Get the top HN stories in your inbox every day.
ericjung1982
I wrote the FoxyProxy for Firefox and Chrome web extensions. The Firefox version has a good logging mechanism, although no modification capabilities. Are you looking for contributors?
sachinjain
Wow, FoxyProxy is very popular on Firefox. I'd definitely love to discuss this. Can you please drop a hi at sachin@requestly.io
Mattwmaster58
I'm interested in this for its potential reverse engineering apps on Android. I've had some success with `mitmproxy` but I'm wondering what other HN-ers use for this purpose.
matt_heimer
I've been building a list of apps and libraries in this space. In no particular order:
https://dutzi.github.io/tamper/
https://www.telerik.com/fiddler
https://github.com/alibaba/lightproxy
https://wiki.squid-cache.org/Features/SslPeekAndSplice
http://www.tofuproxy.stargrave.org/
https://github.com/http-party/node-http-proxy
ohgodplsno
Note that any properly made android app will pin its certificates and disallow user-added certificates, so you'll only see garbage go through. You need to install your certificate as a system certificate, which either requires root, or using the emulator.
sachinjain
great collection. You can also create a Github awesome repo collection like awesome-requests-proxy-tools
michaelkariv
Second that. Would be most useful, especially if maintained. I myself am still on fiddler
UPDATE: did that myself, but wish someone takes over. I only check for new and better stuff once in 3 years. The community deserves someone better.
mzfr
I use burp suite(community version) for the same purpose along with frida. There is also Brida[1] its sort of a bridge between both of them.
Something which I don't like is that every time I need the traffic to go through burp I need to go the WiFi settings and modify the "advance option" to use proxy. And if I keep the proxy settings on all the time then I've had issues with playstore and other such app, on the testing device. So that small bit of manual work is what I don't like.
In another comment[2] they mentioned they'll be releasing an android interceptor which would work without proxy, I think that would make me try this.
[1] [https://github.com/federicodotta/Brida](https://github.com/f...
[2] [https://news.ycombinator.com/item?id=30541263](https://news....
radlad
I recently used Fiddler along with Frida[1] to deal with cert pinning in the app I was looking into.
abdusco
Sweet, thanks for the link.
I was looking for something like this. Tried mitmproxy but it was useless against cert pinning. So I went with decompiling the app to extract the auth keys and urls for the internal API it was using.
c0wb0yc0d3r
Is there a way to deal cert pinning without decompiling the app?
franga2000
Here's my setup (for private projects, work stuff is under NDA):
- Android device running Android 10 (generally using older versions is better) - Magisk for root + Trust User Certificates module - mitmproxy (sometimes using mitmweb) - ProxyDroid to connect to mitmproxy - Frida with a one of a handful open source SSL pinning bypass scripts (and a custom one at work)
When network requests aren't enough, I reach for JADX-GUI for decompilation and Frida (REPL and custom scripts) for extracting data at runtime (taking the necessary "cleanroom" precautions for commercial projects).
chrisweekly
Same. mitmproxy (and its built-in mitmdump lib), along w/ the (criminally obscure / amazing) lnav (https://lnav.org), have served me very well in the past for this kind of thing.
sachinjain
I have seen Inav earlier but never used it. Does it also provide response modification capabilities?
chrisweekly
No, at least not out of the box, bc that's outside its intended realm; lnav (short for log navigator) is like a mini-ETL CLI powertool w/ embedded SQLite. You can pipe (semi/)structured data in, then query and optionally transform and/or export it out. Its API makes it convenient for chaining w/ tools like mitmproxy, so you could do almost anything with it in a custom script pipeline.
DerJacques
This looks great! Congratulations. I particularly like the "shortcuts" to common actions like "Insert JS/CSS". That's very useful!
