HTTP/HTTPS MITM proxy and recorder.

Related tags

Security hyperfox


Build Status

Hyperfox is a security auditing tool that proxies and records HTTP and HTTPS traffic between two points.


You can install the latest version of hyperfox to /usr/local/bin with the following command (requires admin privileges):

curl -sL '' | sh

If you'd rather not accept free candy from this van you can also grab a release from our releases page and install it manually.

Building hyperfox from source

In order to build hyperfox from source you'll need Go and a C compiler:

Use go install to build and install hyperfox:

go install

How does it work?

Hyperfox creates a transparent HTTP proxy server and binds it to port 1080/TCP on localhost (-addr -http 1080). The proxy server reads plaintext HTTP requests and redirects them to the target destination (the Host header is used to identify the destination), when the target destination replies, Hyperfox intercepts the response and forwards it to the original client.

All HTTP communications between origin and destination are intercepted by Hyperfox and recorded on a SQLite database that is created automatically. Everytime Hyperfox starts, a new database is created (e.g.: hyperfox-00123.db). You can change this behaviour by explicitly providing a database name (e.g.: -db traffic-log.db).


Launch Hyperfox with default configuration:


use cURL to request any HTTP page, the -x parameter tells cURL to use hyperfox as proxy:

curl -x

you should be able to see a log for the page you requested in Hyperfox's output:

... - - [11/Apr/2020:19:19:48 -0500] "GET HTTP/1.1" 200 -1

User interface (-ui)


Use the -ui parameter to enable Hyperfox UI wich will open in a new browser window:

hyperfox -db records.db -ui

The above command creates a web server that binds to If you'd like to change the bind address or port use the -ui-addr switch:

hyperfox -db records.db -ui -ui-addr

Changing the UI server address is specially useful when Hyperfox is running on a remote or headless host and you'd like to see the UI from another host.

Enabling the UI also enables a minimal REST API (at that is consumed by the front-end application.

Please note that Hyperfox's REST API is only protected by a randomly generated key that changes everytime Hyperfox starts, depending on your use case this might not be adecuate.

Run Hyperfox UI on your mobile device

When the -ui-addrparameter is different from Hyperfox will output a QR code to make it easier to connect from mobile devices:

hyperfox -db records.db -ui -ui-addr

SSL/TLS mode (-ca-cert & -ca-key)

SSL/TLS connections are secure end to end and protected from eavesdropping. Hyperfox won't be able to see anything happening between a client and a secure destination. This is only valid as long as the chain of trust remains untouched.

Let's suppose that the client trusts a root CA certificate that is known by Hyperfox, if that happens Hyperfox will be able to issue certificates that are going to be trusted by the client.

Examples of such bogus root CA files be found here:

you can also generate your own root CA certificate and key.

There are a number of ways to install root CA certificates, depending on your operating system.

This QR code might come in handy when installing Hyperfox's root CA on a mobile device:

Hyperfox root CA certificate

Use the -ca-cert and -ca-key flags to provide Hyperfox with the root CA certificate and key you'd like to use:

hyperfox -ca-cert rootCA.crt -ca-key rootCA.key

the above command creates a special server and binds it to, this server waits for a SSL/TLS connection to arrive. When a new SSL/TLS connection hits in, Hyperfox uses the SNI extension to identify the destination nameserver and to create a SSL/TLS certificate for it, this certificate is signed with the providede root CA key.

TLS interception example

Launch Hyperfox with appropriate TLS parameters and -http 443 (port 443 requires admin privileges).

sudo hyperfox -ca-cert ./ca/rootCA.crt -ca-key ./ca/rootCA.key -https 443

Use cURL to build a HTTPs request to the -resolve option tells cURL to skip DNS verification and use as if it were the legitimate address for, while the -k parameter tells cURL to accept any TLS certificate.

curl -k -resolve

you should be able to see a log for the page you requested in Hyperfox's output: - - [11/Apr/2020:19:36:56 -0500] "GET HTTP/2.0" 200 -1

Usage examples

Via /etc/hosts on localhost

Add the host you'd like to inspect to your /etc/hosts file:

Run Hyperfox with the options you'd like, just remember that you should use ports 80 for HTTP and 443 for HTTPS, and that requires admin privileges. In addition to -http and -https use the -dns parameter with a valid DNS resolver:

sudo hyperfox -ui -http 80 -dns

that will make Hyperfox skip the OS DNS resolver and use an alternative one (remember that points to 127.0.1).

