{
"info": {
"author": "Rob Glew",
"author_email": "rglew56@gmail.com",
"bugtrack_url": null,
"classifiers": [
"Development Status :: 2 - Pre-Alpha",
"Intended Audience :: Developers",
"Intended Audience :: Information Technology",
"License :: OSI Approved :: MIT License",
"Operating System :: MacOS",
"Operating System :: POSIX :: Linux",
"Programming Language :: Python :: 2.6",
"Programming Language :: Python :: 2.7",
"Topic :: Security"
],
"description": "The Pappy Proxy\n===============\n\n`Documentation `__ -\n`Tutorial `__\n\nIntroduction\n------------\n\nThe Pappy (**P**\\ roxy **A**\\ ttack **P**\\ roxy **P**\\ rox\\ **Y**) Proxy\nis an intercepting proxy for performing web application security\ntesting. Its features are often similar, or straight up rippoffs from\n`Burp Suite `__. However, Burp Suite is\nneither open source nor a command line tool, thus making a proxy like\nPappy inevitable. The project is still in its early stages, so there are\nbugs and only the bare minimum features, but it can already do some cool\nstuff.\n\nContributing\n------------\n\n**I am taking any and all feature requests.** If you've used Burp and\nhad any inconvenience with it, tell me about it and I'll do everything\nin my power to make sure Pappy doesn't have those issues. Or even\nbetter, if you want Burp to do something that it doesn't already, let me\nknow so that I can [STRIKEOUT:use it to stomp them into the dust]\nimprove my project.\n\nIf you're brave and want to try and contribute code, please let me know.\nRight now the codebase is kind of rough and I have refactored it a few\ntimes already, but I would be more than happy to find a stable part of\nthe codebase that you can contribute to.\n\nAnother option is to try writing a plugin. It might be a bit easier than\ncontributing code and plugins are extremely easy to integrate as a core\nfeature. So you can also contribute by writing a plugin and letting me\nknow about it. You can find out more by looking at `the official plugin\ndocs `__.\n\nYou can find ideas for features to add on `the contributing page in the\ndocs `__.\n\nHow to Use It\n=============\n\nInstallation\n------------\n\nPappy supports OS X and Linux (sorry Windows). Installation requires\n``pip`` or some other command that can handle a ``setup.py`` with\nrequirements. Once the requirements are installed, you can check that it\ninstalled correctly by running ``pappy -l`` to start the proxy.\n\n::\n\n $ git clone --recursive https://github.com/roglew/pappy-proxy.git\n $ cd pappy-proxy\n $ pip install .\n\nQuickstart\n----------\n\nPappy projects take up an entire directory. Any generated scripts,\nexported responses, plugin data, etc. will be placed in the current\ndirectory so it's good to give your project a directory of its own. To\nstart a project, do something like:\n\n::\n\n $ mkdir test_project\n $ cd test_project \n $ pappy\n Copying default config to directory\n Proxy is listening on port 8000\n pappy> exit\n $ ls\n data.db project_config.json\n $ \n\nAnd that's it! The proxy will by default be running on port 8000 and\nbound to localhost (to keep the hackers out). You can modify the\nport/interface in ``config.json``. You can list all your intercepted\nrequests with ``ls``, view a full request with ``vfq `` or view a\nfull response with ``vfs ``. Right now, the only command to\ndelete requests is ``filter_prune`` which deletes all the requests that\naren't in the current context (look at the sections on the\ncontext/filter strings for more information on that).\n\nLite Mode\n---------\n\nIf you don't want to dirty up a directory, you can run Pappy in \"lite\"\nmode. Pappy will use the default configuration settings and will create\na temporary data file in ``/tmp`` to use. When you quit, the file will\nbe deleted. If you want to run Pappy in lite mode, run Pappy with either\n``-l`` or ``--lite``.\n\nExample:\n\n::\n\n $ pappy -l\n Temporary datafile is /tmp/tmpw4mGv2\n Proxy is listening on port 8000\n pappy> quit\n Deleting temporary datafile\n $ \n\nAdding The CA Cert to Your Browser\n----------------------------------\n\nIn order for Pappy to view data sent using HTTPS, you need to add a\ngenerated CA cert (``certificate.crt``) to your browser. Certificates\nare generated using the ``gencerts`` command and are by default stored\nin ``~/.pappy/certs``. This allows Pappy to act as a CA and sign any\nHTTPS certificate it wants without the browser complaining. This allows\nPappy to decrypt and modify HTTPS requests. The certificate installation\ninstructions are different for each browser.\n\nFirefox\n~~~~~~~\n\nYou can add the CA cert to Firefox by going to\n``Preferences -> Advanced -> View Certificates -> Authorities -> Import``\nand selecting the ``certificate.crt`` file in the ``certs`` directory.\n\nChrome\n~~~~~~\n\nYou can add the CA cert to Chrome by going to\n``Settings -> Show advanced settings -> HTTPS/SSL -> Manage Certificates -> Authorities -> Import``\nand selecting the ``certificate.crt`` file in the ``certs`` directory.\n\nSafari\n~~~~~~\n\nFor Safari (on macs, obviously), you need to add the CA cert to your\nsystem keychain. You can do this by double clicking on the CA cert and\nfollowing the prompts.\n\nInternet Explorer\n~~~~~~~~~~~~~~~~~\n\nI didn't search too hard for instructions on this (since Pappy doesn't\nsupport windows) and I don't own a Windows machine to try this, so if\nyou have trouble, I'm not the one to ask. According to Google you can\ndouble-click the cert to install it to the system, or you can do\n``Tools -> Content -> Certificates -> Trusted Root Certificates -> Import``.\n\nConfiguration\n-------------\n\nConfiguration for each project is done in the ``config.json`` file. The\nfile is a JSON-formatted dictionary that contains settings for the\nproxy. The following fields can be used to configure the proxy:\n\n+----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Key | Value |\n+============================+=======================================================================================================================================================================================================================================================================================================================================================================================+\n| ``data_file`` | The file where requests and images will be stored |\n+----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``debug_dir`` (optional) | Where connection debug info should be stored. If not present, debug info is not saved to a file. |\n+----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``cert_dir`` | Where the CA cert and the private key for the CA cert are stored |\n+----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``proxy_listeners`` | A list of dicts which describe which ports the proxy will listen on. Each item is a dict with \"port\" and \"interface\" values which determine which port and interface to listen on. For example, if port=8000 and the interface is 127.0.0.1, the proxy will only accept connections from localhost on port 8000. To accept connections from anywhere, set the interface to 0.0.0.0. |\n+----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nThe following tokens will also be replaced with values:\n\n+-----------------+-----------------------------------------------------+\n| Token | Replaced with |\n+=================+=====================================================+\n| ``{DATADIR}`` | The directory where Pappy's data files are stored |\n+-----------------+-----------------------------------------------------+\n\nSee the default ``config.json`` for examples.\n\nGeneral Console Techniques\n--------------------------\n\nThere are a few tricks you can use in general when using Pappy's\nconsole. Most of these are provided by the\n`cmd `__ and\n`cmd2 `__.\n\nRun a shell command\n~~~~~~~~~~~~~~~~~~~\n\nYou can run a shell command with ``!``:\n\n::\n\n pappy> ls\n ID Verb Host Path S-Code Req Len Rsp Len Time Mngl\n 5 GET vitaly.sexy /netscape.gif 304 Not Modified 0 0 0.08 --\n 4 GET vitaly.sexy /esr1.jpg 304 Not Modified 0 0 0.07 --\n 3 GET vitaly.sexy /construction.gif 304 Not Modified 0 0 0.07 --\n 2 GET vitaly.sexy /vitaly2.jpg 0 N/A -- --\n 1 GET vitaly.sexy / 304 Not Modified 0 0 0.07 --\n pappy> !ls\n cmdhistory config.json data.db\n pappy>\n\nRunning Python Code\n~~~~~~~~~~~~~~~~~~~\n\nYou can use the ``py`` command to either run python code or to drop down\nto a Python shell.\n\n::\n\n pappy> py print ':D '*10\n :D :D :D :D :D :D :D :D :D :D\n pappy> py\n Python 2.7.6 (default, Jun 22 2015, 17:58:13)\n [GCC 4.8.2] on linux2\n Type \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n (ProxyCmd)\n\n py : Executes a Python command.\n py: Enters interactive Python mode.\n End with ``Ctrl-D`` (Unix) / ``Ctrl-Z`` (Windows), ``quit()``, '`exit()``.\n Non-python commands can be issued with ``cmd(\"your command\")``.\n Run python code from external files with ``run(\"filename.py\")``\n\n >>> from pappyproxy import config\n >>> config.CONFIG_DICT\n {u'data_file': u'./data.db', u'history_size': 1000, u'cert_dir': u'{DATADIR}/certs', u'proxy_listeners': [{u'interface': u'127.0.0.1', u'port': 8000}]}\n >>> exit()\n pappy>\n\nRedirect Output To File\n~~~~~~~~~~~~~~~~~~~~~~~\n\nYou can use ``>`` to direct output to a file. However, a number of\ncommands use colored output. If you just redirect these to a file, there\nwill be additional bytes which represent the ANSI color codes. To get\naround this, use the ``nocolor`` command to remove the color from the\ncommand output.\n\n::\n\n pappy> ls > ls.txt\n pappy> !xxd -c 32 -g 4 ls.txt\n 0000000: 1b5b316d 1b5b346d 49442020 56657262 2020486f 73742020 20202020 20202050 .[1m.[4mID Verb Host P\n 0000020: 61746820 20202020 20202020 20202020 2020532d 436f6465 20202020 20202020 ath S-Code\n 0000040: 20202020 52657120 4c656e20 20527370 204c656e 20205469 6d652020 20204d6e Req Len Rsp Len Time Mn\n 0000060: 676c2020 1b5b306d 0a352020 201b5b33 366d4745 541b5b30 6d202020 1b5b3931 gl .[0m.5 .[36mGET.[0m .[91\n 0000080: 6d766974 616c792e 73657879 1b5b306d 20201b5b 33366d1b 5b306d2f 1b5b3334 mvitaly.sexy.[0m .[36m.[0m/.[34\n 00000a0: 6d6e6574 73636170 652e6769 661b5b30 6d202020 2020201b 5b33356d 33303420 mnetscape.gif.[0m .[35m304\n 00000c0: 4e6f7420 4d6f6469 66696564 1b5b306d 20203020 20202020 20202030 20202020 Not Modified.[0m 0 0\n 00000e0: 20202020 302e3038 20202020 2d2d2020 20200a34 2020201b 5b33366d 4745541b 0.08 -- .4 .[36mGET.\n 0000100: 5b306d20 20201b5b 39316d76 6974616c 792e7365 78791b5b 306d2020 1b5b3336 [0m .[91mvitaly.sexy.[0m .[36\n 0000120: 6d1b5b30 6d2f1b5b 33346d65 7372312e 6a70671b 5b306d20 20202020 20202020 m.