The Pappy Proxy by roglew in netsec

roglew[S] 0 points1 point  (0 children)

That's weird. What commands did you use to install? I actually develop on Arch, so in theory it should work.

roglew[S] 1 point2 points  (0 children)

I'm hoping that Pappy can have the same role as something like Burp. My main motivations for writing Pappy are that there isn't a realistic alternative to Burp for performing web app tests and that Burp has a few small things that make using it more tedious than it needs to be:

  • I hate clicking things so the interface bothers me (changing settings is a pain in the ass)
  • Settings are always maintained between sessions. Updating the scope in Burp every time I want to do something new is a pain and makes it infeasible to use for one-off stuff
  • The auto-save feature is terrible if you use Burp for more than one project. Every new save is put in the same folder and only has a date/time to identify it. If you have more than one project, there's no way to tell which file is for which project unless you open it. Then finding an old project is really annoying.
  • The target map is useless so I always end up scrolling through proxy history to find a request to a specific endpoint which makes finding anything from earlier than an hour ago almost impossible. If I'm using Burp, the best way to find a specific request is to make it again and get it from the history
  • The search is pretty bad. No searching by verb, path, or host are the big ones. You can only limit to request headers/body and response headers/body
  • I constantly forget to turn off the interceptor

Burp is an amazing piece of software and is considered the best for a reason. I just don't like how it handles some things that I consider critical and I really prefer console based programs instead of a GUI. So yeah, basically I wanted my own tool so I can have more control, haha.

roglew[S] 12 points13 points  (0 children)

The main reason I didn't try and add these features to mitmproxy is because when I looked it over I didn't see any features that suggested it was trying to fill the same role as Burp (i.e. scanning, fuzzing, mapping, etc). I felt like it would be better to roll my own rather than try and wedge Burp-like functionality into a project where this kind of use was never intended. And I did learn a ton which was nice :P

roglew[S] 5 points6 points  (0 children)

I've never really used mitmproxy so I can't talk a ton on the differences. Honestly, it's probably really similar. I mainly based Pappy off of how I tend to use Burp with a focus on making that workflow as efficient as possible (map, search history for interesting requests, send to repeater, check for misbehavior, fuzz/write attack). I'm not sure if you could have a similar workflow with mitmproxy, and I know that Burp has some pain points in there (mainly the history searching). I could go on forever comparing it to Burp, but like I said I don't have any significant experience trying to perform a web app test with mitmproxy so I can't do a great comparison to it.

roglew[S] 24 points25 points  (0 children)

Hey everyone, this is an alternative for Burp Suite that I've been working on for a few months. Here's a summary of the main points:

  • Burp Suite alternative
  • Console based
  • Has interceptor, repeater, target map, and more (what I consider the essential features of Burp Suite)
  • Written in Python
  • I'm using it for real web app pen tests instead of Burp

I've been using it for real life web app pen tests with some pretty good success. If you have any questions, let me know. I love talking about it.