Reaper MITM 代理：CLI HTTPS 代理工具，用于应用安全测试与流量分析

ghost-proxy by ghostsecurity/skills

616 周安装量

370 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/ghostsecurity/skills --skill ghost-proxy

自动化测试安全

🇨🇳中文介绍

Reaper MITM 代理

Reaper 是一款基于 CLI 的 MITM HTTPS 代理，用于应用程序安全测试。它能拦截、记录并允许检查流经它的 HTTP/HTTPS 流量。用它来捕获实时的请求/响应对，以进行安全验证。

前提条件

在使用任何 reaper 命令之前，请确保已安装最新版本的二进制文件：

curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash

除非 ~/.ghost/bin 已在 PATH 环境变量中，否则本文档中的所有 reaper 命令都应作为 ~/.ghost/bin/reaper 调用。

快速参考

命令	用途
`reaper start --domains example.com`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

配置流量通过代理

配置 HTTP 客户端以使用代理。默认监听地址是 localhost:8443。

# curl
curl -x http://localhost:8443 -k https://api.example.com/endpoint

# 环境变量（适用于许多工具）
export http_proxy=http://localhost:8443
export https_proxy=http://localhost:8443

# Python requests
import requests
requests.get("https://api.example.com/endpoint",
             proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"},
             verify=False)

需要 -k / verify=False 标志，因为 reaper 在启动时会生成自己的 CA 证书用于 MITM TLS 拦截。

查看捕获的流量

# 显示最后 50 个条目（默认）
reaper logs

# 显示最后 200 个条目
reaper logs -n 200

输出列：ID、METHOD、HOST、PATH、STATUS、MS、REQ（请求体大小）、RES（响应体大小）。

# 按 HTTP 方法
reaper search --method POST

# 按主机（支持 * 通配符）
reaper search --host *.api.example.com

# 按域名后缀
reaper search --domains example.com

# 按路径前缀（支持 * 通配符）
reaper search --path /api/v3/transfer

# 按状态码
reaper search --status 200

# 组合过滤器
reaper search --method POST --path /api/v3/* --status 200 -n 50

# 完整的请求和响应（原始 HTTP）
reaper get 42

# 仅请求
reaper req 42

# 仅响应
reaper res 42

输出是原始的 HTTP/1.1 格式，包括头部和正文，适合分析或重放。

与 validate 技能配合使用时（可能需要与用户协作设置测试环境）：

启动 reaper，限定到应用程序域
通过运行 reaper logs 验证流量是否被捕获 —— 在通过代理路由测试请求后，应至少出现一个条目
如果没有条目出现，请验证代理设置和域作用域是否与目标匹配
以普通用户身份进行身份验证（或要求用户进行身份验证），并合法地操作易受攻击的端点
搜索捕获的请求以了解预期的请求格式
构造并发送恶意请求，以利用发现中描述的漏洞
检查响应以确定利用是否成功
使用 reaper get <id> 捕获完整的请求/响应作为证据

所有数据都存储在 ~/.reaper/ 目录中：

reaper.db - 包含捕获条目的 SQLite 数据库
reaper.sock - 用于 CLI 与守护进程间 IPC 的 Unix 套接字
reaper.pid - 守护进程的进程 ID

CA 证书在每次启动时在内存中重新生成，不会持久化。

2026 年 2 月 20 日

🇺🇸English

Reaper MITM Proxy

Reaper is a CLI-based MITM HTTPS proxy for application security testing. It intercepts, logs, and allows inspection of HTTP/HTTPS traffic flowing through it. Use it to capture live request/response pairs for security validation.

Prerequisites

Before using any reaper command, make sure the latest version of the binary is installed:

curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash

All reaper commands in this document should be invoked as ~/.ghost/bin/reaper unless ~/.ghost/bin is on PATH.