[0m/.[34mesr1.jpg.[0m\n 0000140: 201b5b33 356d3330 34204e6f 74204d6f 64696669 65641b5b 306d2020 30202020 .[35m304 Not Modified.[0m 0\n 0000160: 20202020 20302020 20202020 2020302e 30372020 20202d2d 20202020 0a332020 0 0.07 -- .3\n 0000180: 201b5b33 366d4745 541b5b30 6d202020 1b5b3931 6d766974 616c792e 73657879 .[36mGET.[0m .[91mvitaly.sexy\n 00001a0: 1b5b306d 20201b5b 33366d1b 5b306d2f 1b5b3334 6d636f6e 73747275 6374696f .[0m .[36m.[0m/.[34mconstructio\n 00001c0: 6e2e6769 661b5b30 6d20201b 5b33356d 33303420 4e6f7420 4d6f6469 66696564 n.gif.[0m .[35m304 Not Modified\n 00001e0: 1b5b306d 20203020 20202020 20202030 20202020 20202020 302e3037 20202020 .[0m 0 0 0.07\n 0000200: 2d2d2020 20200a32 2020201b 5b33366d 4745541b 5b306d20 20201b5b 39316d76 -- .2 .[36mGET.[0m .[91mv\n 0000220: 6974616c 792e7365 78791b5b 306d2020 1b5b3336 6d1b5b30 6d2f1b5b 33346d76 italy.sexy.[0m .[36m.[0m/.[34mv\n 0000240: 6974616c 79322e6a 70671b5b 306d2020 20202020 201b5b33 366d3230 30204f4b italy2.jpg.[0m .[36m200 OK\n 0000260: 1b5b306d 20202020 20202020 20202020 30202020 20202020 20323033 34303033 .[0m 0 2034003\n 0000280: 20203135 352e3131 20202d2d 20202020 0a312020 201b5b33 366d4745 541b5b30 155.11 -- .1 .[36mGET.[0\n 00002a0: 6d202020 1b5b3931 6d766974 616c792e 73657879 1b5b306d 20201b5b 33366d1b m .[91mvitaly.sexy.[0m .[36m.\n 00002c0: 5b306d2f 1b5b3334 6d1b5b30 6d202020 20202020 20202020 20202020 2020201b [0m/.[34m.[0m .\n 00002e0: 5b33356d 33303420 4e6f7420 4d6f6469 66696564 1b5b306d 20203020 20202020 [35m304 Not Modified.[0m 0\n 0000300: 20202030 20202020 20202020 302e3037 20202020 2d2d2020 20200a 0 0.07 -- .\n pappy> nocolor ls > ls2.txt\n pappy> !xxd -c 32 -g 4 ls2.txt\n 0000000: 49442020 56657262 2020486f 73742020 20202020 20202050 61746820 20202020 ID Verb Host Path\n 0000020: 20202020 20202020 2020532d 436f6465 20202020 20202020 20202020 52657120 S-Code Req\n 0000040: 4c656e20 20527370 204c656e 20205469 6d652020 20204d6e 676c2020 0a352020 Len Rsp Len Time Mngl .5\n 0000060: 20474554 20202076 6974616c 792e7365 78792020 2f6e6574 73636170 652e6769 GET vitaly.sexy /netscape.gi\n 0000080: 66202020 20202033 3034204e 6f74204d 6f646966 69656420 20302020 20202020 f 304 Not Modified 0\n 00000a0: 20203020 20202020 20202030 2e303820 2020202d 2d202020 200a3420 20204745 0 0.08 -- .4 GE\n 00000c0: 54202020 76697461 6c792e73 65787920 202f6573 72312e6a 70672020 20202020 T vitaly.sexy /esr1.jpg\n 00000e0: 20202020 33303420 4e6f7420 4d6f6469 66696564 20203020 20202020 20202030 304 Not Modified 0 0\n 0000100: 20202020 20202020 302e3037 20202020 2d2d2020 20200a33 20202047 45542020 0.07 -- .3 GET\n 0000120: 20766974 616c792e 73657879 20202f63 6f6e7374 72756374 696f6e2e 67696620 vitaly.sexy /construction.gif\n 0000140: 20333034 204e6f74 204d6f64 69666965 64202030 20202020 20202020 30202020 304 Not Modified 0 0\n 0000160: 20202020 20302e30 37202020 202d2d20 2020200a 32202020 47455420 20207669 0.07 -- .2 GET vi\n 0000180: 74616c79 2e736578 7920202f 76697461 6c79322e 6a706720 20202020 20203230 taly.sexy /vitaly2.jpg 20\n 00001a0: 30204f4b 20202020 20202020 20202020 30202020 20202020 20323033 34303033 0 OK 0 2034003\n 00001c0: 20203135 352e3131 20202d2d 20202020 0a312020 20474554 20202076 6974616c 155.11 -- .1 GET vital\n 00001e0: 792e7365 78792020 2f202020 20202020 20202020 20202020 20202033 3034204e y.sexy / 304 N\n 0000200: 6f74204d 6f646966 69656420 20302020 20202020 20203020 20202020 20202030 ot Modified 0 0 0\n 0000220: 2e303720 2020202d 2d202020 200a0a .07 -- ..\n pappy>\n\nIf you want to write the contents of a request or response to a file,\ndon't use ``nocolor`` with ``vfq`` or ``vfs``. Use just the ``vbq`` or\n``vbs`` commands.\n\n+---------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Description |\n+===============+==============================================================================================================================================================================+\n| ``nocolor`` | Run a command and print its output without ASCII escape codes. Intended for use when redirecting output to a file. Should only be used with text and not with binary data. |\n+---------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nGenerating Pappy's CA Cert\n--------------------------\n\nIn order to intercept and modify requests to sites that use HTTPS, you\nhave to generate and install CA certs to your browser. You can do this\nby running the ``gencerts`` command in Pappy. By default, certs are\nstored ``~/.pappy/certs``. This is also the default location that Pappy\nwill look for certificates (unless you specify otherwise in\n``config.json``.) In addition, you can give the ``gencerts`` command an\nargument to have it put the generated certs in a different directory.\n\n+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Description |\n+========================================+==================================================================================================================================================================================================================================================================================+\n| ``gencerts [/path/to/put/certs/in]`` | Generate a CA cert that can be added to your browser to let Pappy decrypt HTTPS traffic. Also generates the private key for that cert in the same directory. If no path is given, the certs will be placed in the default certificate location. Overwrites any existing certs. |\n+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nBrowsing Recorded Requests/Responses\n------------------------------------\n\nThe following commands can be used to view requests and responses\n\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+==============================================================================================================================================================================================================================================================================================================+==================================+====================================================================================================================================================================================================================================================================================================================================================================================================================================+\n| ``ls [a|``] | list, ls | List requests that are in the current context (see Context section). Has information like the host, target path, and status code. With no arguments, it will print the 25 most recent requests in the current context. If you pass 'a' or 'all' as an argument, it will print all the requests in the current context. If you pass a number \"n\" as an argument, it will print the n most recent requests in the current context. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``sm`` [p] | sm, site\\_map | Print a tree showing the site map. It will display all requests in the current context that did not have a 404 response. This has to go through all of the requests in the current context so it may be slow. If the ``p`` option is given, it will print the paths as paths rather than as a tree. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``viq `` | view\\_request\\_info, viq | View additional information about requests. Includes the target port, if SSL was used, applied tags, and other information. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``vfq `` | view\\_full\\_request, vfq, kjq | [V]iew [F]ull Re[Q]uest, prints the full request including headers and data. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``vbq `` | view\\_request\\_bytes, vbq | [V]iew [B]ytes of Re[Q]uest, prints the full request including headers and data without coloring or additional newlines. Use this if you want to write a request to a file. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``ppq `` | pretty\\_print\\_request, ppq | Pretty print a request with a specific format. See the table below for a list of formats. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``vhq `` | view\\_request\\_headers, vhq | [V]iew [H]eaders of a Re[Q]uest. Prints just the headers of a request. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``vfs `` | view\\_full\\_response, vfs, kjs | [V]iew [F]ull Re[S]ponse, prints the full response associated with a request including headers and data. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``vhs `` | view\\_response\\_headers, vhs | [V]iew [H]eaders of a Re[S]ponse. Prints just the headers of a response associated with a request. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``vbs `` | view\\_response\\_bytes, vbs | [V]iew [B]ytes of Re[S]ponse, prints the full response including headers and data without coloring or additional newlines. Use this if you want to write a response to a file. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``pps `` | pretty\\_print\\_response, pps | Pretty print a response with a specific format. See the table below for a list of formats. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``pprm `` | print\\_params, pprm | Print a summary of the parameters submitted with the request. It will include URL params, POST params, and/or cookies |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``pri [ct] [key(s)] | param_info, pri | Print a summary of the parameters and values submitted by in-context requests. You can pass in keys to limit which values will be shown. If you also provide``\\ ct\\ ``as the first argument, it will include any keys that are passed as arguments. | |``\\ watch\\` | watch | Print requests and responses in real time as they pass through the proxy. |\n+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nAvailable formats for ``ppq`` and ``pps`` commands:\n\n+------------+------------------------------------------------------------+\n| Format | Description |\n+============+============================================================+\n| ``form`` | Print POST data submitted from a form (normal post data) |\n+------------+------------------------------------------------------------+\n| ``json`` | Print as JSON |\n+------------+------------------------------------------------------------+\n\nThe table shown by ``ls`` will have the following columns:\n\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Label | Description |\n+===========+========================================================================================================================================================================================================================+\n| ID | The request ID of that request. Used to identify the request for other commands. |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Method | The method(/http verb) for the request |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Host | The host that the request was sent to |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Path | The path of the request |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| S-Code | The status code of the response |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Req Len | The length of the data submitted |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Rsp Len | The length of the data returned in the response |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Time | The time in seconds it took to complete the request |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Mngl | If the request or response were mangled with the interceptor. If the request was mangled, the column will show 'q'. If the response was mangled, the column will show 's'. If both were mangled, it will show 'q/s'. |\n+-----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nTags\n----\n\nYou can apply tags to a request and use filters to view specific tags.