Now use cURL and try to go to the destination:


Hyperfox will capture the request and print it to its output: - - [11/Apr/2020:19:43:30 -0500] "GET HTTP/1.1" 200 -1

Via ARP Spoofing on a LAN

See MITM attack with Hyperfox and arpfox.


Choose an issue, fix it and send a pull request.


Copyright (c) 2012-today José Nieto,

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.


  • TLS oversized record error

    TLS oversized record error


    I'm trying to setup HTTPs capturing, but I'm receiving multiple errors like this when initializing HTTPs requests:

    2015/03/08 12:48:15 http: TLS handshake error from tls: oversized record received with length 20037

    I'm running the latest OS X and have followed the tutorials on Hyperfox version is 0.9. HTTP capturing works fine.

    Any idea what might be wrong?

    opened by jhvst 6
  • Windows support.

    Windows support.

    I think Hyperfox would compile fine on a Windows machine but I can't test it since I don't have a license so some help would be appreciated.

    Some concerns:

    • Hyperfox depends on mattn's SQLite driver which requires CGO.
    • We need instructions for building and testing from scratch on a VirtualBox's virtual machine and not a binary build.
    • Instructions for enabling IP forwarding are also needed.
    opened by xiam 5
  • undefined: tls.ClientHelloInfo

    undefined: tls.ClientHelloInfo


    When I launch "go get" I obtain the following result:

    /usr/lib/go/src/pkg/ undefined: tls.ClientHelloInfo /usr/lib/go/src/pkg/ unknown tls.Config field 'GetCertificate' in struct literal

    Have you an idea ?

    I work on Debian in multi release mode and the go version is "go1.3.2 linux/amd64"

    Thanks in advance ;)

    opened by mekhalleh 3
  •  panic serving Unknown condition type uint

    panic serving Unknown condition type uint

    Full stack trace:

