xepor v0.6 releases: web routing framework for reverse engineers and security researchers

haxxmap

Xepor

Xepor (pronounced /ˈzɛfə/, zephyr), is a web routing framework for reverse engineers and security researchers. It provides a Flask-like API for hackers to intercept and modify HTTP request and/or HTTP response in a human-friendly coding style.

This project is meant to be used with mitmproxy. User write scripts with xepor, and run the script inside mitmproxy with mitmproxy -s your-script.py.

If you want to step from PoC to production, from demo(e.g. http-reply-from-proxy.pyhttp-trailers.pyhttp-stream-modify.py) to something you could take out with your WiFi Pineapple, then Xepor is for you!

Features

  1. Code everything with @api.route(), just like Flask! Write everything in one script and no if..else any more.
  2. Handle multiple URL routes, even multiple hosts in one InterceptedAPI instance.
  3. For each route, you can choose to modify the request before connecting to a server (or even return a fake response without connection to upstream), or modify the response before forwarding to a user.
  4. Blacklist mode or whitelist mode. Only allow URL endpoints defined in scripts to connect to upstream, blocking everything else (in a specific domain) with HTTP 404. Suitable for transparent proxying.
  5. Human-readable URL path definition and matching powered by parse
  6. Host remapping. define rules to redirect to genuine upstream from your fake hosts. Regex matching is supported. Best for SSL stripping and server-side license cracking!
  7. Plus all the bests from mitmproxyALL operation modes ( mitmproxy / mitmweb + regular / transparent / socks5 / reverse:SPEC / upstream:SPEC) are fully supported.

Use Case

  1. Evil AP and phishing through MITM.
  2. Sniffing traffic from the specific device by iptables + transparent proxy, modify the payload with xepor on the fly.
  3. Cracking cloud-based software license. See examples/krisp/ as an example.
  4. Write complicated web crawler in ~100 lines of codes. See examples/polyv_scrapper/ as an example.
  5. … and many more.

SSL stripping is NOT provided by this project.

Changelog v0.6

  • Feature: Automatically set --set connection_strategy=lazy when Xepor scripts are loaded. No need to manually set the options any more 🥳
  • Feature: Add {func}xepor.InterceptedAPI.load API for configuration before start. Check the documentation for usage details.

Install & Use

Copyright (C) 2022 ttimasdf