alufers/mitmproxy2swagger: Automagically reverse-engineer REST APIs via capturing traffic

2025-01-02 03:08:00
github.com

video.mp4

A tool for automatically converting mitmproxy captures to OpenAPI 3.0 specifications. This means that you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.

🆕 NEW!

Added support for processing HAR exported from the browser DevTools. See Usage – HAR for more details.

First you will need python3 and pip3.

$ pip install mitmproxy2swagger
# ... or ...
$ pip3 install mitmproxy2swagger
# ... or ...
$ git clone git@github.com:alufers/mitmproxy2swagger.git
$ cd mitmproxy2swagger
$ docker build -t mitmproxy2swagger .

Then clone the repo and run mitmproxy2swagger as per examples below.

To create a specification by inspecting HTTP traffic you will need to:

Capture the traffic by using the mitmproxy tool. I personally recommend using mitmweb, which is a web interface built-in to mitmproxy.
```
$ mitmweb
Web server listening at http://127.0.0.1:8081/
Proxy server listening at http://*:9999
...
```
IMPORTANT

To configure your client to use the proxy exposed by mitm proxy, please consult the mitmproxy documentation for more information.
Save the traffic to a flow file.

In mitmweb you can do this by using the “File” menu and selecting “Save”:
Run the first pass of mitmproxy2swagger:
```
$ mitmproxy2swagger -i path_to_mitmptoxy_flow> -o path_to_output_schema> -p api_prefix>
# ... or ...
$ docker run -it -v $PWD:/app mitmproxy2swagger mitmproxy2swagger -i path_to_mitmptoxy_flow> -o path_to_output_schema> -p api_prefix>
```
Please note that you can use an existing schema, in which case the existing schema will be extended with the new data. You can also run it a few times with different flow captures, the captured data will be safely merged.

is the base url of the API you wish to reverse-engineer. You will need to obtain it by observing the requests being made in mitmproxy.

For example if an app has made requests like these:
```
https://api.example.com/v1/login
https://api.example.com/v1/users/2
https://api.example.com/v1/users/2/profile
```
The likely prefix is https://api.example.com/v1.

Running the first pass should have created a section in the schema file like this:

x-path-templates:
  # Remove the ignore: prefix to generate an endpoint with its URL
  # Lines that are closer to the top take precedence, the matching is greedy
  - ignore:/addresses
  - ignore:/basket
  - ignore:/basket/add
  - ignore:/basket/checkouts
  - ignore:/basket/coupons/attach/{id}
  - ignore:/basket/coupons/attach/104754

You should edit the schema file with a text editor and remove the ignore: prefix from the paths you wish to be generated. You can also adjust the parameters appearing in the paths.

Run the second pass of mitmproxy2swagger:
```
$ mitmproxy2swagger -i path_to_mitmptoxy_flow> -o path_to_output_schema> -p api_prefix> [--examples]
# ... or ...
$ docker run -it -v $PWD:/app mitmproxy2swagger mitmproxy2swagger -i path_to_mitmptoxy_flow> -o path_to_output_schema> -p api_prefix> [--examples]
```
Run the command a second time (with the same schema file). It will pick up the edited lines and generate endpoint descriptions.

Please note that mitmproxy2swagger will not overwrite existing endpoint descriptions, if you want to overwrite them, you can delete them before running the second pass.

Passing --examples will add example data to requests and responses. Take caution when using this option, as it may add sensitive data (tokens, passwords, personal information etc.) to the schema.
Passing --headers will add headers data to requests and responses. Take caution when using this option, as it may add sensitive data (tokens, passwords, personal information etc.) to the schema.

Capture and export the traffic from the browser DevTools.

In the browser DevTools, go to the Network tab and click the “Export HAR” button.
Continue the same way you would do with the mitmproxy dump. mitmproxy2swagger will automatically detect the HAR file and process it.

See the examples. You will find a generated schema there and an html file with the generated documentation (via redoc-cli).

See the generated html file here.

Development and contributing

This project uses:

To install the dependencies:

Run linters:

pre-commit run --all-files

Install pre-commit hooks:

Run tests:

Run tests with coverage:

poetry run pytest --cov=mitmproxy2swagger

MIT

Source Link

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Start your free Amazon Prime trial
today and unlock unlimited streaming and more!

Support Techcratic

If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.

Bitcoin Address:

bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge

Please verify this address before sending funds.