CapFuzz (Deprecated, use: https://github.com/MobSF/httptools)
Yet another HTTPS proxy to capture and fuzz web APIs. Tailor-made for fuzzing mobile app APIs and web services with a scriptable interface. CapFuzz is built on top of mitmproxy.
$ git clone https://github.com/MobSF/CapFuzz.git
$ cd CapFuzz
$ python setup.py install
$ capfuzz
usage: capfuzz [-h] [-m MODE] [-p PORT] [-n NAME]
optional arguments:
-h, --help show this help message and exit
-m MODE, --mode MODE Supported modes
1. capture: Capture requests.
2. fuzz: Run Fuzzing Server.
3. runfuzz: Fuzz on captured requests with default configuration.
4. intercept: Intercept and tamper the flow in live.
-p PORT, --port PORT Proxy Port
-n NAME, --name NAME Project Name
- Capture -
capfuzz -m capture
- Starts the HTTPS proxy on port 1337 by default.
- Install the Root CA cert available under capfuzz/ca in the browser or system.
- Intercept -
capfuzz -m intercept
- To fiddle with requests and responses live.
- Use: capfuzz/core/interceptor.py (the location is relative to where capfuzz is installed)
- Fuzz UI -
capfuzz -m fuzz
- Starts the Fuzzer Web UI for configuration and fuzzing: https://0.0.0.0:1337
- Fuzz -
capfuzz -m runfuzz
- Fuzz from the command line.