Stories with Tag Proxy

• Show HN: Zxc – Rust TLS proxy with tmux and Vim as UI, BurpSuite alternative

  permalink

  Posted: 2025-04-03 12:41:10

  Verbose tl;dr

  Zxc is a Rust-based TLS proxy designed as a Burp Suite alternative, featuring a unique terminal-based UI built with tmux and Vim. It aims to provide a streamlined and efficient intercepting proxy experience within a familiar text-based environment, leveraging the power and customizability of Vim for editing HTTP requests and responses. Zxc intercepts and displays TLS traffic, allowing users to inspect and modify it directly within their terminal workflow. This approach prioritizes speed and a minimalist, keyboard-centric workflow for security professionals comfortable with tmux and Vim.

  This Hacker News post introduces "zxc," an open-source TLS proxy written in Rust. It aims to be a more streamlined and performant alternative to tools like Burp Suite, specifically targeting users who prefer a terminal-based workflow. Unlike traditional graphical intercepting proxies, zxc utilizes tmux for its window management and Vim as its primary interface for interacting with HTTP requests and responses. This approach eschews the complexities and potential performance overhead of a GUI, offering a lightweight and potentially faster experience.

  The project leverages the Rust programming language for its performance characteristics and memory safety, which are crucial for handling potentially malicious network traffic. The integration with tmux allows for a multi-pane layout within the terminal, presumably enabling simultaneous views of intercepted requests, responses, and potentially other relevant information. Vim serves as the core interaction point, allowing users to directly edit HTTP requests and responses within a familiar text editor environment. This presumably includes the ability to modify headers, body content, and other parameters before forwarding the request or returning the response.

  Zxc appears to be targeted toward security professionals and developers who are comfortable working within a terminal environment and prefer the efficiency and customizability offered by tools like tmux and Vim. While it aims to provide similar functionality to established intercepting proxies, its unique UI differentiates it and potentially offers a more efficient workflow for those accustomed to a terminal-based approach. The Rust implementation suggests a focus on performance and stability, which are important considerations for a tool dealing with potentially sensitive network data. The project is open-source and available on GitHub, encouraging community contributions and further development.

  • Rust
  • TLS
  • Proxy
  • Tmux
  • vim
  • BurpSuite
  • Security
  • networking
  • Penetration Testing
  • hacking
  • command-line
  • terminal
  • Open Source
  • cli
  • network security
  • Cybersecurity

  Summary of Comments ( 5 )
  https://news.ycombinator.com/item?id=43568771

  Verbose tl;dr

  Hacker News users generally expressed interest in zxc, praising its novel approach to TLS interception and debugging. Several commenters appreciated the use of familiar tools like tmux and vim for the UI, finding it a refreshing alternative to more complex, dedicated tools like Burp Suite. Some raised concerns about performance and scalability compared to established solutions, while others questioned the practical benefits over existing, feature-rich alternatives. A few commenters expressed a desire for additional features like WebSocket support. Overall, the project was seen as an intriguing experiment with potential, though some skepticism remained regarding its real-world viability and competitiveness.

  The Hacker News post about ZXC, a Rust TLS proxy with a tmux and Vim UI presented as a Burp Suite alternative, generated a moderate amount of discussion with a mix of interest and skepticism.

  Several commenters expressed intrigue at the project's novel approach to using familiar tools like tmux and Vim for a task typically handled by dedicated GUI applications. They saw potential in leveraging the power and flexibility of these tools for intercepting and manipulating network traffic. Some expressed interest in trying it out and appreciated the developer sharing their work.

  However, a recurring theme among the comments was skepticism about the practicality and usability of ZXC compared to established tools like Burp Suite. Commenters pointed out the steep learning curve associated with tmux and Vim, particularly for users unfamiliar with those tools. They questioned whether the benefits of using these tools outweigh the added complexity and potentially slower workflow compared to a purpose-built GUI application.

  Some commenters raised concerns about the efficiency of navigating and manipulating complex requests and responses within a text-based interface. They argued that a visual representation, as provided by Burp Suite, is often crucial for understanding and modifying data effectively. The ability to quickly identify and manipulate specific elements within requests and responses, potentially using point-and-click interactions, was highlighted as a key advantage of GUI tools.

  The discussion also touched upon the potential benefits of using Rust for this type of application, with commenters acknowledging the language's performance and memory safety characteristics. However, this did not entirely offset the concerns about the UI/UX choices.

  Overall, the comments reveal a mixed reception to ZXC. While some appreciate the ingenuity and potential of using tmux and Vim for this task, many remain unconvinced about its practical usability compared to established GUI-based alternatives. The comments suggest that while the project is interesting from a technical perspective, it might face challenges in gaining widespread adoption due to its reliance on tools with a steeper learning curve and potentially less efficient workflows for this specific use case.

