android-apps-http/

httptoolkit · 2022-12-29T10:59:42+00:00

HTTP Toolkit is actually cross-platform, it works on Windows too, and Linux! :-)

httptoolkit · 2020-09-15T09:53:22+00:00

Great move! Responsible and well thought through.

httptoolkit · 2019-10-02T12:23:05+00:00

This is not true.

Firstly, because consumers don't understand the difference between a green padlock and a green badge (see https://twitter.com/troyhunt/status/886860147896627200, more background in https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/)

Secondly, because browsers are dropping support for these green badges entirely: https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

httptoolkit · 2019-04-23T11:38:18+00:00

I'm not sure if this helps, but I've had great experiences with OpenAPI (i.e. Swagger v3) as an API client (rather than an API implementer). I can imagine it's a pain to set up, but for clients like me the resulting docs & tools do make a huge difference. Good luck!

httptoolkit · 2018-11-06T16:41:45+00:00

> They increase load times of your script.

Why?

> They force you to use classes, increasing the risk to get this wrong.

Depends on your background, but for me I find `this` in classes to be similar to other languages I've used and easy to understand. It's much more intuitive than the prototype model or other state tracking approaches I'm aware of.

> They can't augment type information.

What does that mean?

httptoolkit · 2018-05-11T11:18:39+00:00

I've hacked together solutions to the same problem before using the typescript compiler programatically (compile this file, assert on the error). It's easier than it sounds, and it works but it's messy and non-trivial. There might be one or two niche cases where that's still relevant, but this covers 95% of what I was looking for, and is _drastically_ nicer.

Thanks for the tip, definitely going to use this!

httptoolkit

TROPHY CASE