\nThe following commands can be used to apply and remove tags to requests:\n\n+---------------------------+-----------+---------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+===========================+===========+===============================================================================================================+\n| ``tag [id(s)]`` | tag | Apply a tag to the given requests. If no IDs are given, the tag will be applied to all in-context requests. |\n+---------------------------+-----------+---------------------------------------------------------------------------------------------------------------+\n| ``untag [id(s)]`` | untag | Remove a tag from the given ids. If no IDs are given, the tag is removed from every in-context request. |\n+---------------------------+-----------+---------------------------------------------------------------------------------------------------------------+\n| ``clrtag `` | clrtag | Removes all tags from the given ids. |\n+---------------------------+-----------+---------------------------------------------------------------------------------------------------------------+\n\nRequest IDs\n-----------\n\nRequest IDs are how you identify a request and every command that\ninvolves specifying a request will take one or more request IDs. You can\nsee it when you run ``ls``. In addition, you can prepend an ID with\nprefixes to get requests or responses associated with the request (for\nexample if you modified the request or its response with the\ninterceptor, you can get the unmangled versions.) Here are the valid\nprefixes:\n\n+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Prefix | Description |\n+==========+=========================================================================================================================================================================================================================+\n| ``u`` | If the request was mangled, prefixing the ID with ``u`` will result in the unmangled version of the request. The resulting request will not have an associated response because it was never submitted to the server. |\n+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``s`` | If the response was mangled, prefixing the request ID ``s`` will result in the same request but its associated response will be the unmangled version. |\n+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nI know it sounds kind of unintuitive. Here are some example commands\nthat will hopefully make things clearer. Suppose request 1 had its\nrequest mangled, and request 2 had its response mangled.\n\n- ``vfq 1`` Prints the mangled version of request 1\n- ``vfq u1`` Prints the unmangled version of request 1\n- ``rp u1`` Open the repeater with the unmangled version of request 1\n- ``vfs u1`` Throws an error because the unmangled version was never\n submitted\n- ``vfs s1`` Throws an error because the response for request 1 was\n never mangled\n- ``vfs 2`` Prints the mangled response of request 2\n- ``vfs s2`` Prints the unmangled response of request 2\n- ``vfq u2`` Throws an error because request 2's request was never\n mangled\n- ``vfs u2`` Throws an error because request 2's request was never\n mangled\n\nPassing Multiple Request IDs to a Command\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSome arguments can take multiple IDs for an argument. To pass multiple\nIDs to a command, separate the IDs with commas **(no spaces!)**. A few\nexamples:\n\n- ``viq 1,2,u3`` View information about requests 1, 2, and the\n unmangled version of 3\n- ``gma foo 4,5,6`` Generate a macro with definitions for requests 4,\n 5, and 6\n\nContext\n-------\n\nThe context is a set of filters that define which requests are\nconsidered \"active\". Only requests in the current context are displayed\nwith ``ls``. By default, the context includes every single request that\npasses through the proxy. You can limit down the current context by\napplying filters. Filters apply rules such as \"the response code must\nequal 500\" or \"the host must contain google.com\". Once you apply one or\nmore filters, only requests/responses which pass every active filter\nwill be a part of the current context.\n\n+-------------------------+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+=========================+=====================+================================================================================================================================================+\n| ``f `` | filter, fl, f | Add a filter that limits which requests are included in the current context. See the Filter String section for how to create a filter string |\n+-------------------------+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``fc`` | filter\\_clear, fc | Clears the filters and resets the context to contain all requests and responses. Ignores scope |\n+-------------------------+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``fu`` | filter\\_up, fu | Removes the most recently applied filter |\n+-------------------------+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``fls`` | filter\\_list, fls | Print the filters that make up the current context |\n+-------------------------+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``filter_prune`` | filter\\_prune | Delete all the requests that aren't in the current context from the data file |\n+-------------------------+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------+\n\nFilter Strings\n--------------\n\nFilter strings define a condition that a request/response pair must pass\nto be part of the context. Most filter strings have the following\nformat:\n\n::\n\n \n\nWhere ```` is some part of the request/response, ````\nis some comparison to ````. For example, if you wanted a filter\nthat only matches requests to ``target.org``, you could use the\nfollowing filter string:\n\n::\n\n host is target.org\n\n field = \"host\"\n comparer = \"is\"\n value = \"target.org\"\n\nAlso **if you prefix a comparer with 'n' it turns it into a negation.**\nUsing the previous example, the following will match any request except\nfor ones where the host contains ``target.org``:\n\n::\n\n host nis target.org\n\n field = \"host\"\n comparer = \"nis\"\n value = \"target.org\"\n\nFor fields that are a list of key/value pairs (headers, get params, post\nparams, and cookies) you can use the following format:\n\n::\n\n [ ]\n\nThis is a little more complicated. If you don't give comparer2/value2,\nthe filter will pass any pair where the key or the value matches\ncomparer1 and value1. If you do give comparer2/value2, the key must\nmatch comparer1/value1 and the value must match comparer2/value2 For\nexample:\n\n::\n\n Filter A:\n cookie contains Session\n\n Filter B:\n cookie contains Session contains 456\n\n Filter C:\n cookie ncontains Ultra\n\n Cookie: SuperSession=abc123\n Matches A and C but not B\n\n Cookie: UltraSession=abc123456\n Matches both A and B but not C\n\nList of fields\n~~~~~~~~~~~~~~\n\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| Field Name | Aliases | Description | Format |\n+==============+================================+==================================================================================+=============+\n| all | all | The entire request represented as one string | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| host | host, domain, hs, dm | The target host (ie www.target.com) | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| path | path, pt | The path of the url (ie /path/to/secrets.php) | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| body | body, data, bd, dt | The body (data section) of either the request or the response | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| reqbody | qbody, qdata, qbd, qdt | The body (data section) of th request | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| rspbody | sbody, sdata, sbd, sdt | The body (data section) of th response | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| verb | verb, vb | The HTTP verb of the request (ie GET, POST) | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| param | param, pm | Either the get or post parameters | Key/Value |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| header | header, hd | An HTTP header (ie User-Agent, Basic-Authorization) in the request or response | Key/Value |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| reqheader | reqheader, qhd | An HTTP header in the request | Key/Value |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| rspheader | rspheader, shd | An HTTP header in the response | Key/Value |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| rawheaders | rawheaders, rh | The entire header section (as one string) of either the head or the response | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| sentcookie | sentcookie, sck | A cookie sent in a request | Key/Value |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| setcookie | setcookie, stck | A cookie set by a response | Key/Value |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| statuscode | statuscode, sc, responsecode | The response code of the response | Numeric |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n| tag | tag | Any of the tags applied to the request | String |\n+--------------+--------------------------------+----------------------------------------------------------------------------------+-------------+\n\nList of comparers\n~~~~~~~~~~~~~~~~~\n\n+--------------+------------------+-----------------------------------------------------------------+\n| Field Name | Aliases | Description |\n+==============+==================+=================================================================+\n| is | is | Exact string match |\n+--------------+------------------+-----------------------------------------------------------------+\n| contains | contains, ct | A contain B is true if B is a substring of A |\n+--------------+------------------+-----------------------------------------------------------------+\n| containsr | containsr, ctr | A containr B is true if A matches regexp B |\n+--------------+------------------+-----------------------------------------------------------------+\n| exists | exists, ex | A exists B if A is not an empty string (likely buggy) |\n+--------------+------------------+-----------------------------------------------------------------+\n| Leq | Leq | A Leq B if A's length equals B (B must be a number) |\n+--------------+------------------+-----------------------------------------------------------------+\n| Lgt | Lgt | A Lgt B if A's length is greater than B (B must be a number ) |\n+--------------+------------------+-----------------------------------------------------------------+\n| Llt | Llt | A Llt B if A's length is less than B (B must be a number) |\n+--------------+------------------+-----------------------------------------------------------------+\n| eq | eq | A eq B if A = B (A and B must be a number) |\n+--------------+------------------+-----------------------------------------------------------------+\n| gt | gt | A gt B if A > B (A and B must be a number) |\n+--------------+------------------+-----------------------------------------------------------------+\n| lt | lt | A lt B if A < B (A and B must be a number) |\n+--------------+------------------+-----------------------------------------------------------------+\n\nSpecial form filters\n~~~~~~~~~~~~~~~~~~~~\n\nA few filters don't conform to the field, comparer, value format. You\ncan still negate these.\n\n+-----------+------------------+---------------------------------------------------------------------------------------------------------+\n| Format | Aliases | Description |\n+===========+==================+=========================================================================================================+\n| before | before, bf, b4 | Filters out any request that is not before the given request. Filters out any request without a time. |\n+-----------+------------------+---------------------------------------------------------------------------------------------------------+\n| after | after, af | Filters out any request that is not before the given request. Filters out any request without a time. |\n+-----------+------------------+---------------------------------------------------------------------------------------------------------+\n| inv | inf | Inverts a filter string. Anything that matches the filter string will not pass the filter. |\n+-----------+------------------+---------------------------------------------------------------------------------------------------------+\n\nExamples:\n\n::\n\n Only show requests before request 1234\n f b4 1234\n\n Only show requests after request 1234\n f af 1234\n\n Show requests without a csrf parameter\n f inv param ct csrf\n\nScope\n-----\n\nScope is a set of rules to define whether Pappy should mess with a\nrequest. You define the scope by setting the context to what you want\nthe scope to be and running ``scope_save``. The scope is saved in the\ndata file and is automatically restored when using the same project\ndirectory.\n\nAny requests which don't match all the filters in the scope will be\npassed straight to the browser and will not be caught by the interceptor\nor recorded in the data file. This is useful to make sure you don't\naccidentally do something like log in to your email through the proxy\nand have your plaintext username/password stored.\n\n+--------------------+---------------------------+------------------------------------------------------+\n| Command | Aliases | Description |\n+====================+===========================+======================================================+\n| ``scope_save`` | ``scope_save`` | Set the current context to be the scope |\n+--------------------+---------------------------+------------------------------------------------------+\n| ``sr`` | ``scope_reset``, ``sr`` | Set the current context to the scope |\n+--------------------+---------------------------+------------------------------------------------------+\n| ``scope_delete`` | ``scope_delete`` | Clear the scope (everything's in scope!) |\n+--------------------+---------------------------+------------------------------------------------------+\n| ``scope_list`` | ``scope_list``, ``sls`` | List all the filters that are applied to the scope |\n+--------------------+---------------------------+------------------------------------------------------+\n\nBuilt-In Filters\n~~~~~~~~~~~~~~~~\n\nPappy also includes some built in filters that you can apply. These are\nthings that you may want to filter by but may be too tedius to type out.\nThe ``fbi`` command also supports tab completion.\n\n+-----------------+--------------------------------------------------+\n| Filter | Description |\n+=================+==================================================+\n| ``not_image`` | Matches anything that isn't an image. |\n+-----------------+--------------------------------------------------+\n| ``not_jscss`` | Matches anything that isn't JavaScript or CSS. |\n+-----------------+--------------------------------------------------+\n\n+--------------------+-------------------------------+--------------------------------------------------+\n| Command | Aliases | Description |\n+====================+===============================+==================================================+\n| ``fbi `` | ``builtin_filter``, ``fbi`` | Apply a built-in filter to the current context |\n+--------------------+-------------------------------+--------------------------------------------------+\n\nDecoding Strings\n----------------\n\nThese features try to fill a similar role to Burp's decoder. Each\ncommand will automatically copy the results to the clipboard. In\naddition, if no string is given, the commands will encode/decode\nwhatever is already in the clipboard. Here is an example of how to\nbase64 encode/decode a string.\n\n::\n\n pappy> b64e \"Hello World!\"\n SGVsbG8gV29ybGQh\n pappy> b64d\n Hello World!\n pappy>\n\nAnd if the result contains non-printable characters, a hexdump will be\nproduced instead\n\n::\n\n pappy> b64d ImALittleTeapot=\n 0000 22 60 0b 8a db 65 79 37 9a a6 8b \"`...ey7...\n\n pappy>\n\nThe following commands can be used to encode/decode strings:\n\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+===========================+=====================================+=====================================================================================================================================================================+\n| ``base64_decode`` | ``base64_decode``, ``b64d`` | Base64 decode a string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``base64_encode`` | ``base64_encode``, ``b64e`` | Base64 encode a string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``asciihex_decode`` | ``asciihex_decode``, ``ahd`` | Decode an ASCII hex string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``asciihex_encode`` | ``asciihex_encode``, ``ahe`` | Encode an ASCII hex string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``html_decode`` | ``html_decode``, ``htmld`` | Decode an html encoded string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``html_encode`` | ``html_encode``, ``htmle`` | Encode a string to html encode all of the characters |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``url_decode`` | ``url_decode``, ``urld`` | Url decode a string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``url_encode`` | ``url_encode``, ``urle`` | Url encode a string |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``gzip_decode`` | ``gzip_decode``, ``gzd`` | Gzip decompress a string. Probably won't work too well since there's not a great way to get binary data passed in as an argument. I'm working on this. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``gzip_encode`` | ``gzip_encode``, ``gze`` | Gzip compress a string. Result doesn't get copied to the clipboard. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``base64_decode_raw`` | ``base64_decode_raw``, ``b64dr`` | Same as ``base64_decode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``base64_encode_raw`` | ``base64_encode_raw``, ``b64er`` | Same as ``base64_encode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``asciihex_decode_raw`` | ``asciihex_decode_raw``, ``ahdr`` | Same as ``asciihex_decode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``asciihex_encode_raw`` | ``asciihex_encode_raw``, ``aher`` | Same as ``asciihex_encode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``html_decode_raw`` | ``html_decode_raw``, ``htmldr`` | Same as ``html_decode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``html_encode_raw`` | ``html_encode_raw``, ``htmler`` | Same as ``html_encode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``url_decode_raw`` | ``url_decode_raw``, ``urldr`` | Same as ``url_decode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``url_encode_raw`` | ``url_encode_raw``, ``urler`` | Same as ``url_encode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``gzip_decode_raw`` | ``gzip_decode_raw``, ``gzdr`` | Same as ``gzip_decode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``gzip_encode_raw`` | ``gzip_encode_raw``, ``gzer`` | Same as ``gzip_encode`` but will not print a hexdump if it contains non-printable characters. It is suggested you use ``>`` to redirect the output to a file. |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``unixtime_decode`` | ``unixtime_decode``, ``uxtd`` | Take in a unix timestamp and print a human readable timestamp |\n+---------------------------+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nInterceptor\n-----------\n\nThis feature is like Burp's proxy with \"Intercept Mode\" turned on,\nexcept it's not turned on unless you explicitly turn it on. When the\nproxy gets a request while in intercept mode, it lets you edit it before\nforwarding it to the server. In addition, it can stop responses from the\nserver and let you edit them before they get forwarded to the browser.\nWhen you run the command, you can pass ``req`` and/or ``rsp`` as\narguments to say whether you would like to intercept requests and/or\nresponses. Only in-scope requests/responses will be intercepted (see\nScope section).