interseptor

module
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 10, 2026 License: MIT

README

Interseptor

CI Release Go

"Interseptor" — from the Indonesian slang intersep (to intercept), plus -tor. It does exactly what it says on the tin: it interseps your HTTP/HTTPS traffic so you don't have to squint at DevTools like it's 2014.

A native intercepting proxy + security-testing toolkit, shipped as one static Go binary — no JVM to warm up, no license dongle, no "upgrade to Pro to export more than 3 findings." Point traffic at it, watch it flow, break things (yours, or things you're allowed to break).

Built for the AI-assisted pentester. You drive a fast web UI; your AI assistant drives the exact same engine through a real MCP server and a REST/SSE API — listing flows, replaying and mutating requests, fuzzing, scanning, toggling intercept — all under your direction, all on your machine, nothing phoned home.

⚖️ Responsible use. Interseptor is for testing systems you own or are explicitly authorized to test. Pointing it at traffic that isn't yours, or systems you don't have permission to test, is illegal in most places. That one's on you, not us.


What it does

  • Intercept & edit HTTP/HTTPS live (hold, forward, drop — requests and responses) via a local CA, with match-&-replace rules.
  • Repeater & Intruder — resend and mutate requests by hand, or run Sniper/Pitchfork/Race attacks with grep-match/extract and anomaly flagging.
  • Scanner — passive checks out of the box, plus a deterministic active-scan engine, plus an autonomous Autopilot mode that plans and runs its own testing and files only findings it can prove (differential repro → adversarial review → OOB proof → human confirm for the scary ones).
  • Extensible — write your own passive/active checks in sandboxed Starlark, no fork required.
  • Mobile-ready — Android and iOS setup for HTTPS interception on real devices.
  • AI & API native — a full MCP server (83 tools) and a REST/SSE API so an agent or script drives the same core as the UI, plus BYO-key AI assist for explaining requests and suggesting payloads.

That's the highlight reel — the full feature list covers WebSockets, HAR import/export, project bundles, collaboration/remote access, session & login macros, and more.

Get it running

Requires Go 1.25+, no cgo:

go install github.com/Veyal/interseptor/cmd/interseptor@latest
interseptor

That starts the proxy on 127.0.0.1:8080 and the UI on 127.0.0.1:9966. Point your traffic at the proxy, trust the CA from Settings to decrypt HTTPS, and you're intersep-ing.

Prebuilt binaries, interseptor update, building from source, environment variables, and running several projects at once are all in Getting started.

Docs

Getting started Install, quick start, HTTPS setup, configuration, multi-project
Full feature list Every capability, in detail
API & MCP Drive Interseptor from an AI agent or a script
Architecture Security model, package layout, UI structure
Custom checks · active checks Author your own Starlark checks
Contributing Code standards, TDD, commit style, cutting a release
Security policy Reporting a vulnerability in Interseptor
Roadmap & strategy Why this exists, what's next, benchmarks
Changelog What shipped, when

License

MIT © 2026 veyal.

