Are there any HTTP/HTTPS interception tools other than Fiddler, Charles, Poster, and Achilles? [closed]

StackOverflow https://stackoverflow.com/questions/206318

  •  03-07-2019

Question

I'm in the process of testing my application with respect to security.

Aside from Fiddler, Charles and Poster (Firefox plug-in), are there any other free-to-use HTTPS interception (and editing) applications out there? Especially ones which can be installed w/o admin privileges.

Achilles comes to mind, but I don't think it can handle HTTPS traffic.

Solution

Achilles does work on HTTPS traffic, but they note on their site that it is not the best tool any more.

Their suggestions are Burp Suite and WebScarab, both of which I highly recommend.

OTHER TIPS

OWASP ZAP - it's free, open source and cross-platform.

It's also the most active open source web security tool and came first and second in the last 2 'Top Security Tools' surveys run by Toolswatch.org (2013, 2014).

It was originally forked from Paros, which is no longer maintained, but it now has loads more functionality.

It's an OWASP Flagship project, having replaced WebScarab, which is also essentially no longer maintained.

Simon (ZAP Project Lead)

Wireshark is amazing. It captures everything on the network so you'll need to filter down to http/https: http://wiki.wireshark.org/CaptureFilters.

Doing more research I came across Paros Proxy. Seems to be a good alternative to the others.

There are a few programs that I would suggest.

Paros Proxy and Ratproxy have already been noted.

scapy is a powerful packet manipulation tool, and has all of the sniffing and monitoring capabilities as well. dsniff is a suite of tools that allows manipulation, injection, and all sorts of interception and modification options.

There is also a plugin for IE called Tamper IE that has a simple GUI-based packet editor.

All of these are free.

I'd strongly recommend HttpWatch. I believe the basic version is free and captures your HTTPS traffic to some extent. The Professional version is worth the money.

Have a look at ratproxy. It may not be exactly what you're asking for, but is very useful in testing the security of your web app.

Rather than intercepting HTTP and allowing you to edit or replay requests, it installs as a proxy and monitors the normal use of your web app, and then provides a report on possible security issues, along with their severity. It can also be configured to attempt active XSS or XSRF attacks where it thinks there is a vulnerability.

The site says "Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments" but I've only used it on Linux.

Check HTTP Debugger Pro.

It is a proxy-less solution and has zero impact on the data being transferred.

Also, it has a modern user interface :)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow