Xepor, a web routing framework for reverse engineers and security researchers.
Project description
Xepor
Xepor (pronounced /ˈzɛfə/, zephyr) is a web routing framework for reverse engineers and security researchers. It provides a Flask-like API for hackers to intercept and modify HTTP requests and/or HTTP responses in a human-friendly coding style.
This project is meant to be used with mitmproxy. Users write scripts with xepor, and run the script inside mitmproxy with mitmproxy -s your-script.py.
If you want to step from PoC to production, from demo(e.g. http-reply-from-proxy.py, http-trailers.py, http-stream-modify.py) to something you could take out with your WiFi Pineapple, then Xepor is for you!
Features
- Code everything with
@api.route(), just like Flask! Write everything in one script and noif..elseany more. - Handle multiple URL routes, even multiple hosts in one
InterceptedAPIinstance. - For each route, you can choose to modify the request before connecting to server (or even return a fake response without connection to upstream), or modify the response before forwarding to user.
- Blacklist mode or whitelist mode. Only allow URL endpoints defined in scripts to connect to upstream, blocking everything else (in specific domains) with HTTP 404. Suitable for transparent proxying.
- Human readable URL path definition and matching powered by parse
- Host remapping. define rules to redirect to genuine upstream from your fake hosts. Regex matching is supported. Best for SSL stripping and server-side license cracking!
- Plus all the bests from mitmproxy! ALL operation modes (
mitmproxy/mitmweb+regular/transparent/socks5/reverse:SPEC/upstream:SPEC) are fully supported.
Use Case
- Evil AP and phishing through MITM.
- Sniffing traffic from target device by iptables + transparent proxy, modify the payload with xepor on the fly.
- Cracking cloud-based software license. See examples/krisp/ as an example.
- Write a complicated web crawler in ~100 lines of code. See examples/polyv_scrapper/ as an example.
- ... and many more.
SSL stripping is NOT provided by this project.
Installation
pip install xepor
Quick start
Take the script from examples/httpbin as an example.
mitmweb -s example/httpbin/httpbin.py
Set your Browser HTTP Proxy to http://127.0.0.1:8080, and access the web interface at http://127.0.0.1:8081/.
Send a GET request from http://httpbin.org/#/HTTP_Methods/get_get , Then you could see the modification made by Xepor in mitmweb interface, browser dev tools or Wireshark.
The httpbin.py do two things.
- When user access http://httpbin.org/get, inject a query string parameter
payload=evil_paraminside HTTP request. - When user access http://httpbin.org/basic-auth/xx/xx/ (we just pretend we don't know the password), sniff
Authorizationheaders from HTTP requests and print the password to the attacker.
Just what mitmproxy always does, but with code written in xepor way.
# https://github.com/xepor/xepor-examples/tree/main/httpbin/httpbin.py
from mitmproxy.http import HTTPFlow
from xepor import InterceptedAPI, RouteType
HOST_HTTPBIN = "httpbin.org"
api = InterceptedAPI(HOST_HTTPBIN)
@api.route("/get")
def change_your_request(flow: HTTPFlow):
"""
Modify URL query param.
Test at:
http://httpbin.org/#/HTTP_Methods/get_get
"""
flow.request.query["payload"] = "evil_param"
@api.route("/basic-auth/{usr}/{pwd}", rtype=RouteType.RESPONSE)
def capture_auth(flow: HTTPFlow, usr=None, pwd=None):
"""
Sniffing password.
Test at:
http://httpbin.org/#/Auth/get_basic_auth__user___passwd_
"""
print(
f"auth @ {usr} + {pwd}:",
f"Captured {'successful' if flow.response.status_code < 300 else 'unsuccessful'} login:",
flow.request.headers.get("Authorization", ""),
)
addons = [api]
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