    toby @ ~ () => hyperfox 
    2016/12/10 14:41:23 Hyperfox v1.9.7 //
    2016/12/10 14:41:23 By José Carlos Nieto.
    2016/12/10 14:41:23 Initializing database hyperfox-00001.db...
    2016/12/10 14:41:23 Starting (local) API server...
    2016/12/10 14:41:23 Watch live capture at
    2016/12/10 14:41:23 Listening for incoming HTTP client requests on - - [10/Dec/2016:14:41:57 +0000] "GET HTTP/1.1" 302 261 - - [10/Dec/2016:14:41:57 +0000] "GET HTTP/1.1" 302 277
    2016/12/10 14:42:16 http: panic serving Unknown condition type uint
    goroutine 44 [running]:
    	/usr/local/go/src/net/http/server.go:1491 +0x12a
    panic(0x8095e0, 0xc42020c820)
    	/usr/local/go/src/runtime/panic.go:458 +0x243*templateWithUtils).ToWhereWithArguments(0xc420032080, 0x809760, 0xc42020c610, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8bfff8, 0x1, ...)
    	/app/src/ +0x11f1*templateWithUtils).ToWhereWithArguments(0xc420032080, 0x8027a0, 0xc4201fbae0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81ebe0, 0x0, ...)
    	/app/src/ +0x1640*selector).Where(0xc4200d5200, 0xc42020c600, 0x1, 0x1, 0xc694a0, 0xc4200d5200)
    	/app/src/ +0x13a*Result).buildSelect(0xc4200c6e10, 0x41ac4b, 0x8095e0)
    	/app/src/ +0x136*Result).One(0xc4200c6e10, 0x7f6f80, 0xc42000b900, 0xe, 0xc68720)
    	/app/src/ +0x2f
    main.getHandler(0xc651c0, 0xc4200dd790, 0xc4200c6d20)
    	/app/src/ +0x863
    net/http.HandlerFunc.ServeHTTP(0x8c0310, 0xc651c0, 0xc4200dd790, 0xc4200c6d20)
    	/usr/local/go/src/net/http/server.go:1726 +0x44*Router).ServeHTTP(0xc4200134f0, 0xc651c0, 0xc4200dd790, 0xc4200c6d20)
    	/app/src/ +0x10d
    net/http.serverHandler.ServeHTTP(0xc42001ef00, 0xc651c0, 0xc4200dd790, 0xc4200c6b40)
    	/usr/local/go/src/net/http/server.go:2202 +0x7d
    net/http.(*conn).serve(0xc420144500, 0xc65900, 0xc4201546c0)
    	/usr/local/go/src/net/http/server.go:1579 +0x4b7
    created by net/http.(*Server).Serve
    	/usr/local/go/src/net/http/server.go:2293 +0x44d
    2016/12/10 14:42:16 http: panic serving Unknown condition type uint
    goroutine 54 [running]:
    	/usr/local/go/src/net/http/server.go:1491 +0x12a
    panic(0x8095e0, 0xc4201da6c0)
    	/usr/local/go/src/runtime/panic.go:458 +0x243*templateWithUtils).ToWhereWithArguments(0xc420032080, 0x809760, 0xc4201da4b0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x8095e0, ...)
    	/app/src/ +0x11f1*templateWithUtils).ToWhereWithArguments(0xc420032080, 0x8027a0, 0xc4201d6940, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81ebe0, 0x0, ...)
    	/app/src/ +0x1640*selector).Where(0xc42016e540, 0xc4201da4a0, 0x1, 0x1, 0xc694a0, 0xc42016e540)
    	/app/src/ +0x13a*Result).buildSelect(0xc420189e00, 0x41ac4b, 0x8095e0)
    	/app/src/ +0x136*Result).One(0xc420189e00, 0x7f6f80, 0xc420143300, 0xe, 0xc68720)
    	/app/src/ +0x2f
    main.getHandler(0xc651c0, 0xc4201869c0, 0xc420189d10)
    	/app/src/ +0x863
    net/http.HandlerFunc.ServeHTTP(0x8c0310, 0xc651c0, 0xc4201869c0, 0xc420189d10)
    	/usr/local/go/src/net/http/server.go:1726 +0x44*Router).ServeHTTP(0xc4200134f0, 0xc651c0, 0xc4201869c0, 0xc420189d10)
    	/app/src/ +0x10d
    net/http.serverHandler.ServeHTTP(0xc42001ef00, 0xc651c0, 0xc4201869c0, 0xc4200c6f00)
    	/usr/local/go/src/net/http/server.go:2202 +0x7d
    net/http.(*conn).serve(0xc42001f780, 0xc65900, 0xc420017e00)
    	/usr/local/go/src/net/http/server.go:1579 +0x4b7
    created by net/http.(*Server).Serve
    	/usr/local/go/src/net/http/server.go:2293 +0x44d

    Was triggered clicking the i icon next to a request.

    opened by tobbbles 1
  • hi,may i ask a question about flow control (single client connect to server )

    hi,may i ask a question about flow control (single client connect to server )

    I setup a https proxy server ,and provide the proxy service for many people,and now i want to control the flow each person ..can hyperfox make it ? thanks!

    opened by dotcool 1
  • `dsniff` link on points to the sample CA certificate

    `dsniff` link on points to the sample CA certificate

    opened by oko 1
  • Fix -dns flag when -https is enabled

    Fix -dns flag when -https is enabled

    This change makes the -dns flag be respected with the -https flag

    Before this change the sudo hyperfox -ui -http 80 -dns -> curl lead to an infinite request loop when -https was also supplied (i.e. sudo hyperfox -ui -http 80 -https 443 -dns

    opened by 2opremio 0
  • io.Copy

    io.Copy "context canceled"

    I have been looking at potentially using hyperfox as the base for writing a GitHub API mocking tool, but I cannot even get it to proxy. Here is my command line:

    sudo bin/hyperfox -addr -https 9999 \
       --ca-cert /Users/mikeschinkel/Projects/hyperfox/ca/rootCA.crt \
       --ca-key /Users/mikeschinkel/Projects/hyperfox/ca/rootCA.key

    When I run a Go program that uses to call Client.Repositories.GetContents() which in turn calls the API I get this output:

    2021/02/18 16:44:19 io.Copy: "context canceled" - - [18/Feb/2021:16:44:19 -0500] "CONNECT HTTP/1.1" 400 161256```

    I debugged through it for over an hour but still cannot figure out what I am doing wrong.