Directories

Path Synopsis
cmd
interseptor command
Command interseptor runs the Interseptor intercepting proxy: an HTTP/HTTPS forward proxy plus a localhost control plane that serves the web UI.
Command interseptor runs the Interseptor intercepting proxy: an HTTP/HTTPS forward proxy plus a localhost control plane that serves the web UI.
internal
activescan
Package activescan is the deterministic active-scan engine: it enumerates the injection points of a request, fires per-class payloads at them through a caller-supplied sender, and confirms vulnerabilities with detectors.
Package activescan is the deterministic active-scan engine: it enumerates the injection points of a request, fires per-class payloads at them through a caller-supplied sender, and confirms vulnerabilities with detectors.
activescript
Package activescript runs user-authored ACTIVE scanner checks written in Starlark — the active twin of internal/checkscript.
Package activescript runs user-authored ACTIVE scanner checks written in Starlark — the active twin of internal/checkscript.
aiagent
Package aiagent provides a provider-agnostic, budgeted tool-calling agent loop for the autonomous-pentest engine.
Package aiagent provides a provider-agnostic, budgeted tool-calling agent loop for the autonomous-pentest engine.
aiassist
Package aiassist is an optional, bring-your-own-key bridge to an LLM that explains requests, suggests payloads, and summarizes findings.
Package aiassist is an optional, bring-your-own-key bridge to an LLM that explains requests, suggests payloads, and summarizes findings.
android
Package android configures a USB-connected Android device for HTTPS interception via adb.
Package android configures a USB-connected Android device for HTTPS interception via adb.
auth/jwtextract
Package jwtextract pulls JWT-shaped tokens from HTTP flows (Bearer header, JSON fields, URL path/query, cookies) for cross-host replay and SSO testing.
Package jwtextract pulls JWT-shaped tokens from HTTP flows (Bearer header, JSON fields, URL path/query, cookies) for cross-host replay and SSO testing.
autopwn
Package autopwn is the autonomous-pentest ("Autopilot") run engine: the Phase-2 orchestration core that reads captured in-scope history, plans and executes active security testing using Interseptor's own ~84 tools, verifies every candidate through the 4-gate verifier, and files ONLY machine-proven findings.
Package autopwn is the autonomous-pentest ("Autopilot") run engine: the Phase-2 orchestration core that reads captured in-scope history, plans and executes active security testing using Interseptor's own ~84 tools, verifies every candidate through the 4-gate verifier, and files ONLY machine-proven findings.
bind
Package bind holds listen-address policy shared by the CLI and control plane.
Package bind holds listen-address policy shared by the CLI and control plane.
capture
Package capture streams HTTP bodies into the store as they pass through, without buffering them in memory.
Package capture streams HTTP bodies into the store as they pass through, without buffering them in memory.
checkscript
Package checkscript runs user-authored passive scanner checks written in Starlark — a small, Python-like, deterministic language.
Package checkscript runs user-authored passive scanner checks written in Starlark — a small, Python-like, deterministic language.
codec
Package codec — body.go: HTTP response-body decompression helpers shared by control (display decoding) and intruder (grep decoding).
Package codec — body.go: HTTP response-body decompression helpers shared by control (display decoding) and intruder (grep decoding).
control
Package control serves the Interseptor UI and the REST + SSE control API on the fixed localhost control port.
Package control serves the Interseptor UI and the REST + SSE control API on the fixed localhost control port.
curlgen
Package curlgen renders a captured request as a runnable curl command, so a tester (or the AI) can reproduce and iterate on it in a terminal.
Package curlgen renders a captured request as a runnable curl command, so a tester (or the AI) can reproduce and iterate on it in a terminal.
harx
Package harx converts captured flows to and from the HAR 1.2 (HTTP Archive) format for interop with browsers, Postman, and other tooling.
Package harx converts captured flows to and from the HAR 1.2 (HTTP Archive) format for interop with browsers, Postman, and other tooling.
hostpattern
Package hostpattern matches host strings against simple scope-style patterns (exact, *.wildcard).
Package hostpattern matches host strings against simple scope-style patterns (exact, *.wildcard).
httplines
Package httplines normalizes HTTP header input from APIs and MCP tools.
Package httplines normalizes HTTP header input from APIs and MCP tools.
intercept
Package intercept implements the request hold queue (Burp-style intercept) and the request-side match-&-replace engine.
Package intercept implements the request hold queue (Burp-style intercept) and the request-side match-&-replace engine.
intruder
Package intruder runs payload-driven attacks (Sniper, Pitchfork) against a request template whose fuzz points are wrapped in §…§ markers.