• I-cant-believe-its-not-webusb: Hacking around lack of WebUSB support in Firefox

  permalink

  Posted: 2025-03-14 08:36:08

  Verbose tl;dr

  This project demonstrates a workaround for Firefox's lack of WebUSB support by leveraging its native messaging capabilities. A small native application acts as a bridge, receiving commands from a web page via native messaging and interacting directly with USB devices. The web page communicates with this intermediary application using a custom, WebUSB-like JavaScript API, effectively emulating WebUSB functionality within Firefox. This allows web developers to write code that interacts with USB devices in a consistent manner across browsers, handling the Firefox difference behind the scenes.

  This GitHub project, "I-can't-believe-it's-not-WebUSB," addresses the frustration of Firefox users who want to interact with USB devices directly from web pages but are hampered by the browser's lack of WebUSB support. The project implements a workaround, not a true implementation of WebUSB, by leveraging Firefox's existing support for the serial API. Essentially, it acts as a bridge between a web page and a connected USB device.

  The core functionality revolves around a native messaging host application. This small program, written in Python, runs outside the browser and has direct access to the system's USB devices. On the web page side, a JavaScript library communicates with this native host using the browser's native messaging capabilities. When a web page needs to interact with a USB device, the JavaScript library formats the request and sends it as a message to the native host.

  The native host receives this message, parses the requested action, and then uses the pyusb library in Python to carry out the interaction with the specified USB device. The result of this interaction, whether it's data read from the device or a confirmation of a write operation, is then packaged into a response message and sent back to the JavaScript library in the browser. The library then makes this data available to the web page.

  This setup effectively circumvents the absence of WebUSB in Firefox. While it doesn't offer the same level of integration or security as a native WebUSB implementation, it provides a functional alternative for developers who need to access USB devices from Firefox. The project focuses specifically on USB CDC-ACM devices (Communication Device Class - Abstract Control Model), which are commonly used for serial communication, essentially treating the USB device as a virtual serial port. Therefore, its applicability is primarily for devices that use this communication standard. The reliance on a separate native host application adds a layer of complexity compared to the seamless experience offered by WebUSB in supporting browsers, but provides a practical, albeit somewhat cumbersome, solution for interacting with USB devices from Firefox.

  • WebUSB
  • Firefox
  • hacking
  • Workaround
  • USB
  • browser compatibility
  • javascript
  • Web Development
  • Serial Communication
  • Device Access
  • UserSpace Driver
  • Proxy

  Summary of Comments ( 98 )
  https://news.ycombinator.com/item?id=43360642

  Verbose tl;dr

  Hacker News commenters generally expressed frustration with Firefox's lack of WebUSB support, echoing the author's sentiments. Some pointed out that the Mozilla Developer Network (MDN) documentation misleadingly suggests WebUSB is supported, while others shared workarounds and alternative solutions, including using Chrome or a native messaging host. A few commenters questioned the security implications of granting websites access to USB devices, highlighting potential vulnerabilities. The complexity of adding WebUSB support in Firefox was also discussed, citing issues like sandboxing and driver interaction as potential roadblocks. One commenter offered a personal anecdote about the challenges of debugging WebUSB issues due to inconsistent browser implementations.

  The Hacker News post "I-cant-believe-its-not-webusb: Hacking around lack of WebUSB support in Firefox" has generated a moderate discussion with several insightful comments focusing on the workaround presented, the complexities of WebUSB implementation, and potential security concerns.

  One commenter points out the inherent irony and difficulty of making this kind of workaround secure. They highlight the potential for abuse if a malicious webpage could hijack the native messaging host, essentially defeating the purpose of the security sandbox. This comment raises a critical issue with the approach, suggesting that despite the cleverness, the security implications might outweigh the benefits.

  Another user discusses the intricacies of WebUSB support and speculates on the reasons behind Firefox's decision not to fully implement it. They mention that WebUSB requires significant effort to implement securely and maintain, possibly posing challenges for browser vendors. They also touch upon the limitations of the workaround, particularly regarding access to isochronous endpoints which are crucial for certain USB devices like audio interfaces. This comment offers valuable context for understanding the technical hurdles involved in WebUSB implementation.

  A different comment highlights the lack of detailed error messages in WebUSB, making debugging difficult for developers. This practical observation emphasizes the challenges faced by those working with WebUSB and hoping to integrate it into their applications.

  One commenter also explores alternative approaches for cross-browser USB device access. They suggest WebHID and Web Serial as potentially viable options depending on the specific use case, offering practical alternatives to WebUSB.

  Finally, a participant expresses their support for projects like this that attempt to bridge the gap in functionality between different browsers. They acknowledge the inherent challenges in maintaining such workarounds but appreciate the effort to provide a more unified experience for web developers.

  In summary, the discussion revolves around the practicality, security implications, and technical challenges associated with the proposed WebUSB workaround. Commenters acknowledge the cleverness of the approach while also raising important concerns about its long-term viability and security. They offer alternative solutions and insights into the complexities of WebUSB implementation, providing a balanced perspective on the topic.

