Use MITM proxy to force a race condition when testing asynchronous applications

When testing or building a web application, it is helpful to run your traffic through a proxy so you can see what is happening.

I have used this in my automated testing with great success. It can also be useful in testing the “what-ifs”. Many times you will be presented with a form with rock solid client side validation, form length limits, required fields, et cetera. Any good tester smirks and knows that client side validation is like putting a “please do not eat” sign on a plate of cookies and leaving it in the break room—easy to defeat and a potential insight into information you do not want someone to have.

If you are using Angular or some other modern architecture, you are likely sending most of your data as JSON. The JSON object sent to the client may contain much more data than the browser displays. A proxy lets you see and manipulate the data being sent to the browser, so you can craft different test cases with ease.

Use Man In The Middle proxy

There are many proxies out there. Some popular proxies are Fiddler or Burp. They have their drawbacks, like tedious formulas for intercepting requests or a heavy Java footprint. Man in the Middle Proxy (mitmproxy) is a lightweight Python proxy that runs on the command line. The documentation on their site is pretty good, so I won’t go into how to use it here, apart from a couple of features that are very useful for the testing arsenal.

Follow mode

When running the proxy, it will by default stay at the top of the list of requests. Soon the active requests will trail off the bottom of the screen. Use ‘Shift+F’ to put the proxy in “follow mode”. Think of it like using ‘tail -f’.

Clear

‘Shift+C’ will clear the console.

Intercepting responses to force the race condition

Let’s say you want to mess with the response coming back, either to see how robust the client code is, or to easily test some alternate use cases.

Pressing ‘i’ will allow you to set an intercept filter (there are many; see the help by pressing ‘?’ for more). Then enter ‘~s’ as the filter. This will intercept all responses. You will see the response stop and change to orange in the console. Press ‘enter’ on the response in question. Follow the on-screen prompts to edit at will, then press ‘a’ to accept the response and move on. One huge advantage over Burp is that you can do this asynchronously. You do not have to accept the responses in order. This enables you to force XHR requests to come back in an order that may not have been anticipated by developers, which lets you test for race conditions and other unexpected side effects.
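What accepting responses out of order exposes in client code, as an added example that is not part of the original post: a constructed JavaScript simulation in which the user selects record 1 and then record 2, and the two responses are released in reverse. `HoldingProxy`, `NaiveView`, `GuardedView` and `runScenario` are hypothetical names; `HoldingProxy` only stands in for a proxy that holds responses until the tester accepts them.

```javascript
// Constructed stand-in for an intercepting proxy: every response is held
// until the tester accepts it, in whatever order the tester picks.
class HoldingProxy {
  constructor() { this.held = []; }
  request(id, onResponse) {
    // The response is ready but not delivered until release() is called.
    this.held.push(() => onResponse({ id, body: `details for record ${id}` }));
  }
  release(order) {
    for (const i of order) this.held[i]();
    this.held = [];
  }
}

// Naive client: renders whichever response arrives last.
class NaiveView {
  constructor(proxy) { this.proxy = proxy; this.selected = null; this.shown = null; }
  select(id) {
    this.selected = id;
    this.proxy.request(id, (res) => { this.shown = res.body; });
  }
}

// Guarded client: drops any response that is not for the latest request.
class GuardedView {
  constructor(proxy) { this.proxy = proxy; this.selected = null; this.shown = null; this.seq = 0; }
  select(id) {
    this.selected = id;
    const mine = ++this.seq;
    this.proxy.request(id, (res) => {
      if (mine !== this.seq) return; // stale: a newer request was issued
      this.shown = res.body;
    });
  }
}

// User clicks record 1, then record 2; responses are accepted in `order`.
function runScenario(View, order) {
  const view = new View(new HoldingProxy());
  view.select(1);
  view.select(2);
  view.proxy.release(order);
  return { selected: view.selected, shown: view.shown };
}

console.log(runScenario(NaiveView, [1, 0]));   // selected 2, shows record 1
console.log(runScenario(GuardedView, [1, 0])); // selected 2, shows record 2
```

With in-order release (`[0, 1]`) both views behave the same, which is why this kind of bug rarely shows up without a way to hold and reorder responses.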

Installation Notes

I could not make the pip installer work on OSX. I did not really try very hard. I typed it, it failed, so I used the binary. Then I typed:

./mitmproxy

pointed my browser at it, and it worked. I have @bmecham to thank for making me try it. It did not look awesome at first glance. But it is.