Landing AppBandit Public BETA

Our intercepting web security proxy has just arrived

Tue Mar 06 2018 07:25:31 GMT+0000 (GMT)

We are very excited to announce the public beta release of our latest tool we fondly call AppBandit, or AB (as in AB Proxy) for short. AppBandit is an intercepting security-enhanced proxy built on top of our existing technology stack you are already familiar with from our online testing suite. With AppBandit we are not just making a brand new proxy in the same vein as all others but also extending the existing proxy concepts and workflows with new ideas and tooling not seen anywhere else. It is a complete game changer.

Parallel, non-buffering proxy

At the core of AppBandit we have a simple but powerful proxy server that never buffers. The internal proxy engine is constantly streaming, asynchronously forwarding packets from the source to the destination as quick as your system allows. This in itself is a welcome feature especially if the proxy has to be used as system proxy on a phone or the desktop where it is expected many software products to utilise the system proxy settings. AppBandit will handle this situation without stutter, relaying the packets from one end to the other consistently with great performance.

Many modern clients, such as browsers like Firefox and Chrome, will pipeline the requests one after another saving packets required to negotiate each connection. This situation is handled gracefully without interrupting the flow of bytes. In other words, pipelining and streaming HTTP traffic is handled as normal even when active interception is set in place.

We have also deliberately separated the UI from the network components in order to make the tool as reliable as we can. Captured information is forwarded asynchronously without blocking the networking tasks. Due to this parallelism, the proxy is also able to actively intercept multiple streams of requests and responses at the same time. You don't have to modify the requests in the sequence they arrive. You can modify any request or response as soon as it is available.


Unlike existing intercepting proxies you may already be familiar with, AppBandit is not a one-trick pony. For example, you can configure the tool to capture traffic from more than one proxy server. You can also easily bind the local proxy implementation to as many network cards as you want on as many ports as you need. All you need to do is type the address and you are set. Even more, you can capture traffic from remote proxy servers. This feature is not seen in any other tool out there. This allows for interesting use-cases where the environment you are testing is highly restrictive. It is certainly possible to embed the proxy server in a shellcode, delivered to the target and spun in memory. AppBandit will easily connect to it and start intercepting.

Even more so, AppBandit can be configured to extract HTTP sessions directly by sniffing network traffic. Think of every time you had to run Burp or ZAP together with Wireshark. Now you can do it all with the same tool. Again, you don't have to sniff your local network. You can do that remotely because AppBandit can connect to remote streams to consume data, which makes it perfect for debugging and testing applications in very restrictive environments such as mobile apps or networks that are set in certain ways that prevent direct interception of the flow of data.

Integrated auxiliary tools

We have integrated many auxiliary tools right into AppBandit so that you don't have to break your train of thought by switching context or by switching to other tools. For example, access to common generators, hash functions, encoders and decoders are available on the spot. No more copy-pasting. This feature is enhanced further with the help of Variables. You can set common strings to be reused all over the place.

Other tools which we integrated into AppBandit include the automatic issue discovery tool which works passively by analysing your requests and responses, a full-featured browser preview (not just some janky rendering engine), diff viewer so that you can compare and identify differences between the current and previous requests easily, a slice viewer which helps you concentrate on the things that matter most, a powerful code generator and much, much more. It is no doubt, AppBandit is the most feature-packed proxy you will ever use. We are very proud of this achievement.

Simple and Extensible

AppBandit is very extensible by default. Our plugin system will be opened up in the upcoming months allowing you to build your own custom proxy feeds, fuzz generators, auxiliary tools and much more.

We are also using an easy to parse document format for your saved sessions so that you can easily consume your files in other tools. We say no more to proprietary or complex formats for security tools. We have certainly invested a lot of effort to choose something that is fast, reliable but also easy to use by novice and experienced users alike.

Full OS Integration

AppBandit is available on Windows, Mac and Linux. We have made sure the tool takes advantage of many of the built-in platform features such as system notifications, bouncing the taskbar or the dock when requests or responses are intercepted, multiple active windows, shortcuts and more.

You can work with more than one project at the same time. Just open another window and you are good to go. AppBandit works flawlessly in the window manager of your choice, taking care of all platform features currently available.

What's Next

Although AppBandit is in public BETA, the tool is fully working as expected. It is fast, reliable, with good architecture backing all important components and although there are certainly some bug we know of, which we will fix in the upcoming days, we believe this tool is ready for prime time. Keep an open mind that it is still beta though.

We welcome anyone interested in AppBandit to join us on Twitter or Reddit. If there are any problems just ask. Any feedback, good or bad, will be appreciated.

What are you waiting for? Download AppBandit today and start hacking.