\n\nThe interceptor will use your EDITOR variable to decide which editor to\nedit the request/response with. If no editor variable is set, it will\ndefault to ``vi``.\n\nTo forward a request, edit it, save the file, then quit.\n\n+---------------------+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+=====================+=========================+=================================================================================================================================================================================================================+\n| ``ic +`` | ``intercept``, ``ic`` | Begins interception mode. Press enter to leave interception mode and return to the command prompt. Pass in ``request`` to intercept requests, ``response`` to intercept responses, or both to intercept both. |\n+---------------------+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\n::\n\n Intercept both requests and responses:\n > ic requests responses\n > ic req rsp\n\n Intercept just requests:\n > ic requests\n > ic req\n\n Intercept just responses:\n > ic responses\n > ic rsp\n\n Be totally useless:\n > ic\n\nTo drop a request, delete everything, save and quit.\n\nRepeater\n--------\n\nThis feature is like Burp's repeater (yes, really). You choose a request\nand Pappy will open vim in a split window with your request on the left\nand the original response on the right. You can make changes to the\nrequest and then run \":RepeaterSubmitBuffer\" to submit the modified\nrequest. The response will be displayed on the right. This command is\nbound to ``f`` by default, but you can bind it to something else\ntoo in your vimrc (I think, dunno if vim will complain if the function\nundefined which it will be for regular files). This command will submit\nwhatever buffer your cursor is in, so make sure it's in the request\nbuffer.\n\nWhen you're done with repeater, run \":qa!\" to avoid having to save\nchanges to nonexistent files.\n\n+---------------+----------------+----------------------------------------------+\n| Command | Aliases | Description |\n+===============+================+==============================================+\n| ``rp `` | repeater, rp | Open the specified request in the repeater |\n+---------------+----------------+----------------------------------------------+\n\n+----------------------------+--------------+----------------------------------------------------------------------------------------------------+\n| Vim Command | Keybinding | Action |\n+============================+==============+====================================================================================================+\n| ``RepeaterSubmitBuffer`` | f | Submit the current buffer, split the windows vertically, and show the result in the right window |\n+----------------------------+--------------+----------------------------------------------------------------------------------------------------+\n\nMacros\n------\n\nMacros are Pappy's version of Burp's intruder. You can use macros to\nmake automated requests through the proxy and save them to the data\nfile. A macro file is any python script file in the current directory\nthat is in the form ``macro_.py``. An example project directory\nwith macros would be:\n\n::\n\n $ ls -l\n -rw-r--r-- 1 scaryhacker wheel 150 Nov 26 11:17 config.json\n -rw------- 1 scaryhacker wheel 2639872 Nov 26 17:18 data.db\n -rw-r--r-- 1 scaryhacker wheel 471 Nov 26 18:42 macro_blank.py\n -rw-r--r-- 1 scaryhacker wheel 264 Nov 26 18:49 macro_hackthensa.py\n -rw-r--r-- 1 scaryhacker wheel 1261 Nov 26 18:37 macro_testgen.py\n -rw-r--r-- 1 scaryhacker wheel 241 Nov 26 17:18 macro_test.py\n\nIn this case we have a ``blank``, ``hackthensa``, ``testgen``, and\n``test`` macro. A macro script is any python script that defines a\n``run_macro(args)`` function and a ``MACRO_NAME`` variable. For example,\na simple macro would be:\n\n::\n\n ### macro_print.py\n\n MACRO_NAME = 'Print Macro'\n\n def run_macro(args):\n if args:\n print \"Hello, %s!\" % args[0]\n else:\n print \"Hello, Pappy!\"\n\nYou can place this macro in your project directory then load and run it\nfrom Pappy. When a macro is run, arguments are passed from the command\nline. Arguments are separated the same way as they are on the command\nline, so if you want to use spaces in your argument, you have to put\nquotes around it.\n\n::\n\n $ pappy\n Proxy is listening on port 8000\n pappy> lma\n Loaded \"\"\n Loaded \"\"\n Loaded \"\"\n Loaded \"\"\n Loaded \"\"\n pappy> rma print\n Hello, Pappy!\n pappy> rma print NSA\n Hello, NSA!\n pappy> rma print Idiot Slayer\n Hello, Idiot!\n pappy> rma print \"Idiot Slayer\"\n Hello, Idiot Slayer!\n\nYou'll need to run ``lma`` every time you make a change to the macro in\norder to reload it. In addition, any code outside of the ``run_macro``\nfunction will be run when it the macro gets loaded.\n\nGenerating Macros From Requests\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nYou can also generate macros that have Pappy ``Request`` objects created\nwith the same information as requests you've already made. For example:\n\n::\n\n $ pappy\n Proxy is listening on port 8000\n pappy> ls\n ID Verb Host Path S-Code Req Len Rsp Len Time Mngl\n 5 GET vitaly.sexy /esr1.jpg 200 OK 0 17653 -- --\n 4 GET vitaly.sexy /netscape.gif 200 OK 0 1135 -- --\n 3 GET vitaly.sexy /construction.gif 200 OK 0 28366 -- --\n 2 GET vitaly.sexy /vitaly2.jpg 200 OK 0 2034003 -- --\n 1 GET vitaly.sexy / 200 OK 0 1201 -- --\n pappy> gma sexy 1\n Wrote script to macro_sexy.py\n pappy> quit\n $ cat macro_sexy.py\n from pappyproxy.http import Request, get_request, post_request\n\n MACRO_NAME = 'Macro 94664581'\n SHORT_NAME = ''\n\n ###########\n ## Requests\n\n req0 = Request((\n 'GET / HTTP/1.1\\r\\n'\n 'Host: vitaly.sexy\\r\\n'\n 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0\\r\\n'\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n'\n 'Accept-Language: en-US,en;q=0.5\\r\\n'\n 'Accept-Encoding: gzip, deflate\\r\\n'\n 'Connection: keep-alive\\r\\n'\n 'Pragma: no-cache\\r\\n'\n 'Cache-Control: no-cache\\r\\n'\n '\\r\\n'\n ))\n\n\n def run_macro(args):\n # Example:\n # req = req0.copy() # Copy req0\n # req.submit() # Submit the request to get a response\n # print req.response.raw_headers # print the response headers\n # req.save() # save the request to the data file\n # or copy req0 into a loop and use string substitution to automate requests\n pass\n\nIf you enter in a value for ``SHORT_NAME``, you can use it as a shortcut\nto run that macro. So if in a macro you set ``SHORT_NAME='tm'`` you can\nrun it by running ``pappy> rma tm``.\n\n+--------------------------+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+==========================+===============================+=====================================================================================================================================+\n| ``lma [dir]`` | ``load_macros``, ``lma`` | Load macros from a directory. If ``dir`` is not given, use the current directory (the project directory) |\n+--------------------------+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+\n| ``rma `` | ``run_macro``, ``rma`` | Run a macro with the given name. You can use the shortname, filename, or long name. |\n+--------------------------+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+\n| ``gma [id(s)]`` | ``generate_macro``, ``gma`` | Generate a macro with the given name. If request IDs are given, the macro will contain request objects that contain each request. |\n+--------------------------+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+\n| ``rpy `` | ``rpy`` | Print the Python object definitions for each of the given ids |\n+--------------------------+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+\n\nRequest Objects\n~~~~~~~~~~~~~~~\n\nThe main method of interacting with the proxy is through ``Request``\nobjects. You can submit a request with ``req.sumbit()`` and save it to\nthe data file with ``req.save()``. The objects also have attributes\nwhich can be used to modify the request in a high-level way. You can see\nthe `full\ndocumentation `__\nfor more details on using these objects.\n\nDict-like objects are represented with a custom class called a\n``RepeatableDict``. Again, look at the docs for details. For the most\npart, you can interact with it like a normal dictionary, but don't be\nsurprised if it's missing some methods you would expect.\n\nHere is a quick list of attributes that you can use with ``Request``\nobjects:\n\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| Attribute | Settable? | Data Type | Description |\n+=================+=============+==================+=================================================================================================================+\n| cookies | Yes | RepeatableDict | Cookies sent in the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| fragment | Yes | String | The url fragment (The text after the #) |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| full\\_path | No | String | The path including url params and the fragment |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| full\\_request | No | String | The full request including headers and data |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| headers | Yes | RepeatableDict | The headers of the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| host | Yes | String | The host that the request is sent to |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| is\\_ssl | Yes | Bool | Whether the request is/was sent over SSL |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| path | Yes | String | The document path (ie www.a.com/this/is/the/path) |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| port | Yes | Integer | The port the request is/was sent to |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| post\\_params | Yes | RepeatableDict | Post parameters |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| raw\\_data | Yes | String | The data part of the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| raw\\_headers | No | String | The text of the headers section of the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| reqid | Yes | Integer | The ID of the request. If set when save() is called, it replaces the request with the same id in the database |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| response | Yes | Response | The associated response for the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| rsptime | No | Datetime Delta | The time it took to complete the request. Set when submit() is called |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| status\\_line | Yes | String | The status line of the request (ie 'GET / HTTP/1.1') |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| time\\_end | Yes | Datetime | The time when the request was completed |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| time\\_start | Yes | Datetime | The time when the request was started |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| unmangled | Yes | Request | If the request was mangled, the unmangled version of the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| url | Yes | String | The URL of the request (ie 'https://www.google.com') |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| url\\_params | Yes | RepeatableDict | The URL parameters of the request |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| verb | Yes | String | The verb used for the request (ie GET, POST, PATCH, HEAD, etc). Doesn't have to be a valid verb. |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n| version | Yes | String | The version part of the status line (ie 'HTTP/1.1') |\n+-----------------+-------------+------------------+-----------------------------------------------------------------------------------------------------------------+\n\nRequest methods:\n\n+------------+-------------------------------------------------------------------------------------------------------------------------------+\n| Function | Description |\n+============+===============================================================================================================================+\n| submit() | Submit the request through the proxy. Does not save the request to the data file |\n+------------+-------------------------------------------------------------------------------------------------------------------------------+\n| save() | Save the request, its unmangled version, its associated response, and the unmangled version of the response to the database |\n+------------+-------------------------------------------------------------------------------------------------------------------------------+\n\nAnd here is a quick list of attributes that you can use with\n``Response`` objects:\n\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Attribute | Settable? | Data Type | Description |\n+==================+=============+==================+=================================================================================================================================================================================+\n| cookies | Yes | RepeatableDict | Cookies set by the response |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| headers | Yes | RepeatableDict | The headers of the response |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| response\\_code | Yes | Integer | The response code of the response |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| response\\_text | Yes | String | The text associated with the response code (ie OK, NOT FOUND) |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| rspid | Yes | Integer | The response id of the response. If this is the same as another response in the database, calling save() on the associated request will replace that response in the database |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| unmangled | Yes | Response | If the response was mangled, this will refer to the unmangled version of the response. Otherwise it is None |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| version | Yes | String | The version part of the status line of the response (ie 'HTTP/1.1') |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| raw\\_headers | No | String | A text version of the headers of the response |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| status\\_line | Yes | String | The status line of the response |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| raw\\_data | Yes | String | The data portion of the response |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| full\\_response | No | String | The full text version of the response including headers and data |\n+------------------+-------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nLike I said, these interfaces are prone to change and will probably\ncrash when you use them. If you get a traceback, send me an email so I\ncan fix it.\n\nUseful Functions\n~~~~~~~~~~~~~~~~\n\nThere are also a few functions which could be useful for creating\nrequests in macros. It's worth pointing out that ``request_by_id`` is\nuseful for passing request objects as arguments. For example, here is a\nmacro that lets you resubmit a request with the Google Bot user agent:\n\n::\n\n ## macro_googlebot.py\n\n from pappyproxy.http import Request, get_request, post_request, request_by_id\n from pappyproxy.context import set_tag\n from pappyproxy.iter import *\n\n MACRO_NAME = 'Submit as Google'\n SHORT_NAME = ''\n\n def run_macro(args):\n req = request_by_id(args[0])\n req.headers['User-Agent'] = \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"\n req.submit()\n req.save()\n\n+-------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+\n| Function | Description |\n+=======================================================+=============================================================================================================+\n| get\\_request(url, url\\_params={}) | Returns a Request object that contains a GET request to the given url with the given url params |\n+-------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+\n| post\\_request(url, post\\_params={}, url\\_params={}) | Returns a Request object that contains a POST request to the given url with the given url and post params |\n+-------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+\n| request\\_by\\_id(reqid) | Get a request object from its id. |\n+-------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+\n\nIntercepting Macros\n-------------------\n\nIntercepting macros let you mangle requests as they pass through the\nproxy. Similarly to normal macros, an intercepting macro is any python\nscript with an \"int\" prefix. For example, ``int_name.py`` would be a\nvalid intercepting macro name. They are also loaded with the ``lma``\ncommand. An intercepting macro can define two functions:\n``mangle_request`` or ``mangle_response``. Both requests only take a\n``Request`` object as a parameter. ``mangle_request`` returns either a\nnew, modified Request object to change it, or it can return the original\nobject to not mangle it. The ``mange_response`` must return a\n``Response`` (not request!) object. The request passed in to\n``mangle_response`` will have an associated response with it. If you\nwant to modify the response, copy ``request.response``, make\nmodifications, then return it. If you would like to pass it through\nuntouched, just return ``request.response``.\n\nNote, that due to twisted funkyness, *you cannot save requests from\nintercepting macros*. Technically you **can**, but to do that you'll\nhave to define ``async_mangle_request`` (or response) instead of\n``mangle_request`` (or response) then use ``Request.async_deep_save``\nwhich generates a deferred, then generate a deferred from\n``async_mangle_requests`` (inline callbacks work too). If you've never\nused twisted before, please don't try. Twisted is hard. Plus the mangled\nrequest will be saved before it is submitted anyways.\n\nConfusing? Here are some example intercepting macros:\n\n::\n\n ## int_cloud2butt.py\n\n import string\n\n MACRO_NAME = 'Cloud to Butt'\n\n def mangle_response(request):\n r = request.response.copy()\n r.raw_data = string.replace(r.raw_data, 'cloud', 'butt')\n r.raw_data = string.replace(r.raw_data, 'Cloud', 'Butt')\n return r\n\n::\n\n ## int_donothing.py\n\n import string\n\n MACRO_NAME = 'Do Nothing'\n\n def mangle_request(request):\n return request\n\n def mangle_response(request):\n return request.response\n\n::\n\n ## int_adminplz.py\n\n from base64 import base64encode as b64e\n\n MACRO_NAME = 'Admin Session'\n\n def mangle_request(request):\n r = request.copy()\n r.headers['Authorization'] = 'Basic %s' % b64e('Admin:Password123')\n return r\n\nIn addition, you can use an ``init(args)`` function to get arguments\nfrom the command line. If no arguments are passed, args will be an empty\nlist. Here is an example macro that does a search and replace:\n\n::\n\n ## int_replace.py\n\n MACRO_NAME = 'Find and Replace'\n SHORT_NAME = ''\n runargs = []\n\n def init(args):\n global runargs\n runargs = args\n\n def mangle_request(request):\n global runargs\n if len(runargs) < 2:\n return request\n request.body = request.body.replace(runargs[0], runargs[1])\n return request\n\n def mangle_response(request):\n global runargs\n if len(runargs) < 2:\n return request.response\n request.response.body = request.response.body.replace(runargs[0], runargs[1])\n return request.response\n\nYou can use this macro to do any search and replace that you want. For\nexample, if you wanted to replace \"Google\" with \"Skynet\", you can run\nthe macro like this:\n\n::\n\n pappy> lma\n Loaded \"\"\n pappy> rim replace Google Skynet\n \"Find and Replace\" started\n pappy> \n\nNow every site that you visit will be a little bit more accurate.\n\nEnabling/Disabling Intercepting Macros\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nYou can use the following commands to start/stop intercepting macros\n\n+-------------------------------+------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+===============================+====================================+================================================================================================================================+\n| ``lma [dir]`` | ``load_macros``, ``lma`` | Load macros from a directory. If ``dir`` is not given, use the current directory (the project directory) |\n+-------------------------------+------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+\n| ``rim `` | ``run_int_macro``, ``rim`` | Run an intercepting macro. Similarly to normal macros you can use the name, short name, or file name of the macro. |\n+-------------------------------+------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+\n| ``sim [args]`` | ``stop_int_macro``, ``sim`` | Stop an intercepting macro. If arguments are given, they will be passed to the macro's ``init(args)`` function if it exists. |\n+-------------------------------+------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+\n| ``lim`` | ``list_int_macros``, ``lsim`` | List all enabled/disabled intercepting macros |\n+-------------------------------+------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+\n| ``gima `` | ``generate_int_macro``, ``gima`` | Generate an intercepting macro with the given name. |\n+-------------------------------+------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+\n\nLogging\n-------\n\nYou can watch in real-time what requests are going through the proxy.\nVerbosisty defaults to 1 which just states when connections are\nmade/lost and some information on what is happening. If verbosity is set\nto 3, it includes all the data which is sent through the proxy and\nprocessed. It will print the raw response from the server, what it\ndecodes it to, etc. Even if you don't run this command, all the\ninformation is stored in the dubug directory (the directory is cleared\nevery start though!)\n\n+-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Description |\n+=======================+===============================================================================================================================================================================================================================+\n| ``log [verbosity]`` | View the log at the given verbosity. Default verbosity is 1 which just shows connections being made/lost and some other info, verbosity 3 shows full requests/responses as they pass through and are processed by the proxy |\n+-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nAdditional Commands and Features\n--------------------------------\n\nThis is a list of other random stuff you can do that isn't categorized\nunder anything else. These are mostly commands that I found that I\nneeded while doing a test and just added. They likely don't do a ton of\nerror checking.\n\n+----------------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Command | Aliases | Description |\n+========================================+=====================+=======================================================================================================================================================+\n| ``dump_response [filename]`` | ``dump_response`` | Dumps the data from the response to the given filename (useful for images, .swf, etc). If no filename is given, it uses the name given in the path. |\n+----------------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``export `` | ``export`` | Writes either the full request or response to a file in the current directory. |\n+----------------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+\n| ``merge `` | ``merge`` | Add all the requests from another datafile to the current datafile |\n+----------------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nResponse streaming\n~~~~~~~~~~~~~~~~~~\n\nIf you don't have any intercepting macros running, Pappy will forward\ndata to the browser as it gets it. However, if you're trying to mangle\nmessages/responses, Pappy will need to download the entire message\nfirst.\n\nPlugins\n-------\n\nNote that this section is a very quick overview of plugins. For a full\ndescription of how to write them, please see `the official\ndocs `__.\n\nIt is also possible to write plugins which are reusable across projects.\nPlugins are simply Python scripts located in ``~/.pappy/plugins``.\nPlugins are able to create new console commands and maintain state\nthroughout a Pappy session. They can access the same API as macros, but\nthe plugin system is designed to allow you to create general purpose\ncommands as compared to macros which are meant to be project-specific\nscripts. Still, it may not be a bad idea to try building a macro to do\nsomething in a quick and dirty way before writing a plugin since plugins\nare more complicated to write.\n\nA simple hello world plugin could be something like:\n\n::\n\n ## hello.py\n import shlex\n\n def hello_world(line):\n if line:\n args = shlex.split(line)\n print 'Hello, %s!' % (', '.join(args))\n else:\n print \"Hello, world!\"\n\n ###############\n ## Plugin hooks\n\n def load_cmds(cmd):\n cmd.set_cmds({\n 'hello': (hello_world, None),\n })\n cmd.add_aliases([\n ('hello', 'hlo'),\n ('hello', 'ho'),\n ])\n\nYou can also create commands which support autocomplete:\n\n::\n\n import shlex\n\n _AUTOCOMPLETE_NAMES = ['alice', 'allie', 'sarah', 'mallory', 'slagathor']\n\n def hello_world(line):\n if line:\n args = shlex.split(line)\n print 'Hello, %s!' % (', '.join(args))\n else:\n print \"Hello, world!\"\n \n def complete_hello_world(text, line, begidx, endidx):\n return [n for n in _AUTOCOMPLETE_NAMES if n.startswith(text)]\n \n ###############\n ## Plugin hooks\n\n def load_cmds(cmd):\n cmd.set_cmds({\n 'hello': (hello_world, complete_hello_world),\n })\n cmd.add_aliases([\n ('hello', 'hlo'),\n ])\n\nThen when you run Pappy you can use the ``hello`` command:\n\n::\n\n $ pappy -l\n Temporary datafile is /tmp/tmpBOXyJ3\n Proxy is listening on port 8000\n pappy> ho\n Hello, world!\n pappy> ho foo bar baz\n Hello, foo, bar, baz!\n pappy> ho foo bar \"baz lihtyur\"\n Hello, foo, bar, baz lihtyur!\n pappy>\n\nShould I Write a Plugin or a Macro?\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nA lot of the time, you can get away with writing a macro. However, you\nmay consider writing a plugin if:\n\n- You find yourself copying one macro to multiple projects\n- You want to write a general tool that can be applied to any website\n- You need to maintain state during the Pappy session\n\nMy guess is that if you need one quick thing for a project, you're\nbetter off writing a macro first and seeing if you end up using it in\nfuture projects. Then if you find yourself needing it a lot, write a\nplugin for it. You may also consider keeping a ``mine.py`` plugin where\nyou can write out commands that you use regularly but may not be worth\ncreating a dedicated plugin for.\n\nGlobal Settings\n---------------\n\nThere are some settings that apply to Pappy as a whole and are stored in\n``~/.pappy/global_config.json``. These settings are generally for tuning\nperformance or modifying behavior on a system-wide level. No information\nabout projects is put in here since it is world readable. You can\ntechnically add settings in here for plugins that you write, but if it's\nat all possible, please keep settings in the normal project config.\n\nSettings included in ``~/.pappy/global_config.json``:\n\n+---------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| Setting | Description |\n+===============+===============================================================================================================================================================================+\n| cache\\_size | The number of requests from history that will be included in memory at any given time. Set to -1 to keep everything in memory. See the request cache section for more info. |\n+---------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n\nUsing a SOCKS Server\n--------------------\n\nPappy allows you to use an upstream SOCKS server. You can do this by\nadding a ``socks_proxy`` value to config.json. You can use the following\nfor anonymous access to the proxy:\n\n::\n\n \"socks_proxy\": {\"host\":\"socks.proxy.host\", \"port\":5555}\n\nTo use credentials you add a ``username`` and ``password`` value to the\ndictionary:\n\n::\n\n \"socks_proxy\": {\"host\":\"socks.proxy.host\", \"port\":5555, \"username\": \"mario\", \"password\":\"ilovemushrooms\"}\n\nAnything that passes through any of the active listeners will use the\nproxy.\n\nTransparent Host Redirection\n----------------------------\n\nSometimes you get a frustrating thick client that doesn\u2019t let you mess\nwith proxy settings to get it to go through a proxy. However, if you can\nredirect where it sends its traffic to localhost, you can get Pappy to\ntake that traffic and redirect it to go where it should.\n\nIt takes root permissions to listen on low numbered ports. As a result,\nwe\u2019ll need to do some root stuff to listen on ports 80 and 443 and get\nthe data to Pappy. There are two ways to get the traffic to Pappy. The\nfirst is to set up port forwarding as root to send traffic from\nlocalhost:80 to localhost:8080 and localhost:443 to localhost:8443\n(since we can listen on 8080 and 8443 without root). Or you can YOLO,\nrun Pappy as root and just have it listen on 80 and 443.\n\nAccording to Google you can use the following command to forward port 80\non localhost to 8080 on Linux:\n\n::\n\n iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-ports 8080\n\nThen to route 443 to 8443:\n\n::\n\n iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j REDIRECT --to-ports 8443\n\nOf course, both of these need to be run as root.\n\nThen on mac it\u2019s\n\n::\n\n echo \"\n rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080\n rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443\n \" | sudo pfctl -ef -\n Then to turn it off on mac it\u2019s\n sudo pfctl -F all -f /etc/pf.conf\n\nThen modify the listener settings in the project\u2019s config.json to be:\n\n::\n\n \"proxy_listeners\": [\n {\"port\": 8080, \"interface\": \"127.0.0.1\", \"forward_host\": \"www.example.faketld\"},\n {\"port\": 8443, \"interface\": \"127.0.0.1\", \"forward_host_ssl\": \"www.example.faketld\"},\n ]\n\nThis configuration will cause Pappy to open a port on 8080 that will\naccept connections normally and a port on 8443 which will accept SSL\nconnections. The forward\\_host setting tells Pappy to redirect any\nrequests sent to the port to the given host. It will also update the\nrequest\u2019s host header. forward\\_host\\_ssl does the same thing, but it\nlistens for SSL connections and forces the connection to use SSL.\n\nOr if you\u2019re going to YOLO it do the same thing then listen on port\n80/443 directly. I do not suggest you do this.\n\n::\n\n \"proxy_listeners\": [\n {\"port\": 80, \"interface\": \"127.0.0.1\", \"forward_host\": \"www.example.faketld\"},\n {\"port\": 443, \"interface\": \"127.0.0.1\", \"forward_host_ssl\": \"www.example.faketld\"},\n ]\n\nPappy will automatically use this host to make the connection and\nforward the request to the new server.\n\nFAQ\n---\n\nI still like Burp, but Pappy looks interesting, can I use both?\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nYes! If you don't want to go completely over to Pappy yet, you can\nconfigure Burp to use Pappy as an upstream proxy server. That way,\ntraffic will go through both Burp and Pappy and you can use whichever\nyou want to do your testing.\n\nHow to have Burp forward traffic through Pappy:\n\n1. Open Burp\n2. Go to ``Options -> Connections -> Upstream Proxy Servers``\n3. Click ``Add``\n4. Leave ``Destination Host`` blank, but put ``127.0.0.1`` in\n ``Proxy Host`` and ``8000`` into ``Port`` (assuming you're using the\n default listener)\n5. Configure your browser to use Burp as a proxy\n\nWhy does my request have an id of ``--``?!?!