reverse-engineeringweb-api-testingmitmproxypenetration-testing

Unable to Intercept Requests with Mitmproxy: Getting "502 Bad Gateway" Error


I'm currently conducting penetration testing on a website, and I'm attempting to intercept requests using Mitmproxy to reverse engineer the backend APIs. However, I'm encountering a "502 Bad Gateway" error when trying to intercept the requests.

Here is the info:

Status 502 Bad Gateway
Version HTTP/2
Transferred 267 B (170 B size)
Referrer Policy strict-origin-when-cross-origin
Request Priority Highest
    
Request Headers:
content-type    text/html
server  mitmproxy 10.2.2
X-Firefox-Spdy  h2
    
Response Headers:
Accept  application/json, text/plain, */*
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection  keep-alive
Content-Length  227
Content-Type application/json
Host -----------
Origin  https://-------
Referer https://-------/--/---
Sec-Fetch-Dest  empty
Sec-Fetch-Mode  cors
Sec-Fetch-Site  same-origin
TE  trailers
User-Agent  Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Additional error message: "Certificate verify failed: self-signed certificate"

Error message: "502 Bad Gateway" I'm using Mitmproxy version "10.2.2" on "Kali Linux". I've ensured that the server is running and accessible.

ā€‹

I've attempted to resolve the certificate verification issue by deleting the imported CA certificate and reimporting it into Firefox.

Additionally, I've addressed CORS issues that were previously encountered.

I've tried troubleshooting the issue by checking the server logs and verifying the configuration, but I haven't been able to identify the root cause of the problem.

Any insights or suggestions on how to resolve this issue would be greatly appreciated. Thank you!


Solution

  • The error Certificate verify failed: self-signed certificate means the server under test uses a certificate not trusted by mitmproxy. Therefore mitmproxy refuses to connect to the server and on client-side generates the "502 Bad Gateway" response.

    You can supply the root ca cert to mitmproxy via ssl_verify_upstream_trusted_ca option. Create a PEM file my-ca-certificates.pem file containing the used certificate in PEM format. In that file you can place multiple PEM encoded certificates, just concat them together. And then start mitmproxy:

    mitmproxy --set ssl_verify_upstream_trusted_ca=my-ca-certificates.pem
    

    Note that using this command only the certificates in my-ca-certificates.pem are trusted. This means the certificates in my-ca-certificates.pem replace the root CA certificates, they are not considered in addition.

    Alternatively you can disable TLS certificate checking of the upstream server to the server via setting the ssl_insecure option:

    mitmproxy --set ssl_insecure=true