ghost-proxy

Reaper MITM Proxy

Reaper is a CLI-based MITM HTTPS proxy for application security testing. It intercepts, logs, and allows inspection of HTTP/HTTPS traffic flowing through it. Use it to capture live request/response pairs for security validation.

Prerequisites

Before using any reaper command, make sure the latest version of the binary is installed:

```bash
curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash
```

All `reaper` commands in this document should be invoked as `~/.ghost/bin/reaper` unless `~/.ghost/bin` is on `PATH`.

Quick Reference

| Command | Purpose |
|---------|---------|
| `reaper start --domains example.com` | Start proxy (foreground) |
| `reaper start --domains example.com -d` | Start proxy (daemon) |
| `reaper logs` | Show recent captured entries |
| `reaper search --method POST --path /api/*` | Search captured traffic |
| `reaper get <id>` | Show full request + response |
| `reaper req <id>` | Show raw HTTP request only |
| `reaper res <id>` | Show raw HTTP response only |
| `reaper stop` | Stop the daemon |

Starting the Proxy

Start reaper scoped to the target domain(s). At least one `--domains` or `--hosts` flag is required.

```bash
# Intercept all traffic to example.com and its subdomains
reaper start --domains example.com

# Multiple domains
reaper start --domains example.com,api.internal.co

# Exact hostname matching
reaper start --hosts api.example.com

# Both domain suffix and exact host matching
reaper start --domains example.com --hosts special.internal.co

# Custom port (default: 8443)
reaper start --domains example.com --port 9090

# Run as background daemon
reaper start --domains example.com -d
```

**Scope behavior**:
- `--domains`: Suffix match. `example.com` matches `example.com`, `api.example.com`, `sub.api.example.com`
- `--hosts`: Exact match. `api.example.com` matches only `api.example.com`
- Traffic outside scope passes through transparently without logging
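To make the two matching rules concrete, here is an added Python example (not reaper's own code) that decides whether a request host is in scope for a given `--domains` / `--hosts` combination and whether the proxy would intercept or pass it through. The `Scope`, `in_scope` and `route` names are this example's own. One point the document does not settle is whether the suffix match honours label boundaries; the example assumes it does, so `notexample.com` stays out of a scope of `example.com`, which is the behaviour to confirm against the real proxy before relying on it.

```python
"""Scope decision for a reaper-style MITM proxy: --domains (suffix) vs --hosts (exact).

Added illustration, not reaper's own code. It follows the scope rules quoted in the
document; the label-boundary handling for --domains is an assumption (see in_scope).
"""
from dataclasses import dataclass


def _split_flag(value):
    """Split a comma-separated CLI flag value such as 'example.com,api.internal.co'."""
    return frozenset(v.strip().lower().rstrip(".") for v in value.split(",") if v.strip())


@dataclass(frozen=True)
class Scope:
    domains: frozenset = frozenset()   # --domains values: suffix match
    hosts: frozenset = frozenset()     # --hosts values: exact match

    @classmethod
    def from_flags(cls, domains="", hosts=""):
        """Build a scope from the raw flag strings; at least one of them must be given."""
        scope = cls(domains=_split_flag(domains), hosts=_split_flag(hosts))
        if not scope.domains and not scope.hosts:
            raise ValueError("at least one --domains or --hosts value is required")
        return scope


def _normalize(host):
    """Lower-case, drop a trailing dot and a 'host:port' port (IPv6 literals are left alone)."""
    host = host.strip().lower()
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def in_scope(host, scope):
    """True when the request's host should be intercepted and logged.

    --hosts  : exact match only.
    --domains: the host is the domain itself or ends with '.' + domain. Matching on a
               label boundary is an assumption of this example; it keeps 'notexample.com'
               out of a scope of 'example.com', which a bare endswith() would let in.
    """
    h = _normalize(host)
    if h in scope.hosts:
        return True
    return any(h == d or h.endswith("." + d) for d in scope.domains)


def route(host, scope):
    """Mirror the documented behaviour: in-scope traffic is intercepted, the rest passes through."""
    return "intercept" if in_scope(host, scope) else "passthrough"


if __name__ == "__main__":
    scope = Scope.from_flags(domains="example.com", hosts="special.internal.co")
    for h in ["example.com", "sub.api.example.com:443", "special.internal.co", "notexample.com"]:
        print(f"{h:28} -> {route(h, scope)}")
```

The port-stripping step matters in practice: a CONNECT request carries `host:port`, and a scope check that forgets to strip the port silently passes every HTTPS host through.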

Routing Traffic Through the Proxy

Configure the HTTP client to use the proxy. The default listen address is `localhost:8443`.

```bash
# curl

# Environment variables (works with many tools)
export http_proxy=http://localhost:8443
export https_proxy=http://localhost:8443
```

Python requests:

```python
import requests

# Route both plain HTTP and HTTPS through the proxy; verify=False accepts the
# CA that reaper generates at startup, so the intercepted TLS session is not rejected.
requests.get(
    "https://api.example.com/endpoint",
    proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"},
    verify=False,
)
```

The `-k` / `verify=False` flag is needed because reaper generates its own CA certificate at startup for MITM TLS interception.

Viewing Captured Traffic

Recent Entries

```bash
# Show last 50 entries (default)
reaper logs

# Show last 200 entries
reaper logs -n 200
```

Output columns: `ID`, `METHOD`, `HOST`, `PATH`, `STATUS`, `MS`, `REQ` (request body size), `RES` (response body size).

Searching

```bash
# By HTTP method
reaper search --method POST

# By host (supports * wildcard)
reaper search --host *.api.example.com

# By domain suffix
reaper search --domains example.com

# By path prefix (supports * wildcard)
reaper search --path /api/v3/transfer

# By status code
reaper search --status 200

# Combined filters
reaper search --method POST --path /api/v3/* --status 200 -n 50
```
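As an added example (not reaper's code), the following Python applies the same five filters to a constructed list of captured entries, using the column names the document gives for `reaper logs`. The matching semantics are assumptions of this example: a value containing `*` is treated as a glob via `fnmatch`, `--path` without a wildcard is a prefix match as the document describes, `--domains` is the suffix rule from the scope section, and `-n` keeps the most recent matches.

```python
"""Filtering captured entries the way the documented `reaper search` flags do.

Added illustration, not reaper's own code. ENTRIES is a constructed sample; the
matching rules below (glob for '*', prefix for a plain --path) are assumptions.
"""
from fnmatch import fnmatchcase

# Constructed sample of captured entries, keyed by the `reaper logs` column names.
ENTRIES = [
    {"id": 40, "method": "GET",  "host": "www.example.com",    "path": "/",                  "status": 200, "ms": 12,  "req": 0,   "res": 5120},
    {"id": 41, "method": "POST", "host": "api.example.com",    "path": "/api/v3/login",      "status": 200, "ms": 88,  "req": 64,  "res": 310},
    {"id": 42, "method": "POST", "host": "api.example.com",    "path": "/api/v3/transfer",   "status": 200, "ms": 140, "req": 128, "res": 96},
    {"id": 43, "method": "POST", "host": "eu.api.example.com", "path": "/api/v3/transfer",   "status": 403, "ms": 9,   "req": 128, "res": 41},
    {"id": 44, "method": "GET",  "host": "api.internal.co",    "path": "/api/v2/accounts/7", "status": 200, "ms": 30,  "req": 0,   "res": 880},
]


def _host_matches(host, pattern):
    # '*' glob when present, otherwise an exact (case-insensitive) host comparison.
    return fnmatchcase(host.lower(), pattern.lower())


def _path_matches(path, pattern):
    # The document calls --path a prefix filter; a '*' switches to glob matching.
    if "*" in pattern:
        return fnmatchcase(path, pattern)
    return path.startswith(pattern)


def _domain_matches(host, domain):
    # Same suffix rule as --domains at start-up: the domain itself or any subdomain.
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def search(entries, method=None, host=None, path=None, domains=None, status=None, n=50):
    """Apply the filters `reaper search` exposes; every supplied filter must hold (AND).

    Returns the last n matches, i.e. the most recent ones; which end of the log reaper
    itself keeps for -n is not stated in the document, so treat this as an assumption.
    """
    out = []
    for e in entries:
        if method is not None and e["method"].upper() != method.upper():
            continue
        if host is not None and not _host_matches(e["host"], host):
            continue
        if path is not None and not _path_matches(e["path"], path):
            continue
        if domains is not None and not any(_domain_matches(e["host"], d) for d in domains.split(",")):
            continue
        if status is not None and e["status"] != int(status):
            continue
        out.append(e)
    return out[-n:]


def ids(entries):
    """Just the IDs, the value you feed to `reaper get <id>`."""
    return [e["id"] for e in entries]


if __name__ == "__main__":
    print(ids(search(ENTRIES, method="POST", path="/api/v3/*", status=200, n=50)))
```

One consequence of glob semantics worth knowing when a search comes back empty: `*.api.example.com` does not match the bare `api.example.com`, so a host search for "the API and its regional subdomains" needs `--domains api.example.com` (suffix rule) rather than a leading `*.`.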

Inspecting Individual Entries

```bash
# Full request and response (raw HTTP)
reaper get 42

# Request only
reaper req 42

# Response only
reaper res 42
```

Output is raw HTTP/1.1 format including headers and body, suitable for analysis or replay.
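Because the output is raw HTTP/1.1, it can be parsed for analysis without a proxy UI. The Python below is an added example, not part of reaper: it splits a captured message into start line, headers and body, decodes a chunked body, and flags a Content-Length mismatch (a truncated capture) instead of silently returning a short body. The sample request and response are constructed to look like `reaper req 42` / `reaper res 42` output; `HttpMessage`, `parse_http` and `parse_or_error` are this example's own names.

```python
"""Parse the raw HTTP/1.1 text that `reaper req <id>` / `reaper res <id>` print.

Added illustration, not reaper's own code. The sample messages are constructed.
Chunked decoding assumes the CRLF framing of RFC 9112; header/body separation
accepts either CRLF or bare LF, since tooling often normalises line endings.
"""
from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: str      # request line or status line
    headers: dict        # names lower-cased; a repeated header keeps its last value
    body: bytes
    is_request: bool

    @property
    def method(self):
        return self.start_line.split(" ")[0] if self.is_request else None

    @property
    def path(self):
        return self.start_line.split(" ")[1] if self.is_request else None

    @property
    def status(self):
        return None if self.is_request else int(self.start_line.split(" ")[1])


def _dechunk(raw):
    """Decode a Transfer-Encoding: chunked body; raises ValueError on malformed framing."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)   # chunk-size, ignoring extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2


def parse_http(raw):
    """Split a raw HTTP/1.1 message into start line, headers and (decoded) body."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = head.decode("iso-8859-1").splitlines()
    if not lines:
        raise ValueError("empty message")
    start_line, headers = lines[0], {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    is_request = not start_line.startswith("HTTP/")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = _dechunk(body)
    elif "content-length" in headers:
        declared = int(headers["content-length"])
        if len(body) != declared:   # a truncated capture should be visible, not silent
            raise ValueError(f"Content-Length {declared} but body has {len(body)} bytes")
    return HttpMessage(start_line, headers, body, is_request)


def parse_or_error(raw):
    """(message, None) on success, (None, reason) when the capture does not parse cleanly."""
    try:
        return parse_http(raw), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample, shaped like `reaper req 42` output for a captured POST.
SAMPLE_REQUEST = (
    b"POST /api/v3/transfer HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Content-Type: application/json\r\n"
    b"Authorization: Bearer <redacted>\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b'{"to":"acct-7","amount":5}'
)

# Constructed sample, shaped like `reaper res 42` output with a chunked body.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"b\r\n{\"ok\":true}\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    req = parse_http(SAMPLE_REQUEST)
    print(req.method, req.path, req.headers["host"], req.body)
    print(parse_or_error(SAMPLE_REQUEST[:-5])[1])   # truncated body is reported
```

The Content-Length check is the part that earns its keep when captures are used as evidence: a body that is shorter than the header declares usually means the capture, not the application, is at fault, and replaying it would test something other than what was observed.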

Stopping the Proxy

```bash
reaper stop
```

Common Workflows

Validate a Security Finding

When used with the `validate` skill (may need to collaborate with the user to set up the test environment):

1. Start reaper scoped to the application domain
2. Verify traffic is being captured by running `reaper logs`: at least one entry should appear after routing a test request through the proxy
3. If no entries appear, verify proxy settings and domain scope match the target
4. Authenticate (or ask the user to authenticate) as a normal user and exercise the vulnerable endpoint legitimately
5. Search for the captured request to understand the expected request format
6. Craft and send a malicious request that exercises the exploit described in the finding
7. Inspect the response to determine if the exploit succeeded
8. Use `reaper get <id>` to capture the full request/response as evidence

Data Storage

All data is stored in `~/.reaper/`:

- `reaper.db` - SQLite database with captured entries
- `reaper.sock` - Unix socket for CLI-to-daemon IPC
- `reaper.pid` - Daemon process ID

The CA certificate is generated fresh in memory on each start and is not persisted.