    BTW, I implemented a proxy in Go based on this code and it worked fine — though I was not able to inspect the information returned which is why I looked at hyperfox — so I know that the GET request by works.

    opened by mikeschinkel 0
  • Getting TLS Failure

    Getting TLS Failure

    I am trying your "proxy.StartTLS" call and when I send a request from the browser, the console shows:

    tls: first record does not look like a TLS handshake

    Ideas on what that could be? Thank you.

    opened by vbisbest 1
  • Cannot get latest version: module contains a go.mod file, so module path should be

    Cannot get latest version: module contains a go.mod file, so module path should be


    The uses Go modules and the current release version is v2. And it’s module path is "", instead of "". It must comply with the specification of "Releasing Modules for v2 or higher" available in the Modules documentation. Quoting the specification:

    A package that has opted in to modules must include the major version in the import path to import any v2+ modules To preserve import compatibility, the go command requires that modules with major version v2 or later use a module path with that major version as the final element. For example, version v2.0.0 of must instead use module path

    Steps to Reproduce

    GO111MODULE=on, run go get targeting any version >= v2.0.0 of the malfunkt/hyperfox:

    $ go get[email protected]
    go: finding v2.0.0
    go: finding v2.0.0
    go get[email protected]:[email protected]: invalid version: module contains a go.mod file, so major version must be compatible: should be v0 or v1, not v2

    run go get, the version will stuck in v1.9.8:

    $go get
    go: downloading v1.9.8
    go: upgrade => v1.9.8

    SO anyone using Go modules will not be able to easily use any newer version of malfunkt/hyperfox.


    1. Kill the go.mod files, rolling back to GOPATH.

    This would push them back to not being managed by Go modules (instead of incorrectly using Go modules). Ensure compatibility for downstream module-aware projects and module-unaware projects projects

    I see these dependencies in your go.mod file, which need modle awareness. So you'd better not use third-party tools(such as: Dep, glide, govendor…). v3.0.0

    You also need to update the import path to:


    2. Fix module path to strictly follow SIV rules.

    Patch the go.mod file to declare the module path as as per the specs. And adjust all internal imports. The downstream projects might be negatively affected in their building if they are module-unaware (Go versions older than 1.9.7 and 1.10.3; Or use third-party dependency management tools, such as: Dep, glide,govendor…).

    [*] You can see who will be affected here: [1 module-unaware user, i.e., Labs22/BlackServerOS]

    If you don't want to break the above repos. This method can provides better backwards-compatibility. Release a v2 or higher module through the major subdirectory strategy: Create a new v2 subdirectory ( and place a new go.mod file in that subdirectory. The module path must end with /v2. Copy or move the code into the v2 subdirectory. Update import statements within the module to also use /v2 (import "…"). Tag the release with v2.x.y.

    3. Suggest your downstream module users use hash instead of a version tag.

    If the standard rule of go modules conflicts with your development mode. Or not intended to be used as a library and does not make any guarantees about the API. So you can’t comply with the specification of "Releasing Modules for v2 or higher" available in the Modules documentation. Regardless, since it's against one of the design choices of Go, it'll be a bit of a hack. Instead of go get[email protected], module users need to use this following way to get the malfunkt/hyperfox: (1) Search for the tag you want (in browser) (2) Get the commit hash for the tag you want (3) Run go get[email protected] (4) Edit the go.mod file to put a comment about which version you actually used This will make it difficult for module users to get and upgrade malfunkt/hyperfox.

    [*] You can see who will be affected here: [1 module user, e.g., malfunkt/hyperfox]


    You can make a choice to fix DM issues by balancing your own development schedules/mode against the affects on the downstream projects.

    For this issue, Solution 2 can maximize your benefits and with minimal impacts to your downstream projects the ecosystem.


    opened by KateGo520 2
  • Problem with https proxy

    Problem with https proxy

    Hello, hyperfox is a great project. I am having some problems with https proxy. I encountered an error when I ran this program. http: TLS handshake error from tls: oversized record received with length 20037 Then I tried to upgrade my go version. Currently, the go version is 1.12.5. When I run again, it becomes another error. http: TLS : first record does not look like a TLS handshake My system is win10 amd64. Where am I configured wrong? I will be very grateful for your answer.

    opened by Releasel0ck 1
Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

Easy and Powerful TLS Automation The same library used by the Caddy Web Server Caddy's automagic TLS features—now for your own Go programs—in one powe

Caddy 4.3k Jan 6, 2023
A GREAT GUI Offline Tool for manipulating/seeking resolver list of repique and dnscrypt proxy.

