Kali Linux

Xepor : Web Routing Framework For Reverse Engineers And Security Researchers

Xepor (pronounced /ˈzɛfə/, zephyr), a web routing framework for reverse engineers and security researchers. It provides a Flask-like API for hackers to intercept and modify HTTP request and/or HTTP response in a human-friendly coding style.

This project is meant to be used with mitmproxy. User write scripts with xepor, and run the script inside mitmproxy with mitmproxy -s your-script.py.

If you want to step from PoC to production, from demo(e.g. http-reply-from-proxy.py, http-trailers.py, http-stream-modify.py) to something you could take out with your WiFi Pineapple, then Xepor is for you!

Features

  • Code everything with @api.route(), just like Flask! Write everything in one script and no if..else any more.
  • Handle multiple URL routes, even multiple hosts in one InterceptedAPI instance.
  • For each route, you can choose to modify the request before connecting to server (or even return a fake response without connection to upstream), or modify the response before forwarding to user.
  • Blacklist mode or whitelist mode. Only allow URL endpoints defined in scripts to connect to upstream, blocking everything else (in specific domain) with HTTP 404. Suitable for transparent proxying.
  • Human readable URL path definition and matching powered by parse
  • Host remapping. define rules to redirect to genuine upstream from your fake hosts. Regex matching is supported. Best for SSL stripping and server side license cracking!
  • Plus all the bests from mitmproxy! ALL operation modes ( mitmproxy / mitmweb + regular / transparent / socks5 / reverse:SPEC / upstream:SPEC) are fully supported.

Use Case

  • Evil AP and phishing through MITM.
  • Sniffing traffic from specific device by iptables + transparent proxy, modify the payload with xepor on the fly.
  • Cracking cloud based software license. See examples/krisp/ as an example.
  • Write complicated web crawler in ~100 lines of codes. See examples/polyv_scrapper/ as an example.
  • … and many more.

SSL stripping is NOT provided by this project.

Installation

pip install xepor

Quick start

Take the script from examples/httpbin as an example.

In this example, we setup the mitmproxy server on 127.0.0.1. You could change it to any IP on your machine or alternatively to the IP of your VPS. The mitmproxy server running in reverse, upstream and transparent mode requires --set connection_strategy=lazy option to be set so that Xepor could function correctly. I recommand this option always be on for best stability.

Set your Browser HTTP Proxy to http://127.0.0.1:8080, and access web interface at http://127.0.0.1:8081/.

Send a GET request from http://httpbin.org/#/HTTP_Methods/get_get , Then you could see the modification made by Xepor in mitmweb interface, browser devtools or Wireshark.

The httpbin.py do two things.

  • When user access http://httpbin.org/get, inject a query string parameter payload=evil_param inside HTTP request.
  • When user access http://httpbin.org/basic-auth/xx/xx/ (we just pretends we don’t know the password), sniff Authorization headers from HTTP requests and print the password to the attacker.

Just what mitmproxy always do, but with code written in xepor way.

https://github.com/xepor/xepor-examples/tree/main/httpbin/httpbin.py

from mitmproxy.http import HTTPFlow
from xepor import InterceptedAPI, RouteType
HOST_HTTPBIN = “httpbin.org”
api = InterceptedAPI(HOST_HTTPBIN)
@api.route(“/get”)
def change_your_request(flow: HTTPFlow):
“””
Modify URL query param.
Test at:
http://httpbin.org/#/HTTP_Methods/get_get
“””
flow.request.query[“payload”] = “evil_param”
@api.route(“/basic-auth/{usr}/{pwd}”, rtype=RouteType.RESPONSE)
def capture_auth(flow: HTTPFlow, usr=None, pwd=None):
“””
Sniffing password.
Test at:
http://httpbin.org/#/Auth/get_basic_auth__user___passwd_
“””
print(
f”auth @ {usr} + {pwd}:”,
f”Captured {‘successful’ if flow.response.status_code < 300 else ‘unsuccessful’} login:”,
flow.request.headers.get(“Authorization”, “”),
)
addons = [api]

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

1 day ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

1 day ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

1 day ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

1 day ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

1 day ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

1 day ago