I'm currently conducting penetration testing on a website, and I'm attempting to intercept requests using Mitmproxy to reverse engineer the backend APIs. However, I'm encountering a "502 Bad Gateway" error when trying to intercept the requests.
Here is the info:
Status 502 Bad Gateway
Version HTTP/2
Transferred 267 B (170 B size)
Referrer Policy strict-origin-when-cross-origin
Request Priority Highest
Request Headers:
content-type text/html
server mitmproxy 10.2.2
X-Firefox-Spdy h2
Response Headers:
Accept application/json, text/plain, */*
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection keep-alive
Content-Length 227
Content-Type application/json
Host -----------
Origin https://-------
Referer https://-------/--/---
Sec-Fetch-Dest empty
Sec-Fetch-Mode cors
Sec-Fetch-Site same-origin
TE trailers
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Additional error message: "Certificate verify failed: self-signed certificate"
Error message: "502 Bad Gateway". I'm using Mitmproxy version "10.2.2" on "Kali Linux". I've ensured that the server is running and accessible.
I've attempted to resolve the certificate verification issue by deleting the imported CA certificate and reimporting it into Firefox.
Additionally, I've addressed CORS issues that were previously encountered.
I've tried troubleshooting the issue by checking the server logs and verifying the configuration, but I haven't been able to identify the root cause of the problem.
Any insights or suggestions on how to resolve this issue would be greatly appreciated. Thank you!
The error "Certificate verify failed: self-signed certificate" means the server under test uses a certificate not trusted by mitmproxy. Therefore mitmproxy refuses to connect to the server and, on the client side, generates the "502 Bad Gateway" response.
You can supply the root CA cert to mitmproxy via the ssl_verify_upstream_trusted_ca option. Create a PEM file my-ca-certificates.pem containing the used certificate in PEM format. In that file you can place multiple PEM encoded certificates, just concat them together. And then start mitmproxy:
mitmproxy --set ssl_verify_upstream_trusted_ca=my-ca-certificates.pem
Note that using this command only the certificates in my-ca-certificates.pem are trusted. This means the certificates in my-ca-certificates.pem replace the root CA certificates, they are not considered in addition.
Alternatively you can disable TLS certificate checking of the upstream server via setting the ssl_insecure option:
mitmproxy --set ssl_insecure=true
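An added helper (not from the question or answer above) that builds the PEM bundle for ssl_verify_upstream_trusted_ca. Since that option replaces the default root store, the bundle concatenates the system CA file with the target's self-signed certificate; the file paths in the usage comment are assumptions for a typical Kali install.

```shell
# Assemble the bundle mitmproxy is told to trust. Each input file must
# contain at least one PEM certificate block; the function prints how
# many certificates ended up in the bundle and fails (removing any
# partial output) if an input is missing or is not PEM.
#
# Usage: build_mitm_ca_bundle OUTPUT.pem INPUT1.pem [INPUT2.pem ...]
build_mitm_ca_bundle() {
    out="$1"; shift
    [ "$#" -gt 0 ] || { echo "no input files given" >&2; return 1; }
    : > "$out"
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "$f: not a PEM certificate file" >&2
            rm -f "$out"
            return 1
        fi
        cat "$f" >> "$out"
        # make sure the next file starts on its own line, even when the
        # previous one had no trailing newline (common for exported certs)
        [ -z "$(tail -c1 "$out")" ] || echo >> "$out"
    done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Typical use (paths are assumptions; adjust to your system):
#   build_mitm_ca_bundle my-ca-certificates.pem \
#       /etc/ssl/certs/ca-certificates.crt target-selfsigned.pem
#   mitmproxy --set ssl_verify_upstream_trusted_ca=my-ca-certificates.pem
```

Including the system CA file keeps every other upstream host verifiable while the proxy is running with the replaced root store.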