I want to also give a shoutout to https://proxyman.io/. Proxyman is a native Mac App that also works as a local proxy and is a pleasure to use. I've been using it for similar workflows and can highly recommend it over Charles (the SSL handling alone is 100x simpler).
sachinjain
Insert JS is one of the most used features. Requestly also allows adding multiple scripts which are loaded sequentially So you can basically add a library URL like jQuery and write a code block which depends upon jQuery. Proxyman is a very good tool. No doubt over it. SSL handling is a challenge and I just don't like the way we have to setup things for Mobile app debugging, that's the trigger for building the native SDK for us.
santa_boy
I too used to use paid-version of Charles and then moved to Proxyman. I particularly like the scripting ability in Proxyman.
sachinjain
Interesting! What was the trigger point to move to Proxyman. How did you port the configurations you already had in Charles? Did you have to recreate them?
101008
Proxyman looks like something I always wanted: does it allow you to say "when any browsers/webpage request this URL {url}, return this {content} instead of the original one"? And if it works like that, does anyone know something like that for Windows? Thanks!
sachinjain
Yes, You can do this with Requestly desktop app. You can use Modify Response feature to just specify a URL then specify the status code you need like 400 or 500 and then you can also specify what content do you want to return.
Requestly also lets you write a simple JS script to change something in the existing content. Here are some references for you - About Modify Response (https://requestly.io/feature/modify-response/), Change Status Code (https://stackoverflow.com/questions/50923170/simulate-fake-4...).
And yes, Requestly is available on Windows too.
nullbytesmatter
Honest question, why use a company product over free tools like zap or even burp for this?
sachinjain
Zap and burp are more optimized towards security testing. There's definitely some overlap in terms of network requests interception but the capabilities on top of interception varies a lot So It depends upon your use case. If you are an application developer/QA you will find zap & burp to be an overkill solution for even simplest of things.
Sytten
Congratulation! We are big fans of Requestly at Caido as we are building something somewhat similar for the infosec community (https://caido.io).
Requestly feels good and there is a lot of potential for production debugging. I particularly like the switching of API endpoint so you can use the live prod website with a local API, super useful to debug.
invalidname
If your interest extends to debugging production backends you can also check out Lightrun ( https://lightrun.com ) which continues this all the way through.
sachinjain
Lightrun looks really interesting. Have you personally used lightrun to debug anything directly in production? I saw the video on landing page and very curious to know how it works under the hood.
invalidname
Sure. It works differently for every language/platform e.g. for Java it uses a JVMTI agent. This connects to the backend server which then connects to the IDE.
This lets you send action commands to production without having a debug session into you K8S cloud.
atfzl
How does it compare with https://httptoolkit.tech/
orliesaurus
httptoolkit is open-source. this one doesn't seem so: no mention of open source on either homepage, nor on this Show HN intro
from
There's a site I use that checks for membership only on the client side and I use requestly to spoof premium status. Just had to write a simple script like this to modify the response body of the request that gets membership status:
function modifyResponse(args) {
const {method, url, response, responseType, requestHeaders, requestData} = args;
const responseDataParsed = JSON.parse(response);
responseDataParsed.result.user.vip_end = "2030-06-11T14:16:20.000Z";
responseDataParsed.result.user.expire_in = "3573 days, 3 hours";
responseDataParsed.result.user.is_premium = true;
return JSON.stringify(responseDataParsed);
}
sachinjain
FYI - We are adding a support for responseJSON in the arguments so you can just write the above code like this
function modifyResponse(args) { const {method, url, response, responseType, requestHeaders, requestData, responseJSON} = args;
responseJSON.result.user.vip_end = "2030-06-11T14:16:20.000Z";
responseJSON.result.user.expire_in = "3573 days, 3 hours";
responseJSON.result.user.is_premium = true;
return responseJSON;
}sachinjain
This is clever. How was the experience with Modify API Response? Were you able to figure out everything on your own or Was there a learning curve?
from
I wrote it over a year ago so I don't remember exactly but I think there was a template when you went to make a new script that made it easy. Had to google some things but I don't think it took me more than 15 minutes.
jwong_
I don't see any obvious links to mobile debugging in the features list or the FAQ. I see you mention an SDK here in the comment, but is there any links to docs on this?