Quick Reference

Command	Purpose
`reaper start --domains example.com`	Start proxy (foreground)
`reaper start --domains example.com -d`	Start proxy (daemon)
`reaper logs`	Show recent captured entries
`reaper search --method POST --path /api/*`	Search captured traffic
`reaper get <id>`	Show full request + response
`reaper req <id>`	Show raw HTTP request only
`reaper res <id>`	Show raw HTTP response only
`reaper stop`	Stop the daemon

Starting the Proxy

Start reaper scoped to the target domain(s). At least one --domains or --hosts flag is required.

# Intercept all traffic to example.com and its subdomains
reaper start --domains example.com

# Multiple domains
reaper start --domains example.com,api.internal.co

# Exact hostname matching
reaper start --hosts api.example.com

# Both domain suffix and exact host matching
reaper start --domains example.com --hosts special.internal.co

# Custom port (default: 8443)
reaper start --domains example.com --port 9090

# Run as background daemon
reaper start --domains example.com -d

Scope behavior :

--domains: Suffix match. example.com matches example.com, api.example.com, sub.api.example.com
--hosts: Exact match. api.example.com matches only api.example.com
Traffic outside scope passes through transparently without logging

Routing Traffic Through the Proxy

Configure the HTTP client to use the proxy. The default listen address is localhost:8443.

# curl
curl -x http://localhost:8443 -k https://api.example.com/endpoint

# Environment variables (works with many tools)
export http_proxy=http://localhost:8443
export https_proxy=http://localhost:8443

# Python requests
import requests
requests.get("https://api.example.com/endpoint",
             proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"},
             verify=False)

The -k / verify=False flag is needed because reaper generates its own CA certificate at startup for MITM TLS interception.

Viewing Captured Traffic

Searching

# By HTTP method
reaper search --method POST

# By host (supports * wildcard)
reaper search --host *.api.example.com

# By domain suffix
reaper search --domains example.com

# By path prefix (supports * wildcard)
reaper search --path /api/v3/transfer

# By status code
reaper search --status 200

# Combined filters
reaper search --method POST --path /api/v3/* --status 200 -n 50

Inspecting Individual Entries

# Full request and response (raw HTTP)
reaper get 42

# Request only
reaper req 42

# Response only
reaper res 42

Output is raw HTTP/1.1 format including headers and body, suitable for analysis or replay.

Stopping the Proxy

reaper stop

Common Workflows

Validate a Security Finding

When used with the validate skill (may need to collaborate with the user to setup the test environment):

Start reaper scoped to the application domain
Verify traffic is being captured by running reaper logs — at least one entry should appear after routing a test request through the proxy
If no entries appear, verify proxy settings and domain scope match the target
Authenticate (or ask the user to authenticate) as a normal user and exercise the vulnerable endpoint legitimately
Search for the captured request to understand the expected request format
Craft and send a malicious request that exercises the exploit described in the finding
Inspect the response to determine if the exploit succeeded
Use reaper get <id> to capture the full request/response as evidence

Data Storage

All data is stored in ~/.reaper/:

reaper.db - SQLite database with captured entries
reaper.sock - Unix socket for CLI-to-daemon IPC
reaper.pid - Daemon process ID

The CA certificate is generated fresh in memory on each start and is not persisted.

Weekly Installs

592

Repository

ghostsecurity/skills

GitHub Stars

368

First Seen

Feb 20, 2026

Security Audits

Gen Agent Trust HubFail SocketFail SnykFail

Installed on

claude-code492

github-copilot137

gemini-cli136

codex136

kimi-cli136

amp136

Better Auth 身份验证技能指南：为 TypeScript/JavaScript 应用添加认证

11,300 周安装

Reaper MITM 代理：CLI HTTPS 代理工具，用于应用安全测试与流量分析

🇨🇳中文介绍

Reaper MITM 代理

前提条件

快速参考

相关 Skills

启动代理

配置流量通过代理

查看捕获的流量

最近条目

搜索

检查单个条目

停止代理

常见工作流程

验证安全发现

数据存储