HTTP Proxy Configuration
If your target is behind a proxy, or you require a proxy for Mayhem to reach the API during testing, you can provide proxy information to the `mapi` CLI. The following common proxy environment variables are supported:

| Environment Variable | Description |
|---|---|
| HTTP_PROXY | The address to use when initiating HTTP connection(s) |
| HTTPS_PROXY | The address to use when initiating HTTPS connection(s) |
| NO_PROXY | Network address(es)/range(s) and domains to exclude from proxying |

ℹ️ When running `mapi` in a Windows command prompt (CMD), it is important to NOT add quotes (`"..."`) around the value in your environment variable declaration. CMD stores the quotes as part of the value.

❌ BAD

C:\work> SET HTTPS_PROXY="my.outbound.proxy:8888"
C:\work> mapi status

✅ GOOD

C:\work> SET HTTPS_PROXY=my.outbound.proxy:8888
C:\work> mapi status

Examples
Say you wish to capture all the communication between the fuzzer and your API. You can place a proxy such as Charles Proxy (which listens on `localhost:8888` by default) between Mayhem and your API to intercept and record all traffic.
HTTP_PROXY=http://localhost:8888 mapi run <target> ...
If your target is served over `https`, you can use the `HTTPS_PROXY` variable:
HTTPS_PROXY=https://localhost:8888 mapi run <target> ...
If your proxy server requires authentication with username and password, you must include the credentials:
https_proxy=http://username:password@localhost:8888 mapi run <target> ...
For `SOCKS5` proxy servers, you must specify the `socks5` protocol in the URL:
https_proxy=socks5://socksproxy.example.com
Proxying `https` traffic may result in certificate errors when the CLI attempts to communicate with the API during testing. This can be resolved by using the `NO_PROXY` variable to exclude certain addresses from being sent to the proxy. For example:
HTTPS_PROXY=https://localhost:8888 \
NO_PROXY=app.mayhem.security \
mapi run <target> ...
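
A pre-flight check for the variables described on this page, as an added example that is not part of the Mayhem documentation or of `mapi` itself: it flags values that carry literal quotes (the CMD pitfall above), masks credentials before a proxy URL is echoed into logs, and tests whether a host is covered by `NO_PROXY`. The function names are hypothetical, and the `NO_PROXY` matching (exact or domain-suffix, no address ranges) is an assumed common convention, not `mapi`'s documented behaviour.

```shell
#!/bin/sh
# Added example: helper names are hypothetical and this is not mapi's own logic.

# Classify a proxy value: empty | quoted | http | https | socks5 | other | bare
proxy_kind() {
  case "$1" in
    "")           echo empty ;;
    *\"*|*\'*)    echo quoted ;;   # literal quotes, e.g. CMD: SET X="host:port"
    http://*)     echo http ;;
    https://*)    echo https ;;
    socks5://*)   echo socks5 ;;
    *://*)        echo other ;;
    *)            echo bare ;;     # host:port with no scheme
  esac
}

# Mask "user:password@" so the value is safe to echo into CI or shell logs.
redact_proxy() {
  printf '%s\n' "$1" | sed -E 's#^([a-zA-Z0-9+.-]+://)?[^/]*@#\1***@#'
}

# Succeed if host $1 is covered by the comma-separated NO_PROXY list $2.
# Assumption: exact or domain-suffix match; address ranges are not handled.
no_proxy_covers() (
  host=$1
  set -f; IFS=','                  # subshell: split on commas, no globbing
  for entry in $2; do
    entry=$(printf '%s' "$entry" | tr -d '[:space:]')
    entry=${entry#.}
    [ -n "$entry" ] || continue
    [ "$entry" != "*" ] || exit 0
    case "$host" in
      "$entry"|*."$entry") exit 0 ;;
    esac
  done
  exit 1
)

# One log-safe line per variable: NAME=redacted-value (kind)
describe_proxy() {
  printf '%s=%s (%s)\n' "$1" "$(redact_proxy "$2")" "$(proxy_kind "$2")"
}

# Constructed sample values, taken from the forms shown on this page.
describe_proxy HTTPS_PROXY '"my.outbound.proxy:8888"'
describe_proxy https_proxy 'http://username:password@localhost:8888'
no_proxy_covers app.mayhem.security 'localhost, app.mayhem.security' &&
  echo "app.mayhem.security bypasses the proxy"
```

A value reported as `quoted` should be re-declared without the quotes before running `mapi`.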