ghost-proxy

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Reaper MITM Proxy

Reaper MITM代理

Reaper is a CLI-based MITM HTTPS proxy for application security testing. It intercepts, logs, and allows inspection of HTTP/HTTPS traffic flowing through it. Use it to capture live request/response pairs for security validation.

Reaper是一款基于CLI的MITM HTTPS代理，用于应用安全测试。它会拦截、记录并允许检查流经它的HTTP/HTTPS流量。使用它可以捕获实时的请求/响应对以进行安全验证。

Prerequisites

前提条件

Before using any reaper command, make sure the latest version of the binary is installed:

bash

curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash

All

reaper

commands in this document should be invoked as

~/.ghost/bin/reaper

unless

~/.ghost/bin

is on

PATH

使用任何reaper命令之前，请确保已安装最新版本的二进制文件：

bash

curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash

本文档中的所有

reaper

命令都应使用

~/.ghost/bin/reaper

调用，除非

~/.ghost/bin

已添加到

PATH

中。

Quick Reference

快速参考

Command	Purpose
`reaper start --domains example.com`	Start proxy (foreground)
`reaper start --domains example.com -d`	Start proxy (daemon)
`reaper logs`	Show recent captured entries
`reaper search --method POST --path /api/*`	Search captured traffic
`reaper get <id>`	Show full request + response
`reaper req <id>`	Show raw HTTP request only
`reaper res <id>`	Show raw HTTP response only
`reaper stop`	Stop the daemon

命令	用途
`reaper start --domains example.com`	启动代理（前台模式）
`reaper start --domains example.com -d`	启动代理（守护进程模式）
`reaper logs`	显示最近捕获的条目
`reaper search --method POST --path /api/*`	搜索已捕获的流量
`reaper get <id>`	显示完整的请求+响应
`reaper req <id>`	仅显示原始HTTP请求
`reaper res <id>`	仅显示原始HTTP响应
`reaper stop`	停止守护进程

Starting the Proxy

启动代理

Start reaper scoped to the target domain(s). At least one

--domains

--hosts

flag is required.

bash

undefined

启动限定于目标域名的reaper代理。至少需要一个

--domains

或

--hosts

参数。

bash

undefined

Intercept all traffic to example.com and its subdomains

拦截所有发往example.com及其子域名的流量

reaper start --domains example.com

Multiple domains

多个域名

reaper start --domains example.com,api.internal.co

Exact hostname matching

精确主机名匹配

reaper start --hosts api.example.com

Both domain suffix and exact host matching

同时使用域名后缀和精确主机匹配

reaper start --domains example.com --hosts special.internal.co

Custom port (default: 8443)

自定义端口（默认：8443）

reaper start --domains example.com --port 9090

Run as background daemon

以后台守护进程运行

reaper start --domains example.com -d


**Scope behavior**:
- `--domains`: Suffix match. `example.com` matches `example.com`, `api.example.com`, `sub.api.example.com`
- `--hosts`: Exact match. `api.example.com` matches only `api.example.com`
- Traffic outside scope passes through transparently without logging

reaper start --domains example.com -d


**范围行为**:
- `--domains`: 后缀匹配。`example.com`会匹配`example.com`、`api.example.com`、`sub.api.example.com`
- `--hosts`: 精确匹配。`api.example.com`仅匹配`api.example.com`
- 超出范围的流量会透明传递，不会被记录

Routing Traffic Through the Proxy

将流量路由到代理

Configure the HTTP client to use the proxy. The default listen address is

localhost:8443

bash

undefined

配置HTTP客户端以使用该代理。默认监听地址为

localhost:8443

。

bash

undefined

curl

curl命令

curl -x http://localhost:8443 -k https://api.example.com/endpoint

Environment variables (works with many tools)

环境变量（适用于许多工具）

export http_proxy=http://localhost:8443 export https_proxy=http://localhost:8443

Python requests

Python requests库

import requests requests.get("https://api.example.com/endpoint", proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"}, verify=False)


The `-k` / `verify=False` flag is needed because reaper generates its own CA certificate at startup for MITM TLS interception.

import requests requests.get("https://api.example.com/endpoint", proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"}, verify=False)


需要使用`-k` / `verify=False`参数，因为reaper在启动时会生成自己的CA证书用于MITM TLS拦截。

Viewing Captured Traffic

查看已捕获的流量

Show last 50 entries (default)

显示最后50条条目（默认）

reaper logs

Show last 200 entries

显示最后200条条目

reaper logs -n 200


Output columns: `ID`, `METHOD`, `HOST`, `PATH`, `STATUS`, `MS`, `REQ` (request body size), `RES` (response body size).

reaper logs -n 200


输出列：`ID`、`METHOD`、`HOST`、`PATH`、`STATUS`、`MS`、`REQ`（请求体大小）、`RES`（响应体大小）。

Searching

搜索

bash

undefined

bash

undefined

By HTTP method

按HTTP方法搜索

reaper search --method POST

By host (supports * wildcard)

按主机搜索（支持*通配符）

reaper search --host *.api.example.com

By domain suffix

按域名后缀搜索

reaper search --domains example.com

By path prefix (supports * wildcard)

按路径前缀搜索（支持*通配符）

reaper search --path /api/v3/transfer

By status code

按状态码搜索

reaper search --status 200

Combined filters

组合筛选条件

reaper search --method POST --path /api/v3/* --status 200 -n 50

undefined

reaper search --method POST --path /api/v3/* --status 200 -n 50

undefined

Inspecting Individual Entries

检查单个条目

bash

undefined

bash

undefined

Full request and response (raw HTTP)

完整的请求和响应（原始HTTP格式）

reaper get 42

Request only

仅查看请求

reaper req 42

Response only

仅查看响应

reaper res 42


Output is raw HTTP/1.1 format including headers and body, suitable for analysis or replay.

reaper res 42


输出为原始HTTP/1.1格式，包含头部和正文，适合分析或重放。

Stopping the Proxy

停止代理

bash

reaper stop

bash

reaper stop

Common Workflows

常见工作流程

Validate a Security Finding

验证安全漏洞

When used with the

validate

skill (may need to collaborate with the user to setup the test environment):

Start reaper scoped to the application domain
Verify traffic is being captured by running
```
reaper logs
```
— at least one entry should appear after routing a test request through the proxy
If no entries appear, verify proxy settings and domain scope match the target
Authenticate (or ask the user to authenticate) as a normal user and exercise the vulnerable endpoint legitimately
Search for the captured request to understand the expected request format
Craft and send a malicious request that exercises the exploit described in the finding
Inspect the response to determine if the exploit succeeded
Use
```
reaper get <id>
```
to capture the full request/response as evidence

与

validate

技能配合使用时（可能需要与用户协作设置测试环境）：

启动限定于应用域名的reaper代理
通过运行
```
reaper logs
```
验证流量是否被捕获——将测试请求路由到代理后，应至少显示一条条目
如果没有条目显示，验证代理设置和域名范围是否与目标匹配
以普通用户身份认证（或让用户进行认证），并合法地触发存在漏洞的端点
搜索已捕获的请求，以了解预期的请求格式
构造并发送恶意请求，以验证漏洞描述中的利用方式
检查响应以确定漏洞利用是否成功
使用
```
reaper get <id>
```
捕获完整的请求/响应作为证据

Data Storage

数据存储

All data is stored in

~/.reaper/

```
reaper.db
```
- SQLite database with captured entries
```
reaper.sock
```
- Unix socket for CLI-to-daemon IPC
```
reaper.pid
```
- Daemon process ID

The CA certificate is generated fresh in memory on each start and is not persisted.

所有数据都存储在

~/.reaper/

目录下：

```
reaper.db
```
- 存储已捕获条目的SQLite数据库
```
reaper.sock
```
- 用于CLI与守护进程通信的Unix套接字
```
reaper.pid
```
- 守护进程的进程ID

CA证书会在每次启动时在内存中重新生成，不会被持久化存储。

ghost-proxy

Original

Translation

Reaper MITM Proxy

Reaper MITM代理

Prerequisites

前提条件

Quick Reference

快速参考

Starting the Proxy

启动代理

Intercept all traffic to example.com and its subdomains

拦截所有发往example.com及其子域名的流量

Multiple domains

多个域名

Exact hostname matching

精确主机名匹配

Both domain suffix and exact host matching

同时使用域名后缀和精确主机匹配

Custom port (default: 8443)

自定义端口（默认：8443）

Run as background daemon

以后台守护进程运行

Routing Traffic Through the Proxy

将流量路由到代理

curl

curl命令

Environment variables (works with many tools)

环境变量（适用于许多工具）

Python requests

Python requests库

Viewing Captured Traffic

查看已捕获的流量

Recent Entries

最近条目

Show last 50 entries (default)

显示最后50条条目（默认）

Show last 200 entries

显示最后200条条目

Searching

搜索

By HTTP method

按HTTP方法搜索

By host (supports * wildcard)

按主机搜索（支持*通配符）

By domain suffix

按域名后缀搜索

By path prefix (supports * wildcard)

按路径前缀搜索（支持*通配符）

By status code

按状态码搜索

Combined filters

组合筛选条件

Inspecting Individual Entries

检查单个条目

Full request and response (raw HTTP)

完整的请求和响应（原始HTTP格式）

Request only

仅查看请求

Response only

仅查看响应

Stopping the Proxy

停止代理

Common Workflows

常见工作流程

Validate a Security Finding

验证安全漏洞

Data Storage

数据存储