The Pappy (Proxy Attack Proxy ProxY) Proxy is an intercepting proxy for performing web application security testing. Its features are often similar to, or straight-up rip-offs of, those in Burp Suite. However, Burp Suite is neither open source nor a command line tool, thus making a proxy like Pappy inevitable. The project is still in its early stages, so there are bugs and only the bare minimum features, but it should be able to do some cool stuff soon.
The command line interface allows you to focus on performing the test instead of breaking your train of thought by clicking around a GUI.
Pappy has the standard features of Burp Suite and supports a similar workflow to Burp Suite for manual testing. Map the site, find interesting requests, send them to repeater, and poke.
Pappy will stream data to the browser as it gets it instead of waiting for the full response to be downloaded first. This makes browsing through Pappy feel much faster than browsing through other proxies.
Pappy has a very powerful history search. By applying multiple filters in a row, you can continuously remove requests you don’t need from view. For example, you can find POST requests without a CSRF header in only 2 commands!
Pappy keeps everything related to a project (including proxy settings) contained in one directory. This makes switching between projects a breeze.
When creating automated attacks, Pappy prefers Python. Pappy allows you to generate the boilerplate for attack scripts so that you only have to write a few lines to perform scripted attacks.
Pappy supports OS X and Linux (sorry Windows). Installation requires pip or some other command that can handle a setup.py with requirements. Once the requirements are installed, you can check that it installed correctly by running pappy -l to start the proxy.
    $ git clone --recursive https://github.com/roglew/pappy-proxy.git
    $ cd pappy-proxy
    $ pip install .
Pappy projects take up an entire directory. Any generated scripts, exported responses, etc. will be placed in the current directory so it’s good to give your project a directory of its own. To start a project, do something like:
    $ mkdir test_project
    $ cd test_project
    $ pappy
    Copying default config to directory
    Proxy is listening on port 8000
    itsPappyTime> exit
    $ ls
    data.db project_config.json
    $
And that’s it! The proxy will by default be running on port 8000 and bound to localhost. You can modify the port/interface in config.json. You can list all your intercepted requests with ls, view a full request with vfq <reqid> or view a full response with vfs <reqid>. Right now, the only command to delete requests is filter_prune which deletes all the requests that aren’t in the current context (look at the sections on the context/filter strings for more information on that).
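The stacked-filter idea behind the history search and filter_prune, as an added example (not Pappy's code or its filter syntax): a small Python model over constructed request records, where two filters leave only the POST requests that lack a CSRF header. The header name X-CSRF-Token and every class and function name here are assumptions.

```python
# Added illustration: a minimal model of a stacked-filter "context" over
# proxy history. Names and data are constructed; this is not Pappy's API.
from dataclasses import dataclass, field

@dataclass
class Request:
    reqid: int
    verb: str
    path: str
    headers: dict = field(default_factory=dict)

    def has_header(self, name):
        # HTTP header names are case-insensitive
        return name.lower() in (k.lower() for k in self.headers)

class Context:
    """History plus a stack of filters; the view is what passes all of them."""
    def __init__(self, history):
        self.history = list(history)
        self.filters = []

    def add_filter(self, predicate):
        # Each new filter narrows the current view further
        self.filters.append(predicate)
        return self.view()

    def view(self):
        return [r for r in self.history if all(f(r) for f in self.filters)]

    def prune(self):
        """Drop everything outside the current view; return how many were removed."""
        kept = self.view()
        removed = len(self.history) - len(kept)
        self.history = kept
        return removed

# Constructed sample history
HISTORY = [
    Request(1, "GET", "/login"),
    Request(2, "POST", "/login", {"X-CSRF-Token": "abc"}),
    Request(3, "POST", "/account/email", {"Content-Type": "application/json"}),
    Request(4, "POST", "/transfer", {"x-csrf-token": "def"}),
    Request(5, "POST", "/profile/avatar"),
]

def posts_missing_csrf(history, header="X-CSRF-Token"):  # assumed header name
    ctx = Context(history)
    ctx.add_filter(lambda r: r.verb == "POST")              # filter 1
    ctx.add_filter(lambda r: not r.has_header(header))      # filter 2
    return ctx
```

Pruning in this model is destructive in the same way the text describes for filter_prune: anything outside the current view is gone afterwards, so check the view before pruning.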
If you don’t want to dirty up a directory, you can run Pappy in “lite” mode. Pappy will use the default configuration settings and will create a temporary data file in /tmp to use. When you quit, the file will be deleted. If you want to run Pappy in lite mode, run Pappy with either
    $ pappy -l
    Temporary datafile is /tmp/tmpw4mGv2
    Proxy is listening on port 8000
    pappy> quit
    Deleting temporary datafile
    $