Intercepting Proxy for Performing Web Application Security Testing: The Pappy Proxy

ID N0WHERE:76100
Type n0where
Reporter N0where
Modified 2016-09-06T16:55:24


Intercepting Proxy for Performing Web application security testing

The Pappy ( P roxy A ttack P roxy P rox Y ) Proxy is an intercepting proxy for performing web application security testing. Its features are often similar, or straight up rippoffs from Burp Suite . However, Burp Suite is neither open source nor a command line tool, thus making a proxy like Pappy inevitable. The project is still in its early stages, so there are bugs and only the bare minimum features, but it should be able to do some cool stuff soon


  • Command Line Interface

The command line interface allows you to focus on performing the test instead of breaking your train of thought by clicking around a GUI.

  • New Interface, Familiar Workflow

Pappy has the standard features of Burp Suite and supports a similar workflow to Burp Suite for manual testing. Map the site, find interesting requests, send them to repeater, and poke.

  • Response Streaming

Pappy will stream data to the browser as it gets it instead of waiting for the full response to be downloaded first. This makes browsing through Pappy feel much faster than browsing through other proxies.

  • Powerful History Search

Pappy has a very powerful history search. By applying multiple filters in a row, you can continuously remove requests you don’t need from view. For example, you can find POST requests without a CSRF header in only 2 commands!

  • Self-Contained Project Directory

Pappy keeps everything related to a project (including proxy settings) contained in one directory. This makes switching between projects a breeze.

  • Python Macros

When creating automated attacks, Pappy prefers Python. Pappy allows you to generate the boilerplate for attack scripts so that you only have to write a few lines to perform scripted attacks.

The Pappy Proxy


Pappy supports OS X and Linux (sorry Windows). Installation requires pip or some other command that can handle a with requirements. Once the requirements are installed, you can check that it installed correctly by running pappy -l to start the proxy.

$ git clone --recursive
$ cd pappy-proxy
$ pip install .


Pappy projects take up an entire directory. Any generated scripts, exported responses, etc. will be placed in the current directory so it’s good to give your project a directory of its own. To start a project, do something like:

$ mkdir test_project
$ cd test_project 
$ pappy
Copying default config to directory
Proxy is listening on port 8000
itsPappyTime> exit
$ ls
data.db      project_config.json

And that’s it! The proxy will by default be running on port 8000 and bound to localhost . You can modify the port/interface in config.json . You can list all your intercepted requests with ls , view a full request with vfq <reqid> or view a full response with vfs <reqid> . Right now, the only command to delete requests is filter_prune which deletes all the requests that aren’t in the current context (look at the sections on the context/filter strings for more information on that).

Lite Mode

If you don’t want to dirty up a directory, you can run Pappy in “lite” mode. Pappy will use the default configuration settings and will create a temporary data file in /tmp to use. When you quit, the file will be deleted. If you want to run Pappy in lite mode, run Pappy with either -l or --lite .


$ pappy -l
Temporary datafile is /tmp/tmpw4mGv2
Proxy is listening on port 8000
pappy> quit
Deleting temporary datafile

Intercepting Proxy for Performing Web application security testing: The Pappy Proxy

Intercepting Proxy for Performing Web application security testing: The Pappy Proxy Download