Intro A GUI Offline Tool for decrypting and manipulating *.md files used by repique and dnscrypt proxy It's targeted for creating your own DoT, DoH an

null 5 Nov 27, 2022
A Declarative Cloud Firewall Reverse Proxy Solution with Companion Mobile App

A declarative Cloud firewall reverse proxy solution with inbuilt DDoS protection and alerting mechanism to protect your servers and keeping an eye on those malicious requests

null 14 Aug 10, 2022
Generic impersonation and privilege escalation with Golang. Like GenericPotato both named pipes and HTTP are supported.

This is very similar to GenericPotato - I referenced it heavily while researching. Gotato starts a named pipe or web server and waits for input. Once

meet 102 Nov 9, 2022
A Flask-based HTTP(S) command and control (C2) framework with a web frontend. Malleable agents written in Go and scripts written in bash.

▄▄▄▄ ██▓ █████▒██▀███ ▒█████ ██████ ▄▄▄█████▓ ▓█████▄ ▓██▒▓██ ▒▓██ ▒ ██▒▒██▒ ██▒▒██ ▒ ▓ ██▒ ▓▒ ▒██▒ ▄██▒██▒▒████ ░▓██ ░▄█ ▒▒██░ ██▒░

Ashley Nikirk 29 Dec 24, 2022
HTTP middleware for Go that facilitates some quick security wins.

Secure Secure is an HTTP middleware for Go that facilitates some quick security wins. It's a standard net/http Handler, and can be used with many fram

Cory Jacobsen 2.1k Jan 3, 2023
Implementation of io/fs.FS that appends SHA256 hashes to filenames to allow for aggressive HTTP caching.

hashfs Implementation of io/fs.FS that appends SHA256 hashes to filenames to allow for aggressive HTTP caching.

Ben Johnson 221 Dec 1, 2022
Fastest recursive HTTP fuzzer, like a Ferrari.

Medusa Fastest recursive HTTP fuzzer, like a Ferrari. Usage Usage: medusa [options...] Options: -u Single URL -uL

Rıza Sabuncu 74 Oct 14, 2022
PoC for CVE-2015-1635 / MS15-034 - HTTP.sys Allows Remote Code Execution / Check & DOS

CVE-2015-1635 PoC for CVE-2015-1635 / MS15-034 - HTTP.sys Allows Remote Code Execution / Check & DOS ./MS15-034 <URL> <RESOURCE> <FLAG [0 or 18]> Note

Nikola Kipariz Stamov 0 Nov 3, 2021
ARP spoofing tool based on go language, supports LAN host scanning, ARP poisoning, man-in-the-middle attack, sensitive information sniffing, HTTP packet sniffing

[ARP Spoofing] [Usage] Commands: clear clear the screen cut 通过ARP欺骗切断局域网内某台主机的网络 exit exit the program help display help hosts 主机管理功能 loot 查看嗅探到的敏感信息

Re 55 Dec 30, 2022
CS http Dynamic Encrypt Bridge.

CS http Dynamic Encrypt Bridge.

TimWhite 34 Nov 25, 2022
Basic honeypot to capture log4shell payloads within HTTP headers.

log4shell-honeypot Catch and download log4shell payloads sent within HTTP headers. Modified version of Adikso's minecraft honeypot Setup git clone $re

Chris Bayliss 14 Sep 2, 2022
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Minify and Secure Docker containers (free and open source!) Don't change anything in your Docker container image and minify it by up to 30x making it

docker-slim 15.7k Dec 27, 2022
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Filippo Valsorda 12.4k Dec 28, 2022
Find secrets and passwords in container images and file systems

Find secrets and passwords in container images and file systems

null 1.9k Jan 1, 2023
Build awesome Golang desktop apps and beautiful interfaces with Vue.js, React.js, Framework 7, and more...

Guark Guark allows you to build beautiful user interfaces using modern web technologies such as Vue.js, React.js..., while your app logic handled and

Guark. 633 Jan 1, 2023
Scan and analyze OSS dependencies and licenses from compiled Go binaries

golicense - Go Binary OSS License Scanner golicense is a tool that scans compiled Go binaries and can output all the dependencies, their versions, and

Mitchell Hashimoto 664 Nov 6, 2022