\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nYou can't do anything with a request/response until it is decoded and\nsaved to disk. In between the time when a request is decoded and when\nit's saved to disk, it will have an ID of ``--``. So just wait a little\nbit and it will get an ID you can use.\n\nBoring, Technical Stuff\n-----------------------\n\nI do some stuff to try and keep speed and memory usage to reasonable\nlevels. Unfortunately, things might seem slow in some areas. This is\nwhere I try and explain why those exist. Honestly, you probably don't\ncare about this, but I'd rather have it written down and have nobody\nread it than just leave people in the dark.\n\nRequest Cache / Memory usage\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nFor performance reasons, Pappy by default will not store every request\nin memory. The cache will store a certain number of the most recently\naccessed requests in memory. This means that if you go through all of\nhistory, it could be slow (for example running ``ls a`` or ``sm``). If\nyou have enough RAM to keep everything in memory, you can set the\nrequest cache size to -1 to just keep everything in memory. However,\neven if the cache size is unlimited, it still won't load a request into\nmemory untill you access it. So if you want to load everything in\nmemory, run ``ls a``.\n\nBy default, Pappy will cache 2000 requests. This is kind of heavy, but\nit's assumed you're doing testing on a reasonably specced laptop.\nPersonally, I live on the edge and use -1 until I run into memory\nissues.\n\nChangelog\n---------\n\nThe boring part of the readme\n\n- 0.2.7\n\n - boring unit tests\n - should make future releases more stable I guess\n - Support for upstream SOCKS servers\n - ``print_params`` command\n - ``inv`` filter\n - ``param_info`` command\n - Filters by request/response only headers/body\n - Transparent host redirection\n - Some easier to type aliases for common commands\n\n- 0.2.6\n\n - Fix pip being dumb\n - ``watch`` command to watch requests/responses in real time\n - Added ``pp[qs] form `` to print POST data\n - Bugfixes\n\n- 0.2.5\n\n - Requests sent with repeater now are given ``repeater`` tag\n - Add ppq and pps commands\n - Look at the pretty prompt\n - Bugfixes\n\n- 0.2.4\n\n - Add command history saving between sessions\n - Add html encoder/decoder\n - All the bugs were fixed so I added some more for 0.2.5\n\n- 0.2.3\n\n - Decoder functions\n - Add ``merge`` command\n - Bugfixes\n\n- 0.2.2\n\n - COLORS\n - Performance improvements\n - Bugfixes (duh)\n\n- 0.2.1\n\n - Improve memory usage\n - Tweaked plugin API\n\n- 0.2.0\n\n - Lots of refactoring\n - Plugins\n - Bugfixes probably\n - Change prompt to make Pappy look more professional (but it will\n always be pappy time in your heart, I promise)\n - Create changelog\n - Add response streaming if no intercepting macros are active\n\n- 0.1.1\n\n - Start using sane versioning system\n - Did proxy things",
"description_content_type": null,
"docs_url": null,
"download_url": "https://github.com/roglew/pappy-proxy/archive/0.2.14.tar.gz",
"downloads": {
"last_day": -1,
"last_month": -1,
"last_week": -1
},
"home_page": "https://www.github.com/roglew/pappy-proxy",
"keywords": "http proxy hacking 1337hax pwnurmum",
"license": "MIT",
"maintainer": null,
"maintainer_email": null,
"name": "pappyproxy",
"package_url": "https://pypi.org/project/pappyproxy/",
"platform": "UNKNOWN",
"project_url": "https://pypi.org/project/pappyproxy/",
"project_urls": {
"Download": "https://github.com/roglew/pappy-proxy/archive/0.2.14.tar.gz",
"Homepage": "https://www.github.com/roglew/pappy-proxy"
},
"release_url": "https://pypi.org/project/pappyproxy/0.2.14/",
"requires_dist": null,
"requires_python": null,
"summary": "The Pappy Intercepting Proxy",
"version": "0.2.14"
},
"last_serial": 2433283,
"releases": {
"0.0.1": [
{
"comment_text": "",
"digests": {
"md5": "b54565e6914aba3b9c6e3e09bc335b0e",
"sha256": "7760306fdca16cae9bb67e8b27a9d17cf7be62c8fc51ca6f8512c1e394d3c29d"
},
"downloads": -1,
"filename": "pappyproxy-0.0.1.tar.gz",
"has_sig": false,
"md5_digest": "b54565e6914aba3b9c6e3e09bc335b0e",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 51267,
"upload_time": "2015-11-24T05:24:56",
"url": "https://files.pythonhosted.org/packages/86/d1/5f70b57e8566de236437bfff264a53462d8e113420efc76d4e521cb77ffd/pappyproxy-0.0.1.tar.gz"
}
],
"0.0.2": [
{
"comment_text": "",
"digests": {
"md5": "ac90bafcbb295d989ed85ed83cdde842",
"sha256": "f287dbe1faff25613b469220c14c02ae82ee6cf6775934ffcc374740cf20c816"
},
"downloads": -1,
"filename": "pappyproxy-0.0.2.tar.gz",
"has_sig": false,
"md5_digest": "ac90bafcbb295d989ed85ed83cdde842",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4787506,
"upload_time": "2015-12-29T05:04:09",
"url": "https://files.pythonhosted.org/packages/be/91/fa5a2c98f5f22e5ffced65776f35fb2168efed5e4a5496edf4be84071e76/pappyproxy-0.0.2.tar.gz"
}
],
"0.1.0": [
{
"comment_text": "",
"digests": {
"md5": "d5d85cef82c2b48c0a05784c65f9e4d5",
"sha256": "9a5987dd1665dbd3b5635766ed7222716c118f238922b8d8f1f704f7ec7f1472"
},
"downloads": -1,
"filename": "pappyproxy-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "d5d85cef82c2b48c0a05784c65f9e4d5",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4800391,
"upload_time": "2015-12-29T05:26:05",
"url": "https://files.pythonhosted.org/packages/6f/5f/c3865091671fbbfa0e8fbe0dc91d8e1615228c984b23757aea79aadee063/pappyproxy-0.1.0.tar.gz"
}
],
"0.1.1": [
{
"comment_text": "",
"digests": {
"md5": "8c4cd266052b46e444628f8cbc9fbc13",
"sha256": "29d370e8bb9e9d3b82e8648b5503cdb0b4e18246c4bf96dfd7e4643dbddf1bd8"
},
"downloads": -1,
"filename": "pappyproxy-0.1.1.tar.gz",
"has_sig": false,
"md5_digest": "8c4cd266052b46e444628f8cbc9fbc13",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4817314,
"upload_time": "2015-12-29T06:37:18",
"url": "https://files.pythonhosted.org/packages/b7/51/f6e56a98de01cfd2bb8ee0e4c7df007d5848edc99862be590dc15030ee67/pappyproxy-0.1.1.tar.gz"
}
],
"0.2.10": [
{
"comment_text": "",
"digests": {
"md5": "2781038a885d121e7a03948df96751a8",
"sha256": "8146e00791f4972f2deccc07e148d0b90d8beeae7d4b70778e290d83160749e7"
},
"downloads": -1,
"filename": "pappyproxy-0.2.10.tar.gz",
"has_sig": false,
"md5_digest": "2781038a885d121e7a03948df96751a8",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 292870,
"upload_time": "2016-03-30T20:25:30",
"url": "https://files.pythonhosted.org/packages/da/1c/8b831851d81aee2a3280517c31e1037782779b9f0fc7efc8594b4fa3466d/pappyproxy-0.2.10.tar.gz"
}
],
"0.2.11": [
{
"comment_text": "",
"digests": {
"md5": "1f300450c00e86e107effd13f879975c",
"sha256": "bc5c0eadba146b7b4e93d3575801c08d105aaeb09d0a5404d18b9aa2925f4152"
},
"downloads": -1,
"filename": "pappyproxy-0.2.11.tar.gz",
"has_sig": false,
"md5_digest": "1f300450c00e86e107effd13f879975c",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 302482,
"upload_time": "2016-04-14T22:28:04",
"url": "https://files.pythonhosted.org/packages/27/01/d634c9b0950d1437e756c397d490fe4c5e9cdab2c184995aa5bf7c02fa9a/pappyproxy-0.2.11.tar.gz"
}
],
"0.2.12": [
{
"comment_text": "",
"digests": {
"md5": "52495af3fd3bc77b1898da5032ebac58",
"sha256": "3c2244b27304c857111f0a78f6286e3c9f71e4e8bf2b8d27726cf45ed9a22798"
},
"downloads": -1,
"filename": "pappyproxy-0.2.12.tar.gz",
"has_sig": false,
"md5_digest": "52495af3fd3bc77b1898da5032ebac58",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4950290,
"upload_time": "2016-10-12T19:09:42",
"url": "https://files.pythonhosted.org/packages/59/e9/79b478ee5593e74b1c414b4a827329737b28e35fec44388d3869c48aa2de/pappyproxy-0.2.12.tar.gz"
}
],
"0.2.13": [
{
"comment_text": "",
"digests": {
"md5": "26e049d3208d30b460eb5fd78cd1bb40",
"sha256": "6f1cdbd81dc0dd2e35619276eeb53208a695a3701c931e99bb907f8423422c20"
},
"downloads": -1,
"filename": "pappyproxy-0.2.13.tar.gz",
"has_sig": false,
"md5_digest": "26e049d3208d30b460eb5fd78cd1bb40",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4950324,
"upload_time": "2016-10-12T19:15:12",
"url": "https://files.pythonhosted.org/packages/c9/98/eee819cc3418412a73cc0dde814596d018c9097a4806159d58b91baa9a9c/pappyproxy-0.2.13.tar.gz"
}
],
"0.2.14": [
{
"comment_text": "",
"digests": {
"md5": "e530677bb317f9341989c01876aeaec7",
"sha256": "df491694b893f2420e7e45990c0e2ea68059990ec2ab37d3f9cf592a57b811ca"
},
"downloads": -1,
"filename": "pappyproxy-0.2.14.tar.gz",
"has_sig": false,
"md5_digest": "e530677bb317f9341989c01876aeaec7",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 5040070,
"upload_time": "2016-10-31T16:57:24",
"url": "https://files.pythonhosted.org/packages/b8/38/bae4144dfc6aba61f6318273c182c82a3ba34be3106bf2b97f51d778d5f8/pappyproxy-0.2.14.tar.gz"
}
],
"0.2.6": [
{
"comment_text": "",
"digests": {
"md5": "6e2be161e896cbb4e340213edab064b9",
"sha256": "651db17ceb8f0e0754707bb1da2da6c8a9e52e8d4b30d8d6ded80c49898e532e"
},
"downloads": -1,
"filename": "pappyproxy-0.2.6.tar.gz",
"has_sig": false,
"md5_digest": "6e2be161e896cbb4e340213edab064b9",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 145255,
"upload_time": "2016-02-12T16:18:29",
"url": "https://files.pythonhosted.org/packages/0c/d1/31ccad8dce4afdd5ac9b1be33043a75954cb2867169a0bebfae4c2fd81f6/pappyproxy-0.2.6.tar.gz"
}
],
"0.2.7": [
{
"comment_text": "",
"digests": {
"md5": "bb18fa94d5109f5cf363f70ecccdca73",
"sha256": "888ede1f3d6cc10834dc3e9083426d5e86f42f04be13622b06c9836b459916aa"
},
"downloads": -1,
"filename": "pappyproxy-0.2.7.tar.gz",
"has_sig": false,
"md5_digest": "bb18fa94d5109f5cf363f70ecccdca73",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 177691,
"upload_time": "2016-02-18T21:35:01",
"url": "https://files.pythonhosted.org/packages/6b/b5/f9c98fdc97aee3889ee6287034d15ba7af6f1fe2b0e45fa70f324ea14c39/pappyproxy-0.2.7.tar.gz"
}
],
"0.2.8": [
{
"comment_text": "",
"digests": {
"md5": "95d0b05829c81faf4aa96103b7d3f718",
"sha256": "a140e7050e596daddefffc7142e1a58966d7ee796df452fb115255fbdbb98749"
},
"downloads": -1,
"filename": "pappyproxy-0.2.8.tar.gz",
"has_sig": false,
"md5_digest": "95d0b05829c81faf4aa96103b7d3f718",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 248214,
"upload_time": "2016-03-08T22:00:12",
"url": "https://files.pythonhosted.org/packages/50/c0/6d3d340c5a267657f6940117bf39f1d8984d4119a8b66b695f6a31424e19/pappyproxy-0.2.8.tar.gz"
}
]
},
"urls": [
{
"comment_text": "",
"digests": {
"md5": "e530677bb317f9341989c01876aeaec7",
"sha256": "df491694b893f2420e7e45990c0e2ea68059990ec2ab37d3f9cf592a57b811ca"
},
"downloads": -1,
"filename": "pappyproxy-0.2.14.tar.gz",
"has_sig": false,
"md5_digest": "e530677bb317f9341989c01876aeaec7",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 5040070,
"upload_time": "2016-10-31T16:57:24",
"url": "https://files.pythonhosted.org/packages/b8/38/bae4144dfc6aba61f6318273c182c82a3ba34be3106bf2b97f51d778d5f8/pappyproxy-0.2.14.tar.gz"
}
]
}