Skip to content

SIA-IOTechnology/KittyProxy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

KittyProxy

HTTP/HTTPS intercepting proxy with a web UI, packaged as a UI extension for KittySploit. It captures browser and API traffic through mitmproxy, exposes a FastAPI backend, and ties into KittySploit modules, workspaces, and collaboration.

Features

  • Traffic capture — Live HTTP/HTTPS flows with search, replay, and custom requests
  • Intercept — Hold, edit, and resume requests; configurable breakpoints
  • Scope — Limit capture to selected hosts and paths
  • Repeater & API tester — Resend and craft requests from the UI
  • PCAP import — Load .pcap / .pcapng files into the flow list
  • Plugins — Extensible interception pipeline (header modification, payload injection, URL blocklist, and more)
  • KittySploit modules — Discover, suggest, configure, and run framework modules directly from a captured flow
  • Security tooling — Parameter fuzzing, reflection checks, IDOR tests, JWT crack/sign, side-channel helpers
  • Browser Security Workbench — Correlates DOM sinks, CSP, browser headers, cookies, auth flows, WebSockets, and GraphQL with versioned OWASP ASVS 5.0.0 mappings
  • Collaboration — Shared sessions, flow sync, annotations, and browser mirroring over WebSockets
  • Workspaces — Switch between KittySploit workspace contexts from the proxy UI
  • UI extensions — Load optional front-end extensions via a small manifest API

Requirements

  • KittySploit ≥ 1.0.0 (framework root with core/)
  • Python dependencies (installed in the framework venv): mitmproxy, uvicorn, fastapi, starlette, requests, websockets

Without the marketplace install, the KittySploit CLI proxy command prompts you to run market install kittyproxy.

Installation

From the KittySploit shell:

kittysploit> market install kittyproxy

This installs the extension under extensions/kittyproxy/latest/ and generates launch_kittyproxy.py at the framework root (generated file, not tracked in this repository).

Local development (clone of this repo):

kittysploit> market install /path/to/KittyProxy

Usage

After installation:

python launch_kittyproxy.py

Or from the extension entry point:

python src/main.py
Option Default Description
--proxy-port 8080 mitmproxy listen port
--api-port 8443 Web UI / API port
--api-host 127.0.0.1 API bind address
--framework-path (auto) KittySploit root if not detected
-v, --verbose off Verbose logging
  1. Point your browser or client at 127.0.0.1:8080 (HTTP proxy).
  2. Install the mitmproxy CA certificate when prompted (required for HTTPS).
  3. Open the web UI at http://127.0.0.1:8443 (or the host/port you configured).

Set KITTYSPLOIT_HOME to the framework install directory if auto-detection fails.

Browser Security Workbench

Open the Security Workbench tab after capturing browser traffic. A scan produces:

  • deduplicated findings with redacted evidence, confidence, remediation, affected flow IDs, and versioned ASVS mappings;
  • replay from the captured request, followed by a resolved/persisting/new finding delta and automated assertions;
  • portable regression artifacts as JSON or a standalone Python requests runner. Authentication values are replaced with environment placeholders by default.

The generated runner accepts KITTYPROXY_TEST_PROXY for replay through a proxy and KITTYPROXY_VERIFY_TLS=0 for an explicitly trusted local interception certificate.

The matching API endpoints are:

  • POST /api/security-workbench/analyze
  • GET /api/security-workbench/report
  • POST /api/security-workbench/replay
  • POST /api/security-workbench/regression-suite

The workbench uses passive, heuristic evidence from captured traffic. Its ASVS mapping is an aid to verification planning, not a compliance certification.

Project layout

KittyProxy/
├── extension.toml          # Marketplace manifest
├── README.md
├── LICENSE
└── src/
    ├── main.py             # Entry point (paths, CLI, startup)
    └── kittyproxy/
        ├── api.py              # FastAPI routes & WebSockets
        ├── proxy_core.py       # mitmproxy wrapper & plugins
        ├── flow_manager.py
        ├── plugins/            # Built-in interception plugins
        ├── payloads/           # Fuzzing wordlists (XSS, SQLi, …)
        ├── static/             # Web UI assets
        └── ui_extensions/      # Optional UI extension loader

Built-in plugins

Plugin Role
header_modifier Add or override request/response headers
payload_injector Inject payloads into requests
url_blocklist Block matching URLs
kittysploit_badge KittySploit branding marker

Enable and configure plugins from the web UI or via /api/plugins.

Development

  • Application code lives under src/kittyproxy/.
  • src/main.py resolves the KittySploit framework root, initializes encryption/database via Framework, then starts mitmproxy and uvicorn.
  • Add interception plugins by subclassing InterceptionPlugin in src/kittyproxy/plugins/ (see plugins/template.py).

License

MIT — see LICENSE.

About

KittySploit Extension: Intelligent HTTP/HTTPS intercepting proxy with a web UI for KittySploit. Capture, inspect, and replay traffic; auto-discover REST APIs, GraphQL & WebSockets.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages