Intercepting proxy
Pencheff ships an intercepting proxy that captures browser/app traffic and runs passive scanners over every flow — no active requests, no new load on your target.
Backends
- mitmproxy (preferred) — spawned via
mitmdump. Supports HTTPS interception when you install the mitmproxy CA cert on your device/browser. - HTTP fallback — a minimal async forward proxy built into Pencheff. No CONNECT / no TLS decryption, but works without any extra dependencies.
Start a proxy
start_proxy(session_id=sid, port=8888)
→ { port: 8888, mode: "mitmproxy", pid: 12543 }Configure your browser / app to use localhost:8888 as an HTTP proxy.
For HTTPS capture, install the CA cert from
http://mitm.it while your browser is routed through the proxy.
Retrieve traffic
get_proxy_traffic(session_id=sid, since=1729510000, include_passive_findings=True)
→ {
count: 123,
flows: [{ method: "GET", url: "...", status: 200, timestamp: ... }, …],
passive_findings_added: 4
}Setting include_passive_findings=True runs the
passive scanner over every flow and adds any
new findings to the session.
Stop the proxy
stop_proxy(session_id=sid)
→ { stopped: true }What the passive scanner catches
See passive scanner for the full rule list. Every rule runs on observed traffic only — zero outbound requests.
Security notes
- Traffic captured by mitmproxy is decrypted and stored in the session memory; don’t run the proxy against sensitive production traffic unless you understand the risk.
- The HTTP fallback cannot intercept HTTPS — use it for local dev and plain-HTTP services.
- On macOS/Linux the process runs with your user’s privileges; it does not need root.