I frequently use Charles/Fiddler, but always interested in new offerings. Congrats on the release!
sachinjain
@jwong_ We are about to do a public release of Android SDK. Here are a couple of things which we did for internal purpose only (& WIP) but still sharing to give you an idea
https://youtu.be/gs02m2pZJlQ (Demo Video)
https://requestly.io/android-interceptor/ (WIP - Landing Page)
I'd be really happy to discuss further on this approach. I believe this is going to make things really easy for developers.
jwong_
Thanks for the links!
Curious on the body -- you showed some JSON requests, but do image resources or other larger responses also get proxied and viewable from browser?
For example, sometimes I like to view large minified JS blobs or images. Would that be viewable in the browser?
Also, what do the production vs debugging logs look like? Do you just run a special debugging build or is that a flag triggered within preferences? So e.g., would a user be able to turn debugging on to give extra logs to support staffs?
sachinjain
Our Native SDK provides listening to API Requests and Analytics events in your app. In order to view JS blogs or Images, you can use the desktop app - https://requestly.io/desktop
We provide the capability that you can disable the SDK in production builds and enable only in the debug builds. And yes we are going to provide the capability using which you can download or share the APIs and events sessions with your support staff.
ohgodplsno
Why would I use requestly for Android when perfectly good alternatives already exist ? Flipper (https://fbflipper.com/) lets me do all of this (viewing, mocks, etc), with the same setup. And it's extensible too. HTTP Toolkit offers the proxying solution to it. Is there anything that might be different ?
sachinjain
Thank you for asking this and This is a very good question. The way we are building Requestly is to be used within teams, test different case-cases, have them on cloud and use them again & again without setting up everything from scratch. Collaboration is an essential feature which is missing in this space. To give you an example - A developer working in E-Commerce domain has mocked an API to return empty slots for a cart, (s)he'd like to share it with the team so that anyone in the team can use the same configuration while making any changes in those files. Now, Think of a Repository of Rules available in your company when you have to test different scenarios. When you work on a particular component, you can just enable different configurations and test them out easily without having to know how to set those configurations up. I believe this really improves onboarding and efficiency in testing your code.
mat0
Requestly is awesome. I use it almost daily and to be honest I don't understand how this is not a native tool inside browser dev tools. It's such a simple idea yet so powerful. Thanks for your work
sachinjain
wow thanks! I believe Requestly is ChromeDevTools++ and Our vision is to make MobileDevTools++ and BackendDevTools++ really soon.
cyral
I've been using the Browser extension for years and it is incredibly helpful. We use it to debug scripts on customer websites by making them resolve to our local instance so that we can test fixes quickly.
I would recommend some sort of graphic on the homepage to explain what Requestly does though, as you mention it can be confused with Postman when it's entirely different. Maybe an animated flowchart type graphic showing how a browser request to X is redirected to Y based on some Requestly rule.
sachinjain
So glad to hear this. This is really good feedback. Noted this down. We will soon make this live. We already have an animated gif at https://requestly.io/feature/redirect-url/
Do you mean to say we should have an animated flowchart for the hero image on the page?
cyral
Yeah that image is exactly what I was thinking. I clicked the link in the post which was the download page which I mistake for the homepage.
sachinjain
This makes me realize that we need to improve upon the downloads page too. Noted this down. Feel free to drop me a Hi at sachin@requestly.io
ec109685
On iOS, the header doesn’t stick at the top of the page.
sachinjain
thank you for informing this! Making the fix.
matt_heimer
Congratulations! Looks super cool!
How challenging will it be to continue offering Chrome browser extension with the v3 manifest changes related to the blocking webRequest API? Does it impact requestly?
The Linux page, https://requestly.io/downloads/linux/, has MacOS instructions instead of Linux.
sachinjain
That's a very good question. Manifest V3 changes heavily impact Requestly because we use webRequest API to intercept the network requests. We have already started evaluating what works and what not.
A couple of things which I see right away not being supported directly in Manifest V3 are like adding a random parameter to URL to avoid caching, Inserting a script before page load etc.
Apart from this, from a couple of folks whom I know have migrated to Manifest V3 their users have faced some issues So I'd be most likely wait for another 4-5 months before doing the migration. Do you have any pointers for v2 to v3 migration?
Thanks for the tip about the Linux page.
graderjs
This is a fantastic story of how you created your success with Requestly. I wish you continued success!
Get the top HN stories in your inbox every day.
Hi HN, My name is Sachin - I’m the founder of Requestly (https://requestly.io) and I’m very happy to be here and get feedback from you all. Requestly is software that lets you intercept network requests, modify, and debug them. We’re available as a browser extension as well as a desktop app and Requestly is useful whether you are a web developer, backend developer, or mobile developer.
When developers work with APIs on their local machine, current experience is very broken. Requestly saves you time by letting you test your APIs faster without deployment on staging. Requestly also lets you simulate different failover and edge case scenarios which are hard to simulate without code changes.
Back in 2014, I was working on Adobe Target and I had a customer issue where the delivered campaign was showing FOUC (Flash of Unstyled Content) on the customer’s website and It was intermittent. It was so hard to debug with the minified production version of the script, I built a tool to perform a simple redirect of production JS to my locally running JS. I was then able to do logging and gradually pinpoint the exact issue and where I could optimize. My team and I debugged a lot of customer issues using this tool, which eventually became Requestly.
I just loved working on Requestly so I kept maintaining the project over weekends and supporting users. It started to gain traction organically and today it serves more than 40K monthly active users. In a later job at Blinkit (10min delivery platform in India), I saw how mobile app debugging is hard, and similar problems exist in backend development. I did a bit of both there and decided to work on Requestly full time to solve these problems.
You might have used solutions like Charles Proxy earlier! Charles is good and I am myself a huge fan, but when it comes to modification capabilities—setting up redirects or mocking API responses—it requires a lot of work. Collaboration is missing, data extraction and offline history are missing. It’d be fair to say that we are building a better alternative to Charles Proxy. We are also simplifying mobile app debugging by building a native SDK that anyone can connect to our Web.
Many users also confuse us with Postman. I’d clarify this as Postman is an API development platform, while Requestly is an API debugging and testing platform. For example - as a frontend engineer at Uber, I’d like to test how my app would react if the driver allocation API doesn’t respond on time - will there be an automatic retry, or does the app crash?
Requestly intercepts your local network traffic and provides capabilities like Mocking API Response, Simulate HTTP(s) Status Codes, Switching API endpoints, Redirect Production Traffic (or selective API) to stage/local environment, Inject scripts on web pages, and much more. Requestly is available as a browser extension on Chromium and Firefox, as well as a desktop app on MacOS, Windows, and Linux systems. You can download it at https://requestly.io/downloads We have a freemium model. The free plan has almost every feature but is limited to 3 modification rules. Our pricing is at https://app.requestly.io/pricing.
We are now building an open-source Android SDK that lets developers view their API traffic (and analytics events) on the web. This is in testing and planning to roll out very soon. This can be used by non-developers as well. Folks like product managers or digital marketers will be able to validate the analytics instrumentation easily. As a matter of fact, tools like Requestly are needed not only in development environments but also in production environments to debug distributed transactions. We are not there yet but we have plans to solve that problem too. One foot at a time :)
I’d love to hear your thoughts on the product experience. What specific challenges do you face while developing and testing your code changes? Do you ever have to make changes in your codebase to simulate a scenario? I’d like to discuss & brainstorm potential use-cases that can be solved with Requestly. I’ll do my best to answer in the comments.