• Httptap: View HTTP/HTTPS requests made by any Linux program

  permalink

  Posted: 2025-02-03 16:28:45

  Verbose tl;dr

  Httptap is a command-line tool for Linux that intercepts and displays HTTP and HTTPS traffic generated by any specified program. It works by injecting a dynamic library into the target process, allowing it to capture requests and responses before they reach the network stack. This provides a convenient way to observe the HTTP communication of applications without requiring proxies or modifying their source code. Httptap presents the captured data in a human-readable format, showing details like headers, body content, and timing information.

  httptap is a command-line utility for Linux systems that allows users to intercept and inspect HTTP and HTTPS traffic generated by any specified program. It functions as a specialized proxy server, sitting between the target application and its intended destination server. When a program makes an HTTP or HTTPS request, httptap intercepts it, displays detailed information about the request in the terminal, and then forwards the request to the original destination server. The response from the server is then relayed back to the application, allowing it to function normally while providing the user with full visibility into the network communication.

  The information displayed by httptap includes various crucial details about each request and response. For requests, this includes the HTTP method (GET, POST, PUT, etc.), the full URL, headers, and the request body (if present). For responses, httptap displays the HTTP status code, headers, and the complete response body. This comprehensive view allows developers and users to debug network issues, analyze API interactions, understand how applications communicate with servers, and even modify requests or responses (although this functionality is not explicitly mentioned in the core documentation and might require additional tools or scripting).

  httptap works by leveraging the LD_PRELOAD environment variable in Linux. This allows it to inject a shared library into the target application's process. This library overrides the standard network functions (like connect, send, recv, etc.) used by the program. By intercepting calls to these functions, httptap can capture and display the HTTP/HTTPS traffic before passing it along. This approach means httptap works at the socket level and doesn't require any special configuration within the target application itself. It simply requires running the desired program with the appropriate LD_PRELOAD setting pointing to the httptap library. This method is generally effective for most applications, providing a convenient way to analyze their network behavior without modifying their source code.

  The tool is described as being especially useful for command-line applications, which often lack built-in tools for inspecting HTTP traffic. It offers a more streamlined and less intrusive alternative to using general-purpose proxy tools or browser developer tools, particularly when dealing with programs that don't utilize a browser for network communication. While focusing on clarity and ease of use, httptap aims to provide a straightforward way to gain insights into the HTTP/HTTPS traffic of any Linux program.

  • HTTP
  • HTTPS
  • Network Monitoring
  • Linux
  • Debugging
  • traffic analysis
  • Security
  • Open Source
  • cli
  • command-line tool
  • System Tools
  • networking
  • httptap
  • Packet Capture
  • Proxy

  Summary of Comments ( 66 )
  https://news.ycombinator.com/item?id=42919909

  Verbose tl;dr

  Hacker News users discuss httptap, focusing on its potential uses and comparing it to existing tools. Some praise its simplicity and ease of use for quickly inspecting HTTP traffic, particularly for debugging. Others suggest alternative tools like mitmproxy, tcpdump, and Wireshark, highlighting their more advanced features, such as SSL decryption and broader protocol support. The conversation also touches on the limitations of httptap, including its current lack of HTTPS decryption and potential performance impact. Several commenters express interest in contributing features, particularly HTTPS support. Overall, the sentiment is positive, with many appreciating httptap as a lightweight and convenient option for simple HTTP inspection.

  The Hacker News post for "Httptap: View HTTP/HTTPS requests made by any Linux program" (https://news.ycombinator.com/item?id=42919909) has several comments discussing the utility and functionality of the tool.

  One commenter points out the potential security implications of tools like httptap, highlighting that granting access to /proc effectively grants root access, making it a significant security concern. They suggest exploring alternatives like using system call tracing through eBPF which could provide similar functionality with a smaller security footprint. This raises an important consideration for users concerned about system security.

  Another comment elaborates on the mechanism by which httptap functions. They explain how it uses LD_PRELOAD to intercept libc functions like connect, send, and recv. This clarifies how httptap gains visibility into the network traffic of processes without requiring modifications to the processes themselves. They also acknowledge the security concerns associated with this approach.

  A subsequent comment chain delves deeper into the security discussion, comparing httptap to tools like mitmproxy and discussing the relative risks of each. One commenter explains how mitmproxy operates as a proxy, requiring configuration changes on the client-side, while httptap directly intercepts traffic. This distinction clarifies the different use cases and security considerations for each tool. They further suggest that for debugging specific processes, using a debugger with network inspection capabilities might be a more secure approach.

  Another comment focuses on alternative methods for intercepting and analyzing HTTPS traffic, specifically mentioning the use of SSLKEYLOGFILE. This environment variable allows tools like Wireshark to decrypt TLS traffic, offering another option for analyzing HTTPS requests.

  One commenter mentions using strace with the -e trace=network option for a similar purpose. This suggestion provides a simpler, built-in alternative for basic network traffic inspection.

  Finally, a comment acknowledges the utility of httptap for debugging issues related to TLS certificate validation, offering a specific use case where this tool could be particularly helpful.

  In summary, the comments on the Hacker News post offer a range of perspectives on httptap, including discussions of its functionality, security implications, and alternative solutions. The comments provide valuable context for potential users to understand the benefits and risks associated with the tool.