[Owasp-proxy] Interceptor

Martin Holst Swende martin at swende.se
Sun May 23 19:11:55 EDT 2010


Hi, 

I have published my proxy-UI on
http://martin.swende.se/hgwebdir.cgi/hatkit_proxy/ . It is still a bit
unpolished here and there, but it works and has these features:

* White/blacklisting. Anything 'passed' is treated by the proxy
(database, logging and intercept), anything not passed is streamed.
    * Whitelisting of domains (e.g. "sun.com, ru" => java.sun.com, and
evil.ru passes)
    * Whitelisting of networks ("10.0.2.2/14, 192.160.*")
    * Blacklisting of resources  (default:
"^[^?;!]*\\.(png|jpg|jpeg|gif|ico)$" )
* Interceptor
* Syntax highlighting (jflex-based)
    * Http traffic
    * 2-phases, the content type determines which lexer is used after
http. Currently only form data and html implemented, but I plan to add
json and xml as well.
* MongoDB storage (not required)
    * Stores http traffic into a MongoDB database. I selected it because
it is flexible (no fixed table definitions) and very fun (can perform
javascript dynamically inside the db and has great aggregation
functionality).

I call it the HATKit proxy, not to hide that it really is based on the
Owasp Proxy, but just because this proxy is a minor part of a suite I
call the HATkit (Http Analyser Toolkit), which is a python framework to
play with the data once it is stored in the MongoDB. That part is not
yet mature enough to show to the general public, though.

The interceptor does not show both requests and responses
simultaneously, pending how the previous discussions turn
out (about returning a handle). It is really only for developers as of
yet, since the owasp proxy needs a couple of modifications for it to run
(but those are quite apparent) and it is not packaged as a jar-file. So,
anyone NOT familiar with Owasp Proxy and Eclipse should wait a bit
longer before diving in... To set it up, configure it as an eclipse
project with Owasp proxy as a required project on the build path. Other
than that, there are no dependencies other than the mongodb-jarfile
which is in the libs-folder, but you don't have to install a mongodb to
run it if you don't want to capture the traffic.

I appreciate any feedback. Also, Rogan, if you want to incorporate any
bits into the Owasp proxy itself (e.g. the whitelist/blacklist stuff in
MultiplexingHttpRequestHandler), I'd be honored.

Regards,
Martin
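
The pass/stream decision described in the feature list above, sketched as an added example (not code from the HATKit proxy or the Owasp Proxy). The class name PassFilter, the label-boundary suffix match, the CIDR and trailing-wildcard handling, and the rule that a host passes when either whitelist matches are all assumptions; only the sample list values and the default blacklist regex come from the message.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration; PassFilter and its matching rules are assumptions, not HATKit code.
public class PassFilter {
    // Default resource blacklist quoted in the message (Java string-literal form).
    static final Pattern BLACKLIST = Pattern.compile("^[^?;!]*\\.(png|jpg|jpeg|gif|ico)$");

    // Suffix match on a label boundary, so "sun.com" covers java.sun.com but not notsun.com.
    static boolean domainAllowed(String host, List<String> domains) {
        String h = host.toLowerCase();
        for (String d : domains)
            if (h.equals(d) || h.endsWith("." + d)) return true;
        return false;
    }

    // Packs a dotted-quad IPv4 address into one int for mask comparison.
    static int toInt(String ip) {
        int v = 0;
        for (String octet : ip.split("\\.")) v = (v << 8) | Integer.parseInt(octet);
        return v;
    }

    // Accepts CIDR ("10.0.2.2/14", host bits are masked off) or a prefix wildcard ("192.160.*").
    static boolean networkAllowed(String ip, List<String> nets) {
        for (String n : nets) {
            if (n.endsWith("*")) {
                if (ip.startsWith(n.substring(0, n.length() - 1))) return true;
            } else {
                String[] p = n.split("/");
                int bits = p.length > 1 ? Integer.parseInt(p[1]) : 32;
                int mask = bits == 0 ? 0 : -1 << (32 - bits);
                if ((toInt(ip) & mask) == (toInt(p[0]) & mask)) return true;
            }
        }
        return false;
    }

    // true: handled by the proxy (database, logging, intercept); false: streamed.
    static boolean passed(String host, String ip, String resource, List<String> d, List<String> n) {
        return (domainAllowed(host, d) || networkAllowed(ip, n)) && !BLACKLIST.matcher(resource).find();
    }

    public static void main(String[] args) {  // constructed sample requests: host, ip, resource
        List<String> d = List.of("sun.com", "ru"), n = List.of("10.0.2.2/14", "192.160.*");
        String[][] reqs = {{"java.sun.com", "203.0.113.7", "/index.html"},
            {"evil.ru", "203.0.113.8", "/logo.png"}, {"intranet", "10.3.9.9", "/logo.png?id=1"},
            {"example.org", "198.51.100.1", "/"}};
        for (String[] r : reqs)
            System.out.println(String.join(" ", r) + " -> " + (passed(r[0], r[1], r[2], d, n) ? "passed" : "streamed"));
    }
}
```

The default regex is case-sensitive and its `[^?;!]*` prefix cannot cross a query or parameter delimiter, so an image URL carrying a query string is not blacklisted and is still captured.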