Package intruder runs payload-driven attacks (Sniper, Pitchfork) against a request template whose fuzz points are wrapped in §…§ markers.
ios
Package ios configures iOS simulators and devices for HTTPS interception.
Package ios configures iOS simulators and devices for HTTPS interception.
launcher
Package launcher tracks running per-project Interseptor instances so a single dashboard process can start/stop/discover them: the registry is a small JSON file (~/.interseptor/instances.json) mapping project name to {controlAddr, proxyAddr, pid}, written by whichever process spawns an instance and pruned lazily via Reconcile.
Package launcher tracks running per-project Interseptor instances so a single dashboard process can start/stop/discover them: the registry is a small JSON file (~/.interseptor/instances.json) mapping project name to {controlAddr, proxyAddr, pid}, written by whichever process spawns an instance and pruned lazily via Reconcile.
mcp
Package mcp implements a Model Context Protocol server over stdio so an AI agent can operate Interseptor as a set of tools.
Package mcp implements a Model Context Protocol server over stdio so an AI agent can operate Interseptor as a set of tools.
netutil
Package netutil provides helpers for enumerating local network addresses.
Package netutil provides helpers for enumerating local network addresses.
oob
Package oob is an out-of-band interaction catcher for blind-vulnerability testing (blind SSRF / XXE / SQLi / RCE).
Package oob is an out-of-band interaction catcher for blind-vulnerability testing (blind SSRF / XXE / SQLi / RCE).
proc
Package proc discovers and stops running Interseptor processes by image name.
Package proc discovers and stops running Interseptor processes by image name.
proxy
Package proxy implements an intercepting HTTP/HTTPS forward proxy that captures every flow.
Package proxy implements an intercepting HTTP/HTTPS forward proxy that captures every flow.
report
Package report renders scanner findings as a human-readable Markdown report, ready to paste into a pentest writeup.
Package report renders scanner findings as a human-readable Markdown report, ready to paste into a pentest writeup.
scanner
Package scanner runs passive security checks over captured flows.
Package scanner runs passive security checks over captured flows.
scope
Package scope evaluates target-scope rules: which flows are "in scope" for an engagement.
Package scope evaluates target-scope rules: which flows are "in scope" for an engagement.
sender
Package sender issues one-off HTTP/HTTPS requests directly to a target (bypassing the proxy listener) and records each as a flow.
Package sender issues one-off HTTP/HTTPS requests directly to a target (bypassing the proxy listener) and records each as a flow.
store
Package store persists flow metadata in SQLite and bodies on disk.
Package store persists flow metadata in SQLite and bodies on disk.
sysproxy
Package sysproxy points the operating system's HTTP/HTTPS proxy at Interseptor (and turns it back off).
Package sysproxy points the operating system's HTTP/HTTPS proxy at Interseptor (and turns it back off).
tlsca
Package tlsca manages a local certificate authority for TLS interception: it loads or generates a CA, then mints and caches short-lived per-host leaf certificates signed by that CA so the proxy can terminate client TLS.
Package tlsca manages a local certificate authority for TLS interception: it loads or generates a CA, then mints and caches short-lived per-host leaf certificates signed by that CA so the proxy can terminate client TLS.
tunnel
Package tunnel manages a Cloudflare "quick tunnel" (cloudflared) as a child process, exposing the local control plane at a public https://*.trycloudflare.com URL with no account or public IP required.
Package tunnel manages a Cloudflare "quick tunnel" (cloudflared) as a child process, exposing the local control plane at a public https://*.trycloudflare.com URL with no account or public IP required.
verify
Package verify holds the deterministic, LLM-free primitives of the autonomous pentester's 4-gate verifier (see docs/AUTONOMOUS-PENTEST.md §5): Gate 1, differential reproduction, and the mechanism behind Gate 3, out-of-band (OOB) confirmation.
Package verify holds the deterministic, LLM-free primitives of the autonomous pentester's 4-gate verifier (see docs/AUTONOMOUS-PENTEST.md §5): Gate 1, differential reproduction, and the mechanism behind Gate 3, out-of-band (OOB) confirmation.
version
Package version is the single source of truth for the build version and a best-effort "is a newer release out?" check against the GitHub tags.
Package version is the single source of truth for the build version and a best-effort "is a newer release out?" check against the GitHub tags.
wsrepeater
Package wsrepeater opens a fresh WebSocket connection to a target, sends one message, and captures the frames the server returns — a "Repeater" for WebSockets.
Package wsrepeater opens a fresh WebSocket connection to a target, sends one message, and captures the frames the server returns — a "Repeater" for WebSockets.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL