Posted by handfuloflight 3 days ago

Charles Proxy (www.charlesproxy.com)
328 points | 119 comments | page 2
rramadass 3 days ago|
How does "Zed Attack Proxy" (ZAP - https://www.zaproxy.org/), which is open source and part of OWASP (https://owasp.org/www-community/Free_for_Open_Source_Applica...), compare with this and other similar proxies?
doomerhunter 3 days ago||
I am a Burp guy, but lately Caido[1] has been trending, pretty lightweight and can be run in headless mode. It's still very security-oriented (as Burp Suite is), but might be worth your time, notably as you can run it on a VPS/container to proxy all your traffic through it (which is by design, contrary to my beloved Burp/ZAP).

[1] https://caido.io/

Sytten 3 days ago|
Caido co-founder here, thanks for the shoutout! We are slowly moving to the DevSecOps space too.
doomerhunter 2 days ago|||
My pleasure, your team is doing a great job and it's good to see competition in that space, forces everyone to push forward :D
ghxst 3 days ago|||
Please consider allowing the user to modify the TLS handshake / ClientHello. Out of all proxies I have used, only Burp offers this through a plugin / extension.
Sytten 1 day ago||
Agreed this is something we need to do, but not easy to do properly. The TLS 1.3 spec has a lot of extensions; currently we use OpenSSL, which for example doesn't support GREASE.
infomaniac 3 days ago||
Fantastic software that I've used for over a decade. Interacted with Karl a few years ago about Adobe's AMF format; very generous with his time. I was surprised to learn that it's over 20 years old! https://en.wikipedia.org/wiki/Charles_Proxy
sponno 3 days ago|
I just texted Karl to say he’s on the front page of HN. I was the same. Charles was soo good for ol' AMF!! Still miss Flash.
swaraj 3 days ago||
I once used Charles Proxy to change all the game configs for Candy Crush Saga on my phone back in 2013 by intercepting and replacing the API requests - I made all the puzzles have 1-2 colors and infinite powerups. I guess they didn't care much about the security because I ended up spending way more time in the game
h33t-l4x0r 3 days ago||
I loved Charles, I used it for many years. It only stopped when an update changed the UI in ways that were confusing, and also the Chrome network tab really did everything I need in terms of inspecting requests / responses.
snyp 3 days ago||
A much better alternative for macOS folks: https://proxyman.com/
ollysb 3 days ago|
I used Charles for many years but Proxyman's performance is a real step up.
dhuan_ 3 days ago||
I’ve found tools like Charles really useful for understanding what’s happening on the wire. When I need something more repeatable (tests, offline work), I usually reach for a mock server instead. I ended up building a small one for my own use and later open-sourced it:

https://dhuan.github.io/mock/latest/examples.html

dacapoday 1 day ago||
Why not Reqable (https://reqable.com/en-US/)? More modern, more powerful.
dilyevsky 3 days ago||
Is there a story behind misusing the term "reverse proxy" as it is clearly a forward proxy?
kyleblarson 3 days ago|
The combination of Charles + Postman is great for reverse engineering mobile APIs. Inspect traffic w/ Charles, export request to cURL, import cURL into Postman, play around with request headers / params / etc, export to py, use Cursor to create reusable library.
oxedom 3 days ago|
Out of curiosity, what would the setup for reverse engineering an iOS/Android app look like using Charles Proxy?