Kampala – Reverse Engineer Any Web App Into a Stable API
Kampala is a native MITM proxy for macOS that intercepts HTTP traffic from any app, traces auth chains, and lets you replay flows as automation scripts.
TL;DR
Kampala is a macOS MITM proxy that lets you reverse engineer web apps, trace authentication flows, and export captured sequences as reusable automation scripts.
Source and Accuracy Notes
- Product: https://www.zatanna.ai/kampala
- Company: Zatanna (YC W26)
- HN Launch: Show HN: Kampala (YC W26) — 100 points
What Is Kampala?
Kampala is a native macOS application from Zatanna (a YC W26 company) that acts as a local MITM (man-in-the-middle) proxy. You route traffic from any app — browsers, mobile apps, desktop apps — through Kampala’s proxy, and it captures every HTTP/S request in real time.
The core value proposition: instead of manually figuring out how a web app works by inspecting network tabs, you get a dedicated desktop tool that maps out the full request chain, authentication flows, and data payloads. From there, you can replay any sequence as a stable automation or export it for further analysis.
This is particularly useful for:
- Reverse engineering undocumented APIs — when a service has no public API docs, Kampala lets you observe the real requests and reconstruct them.
- Automating legacy web apps — apps locked behind UI with no automation hooks can be driven by replaying captured request sequences.
- Auth chain analysis — understand how tokens, cookies, and session state flow through a multi-step login or API call sequence.
- Building integrations — capture a workflow once, then replay it programmatically.
How It Works
Step 1: Install and Trust the Certificate
Kampala runs as a local proxy on your Mac. On first launch it generates a root CA certificate that you add to your system’s trust store. Since Kampala inspects HTTPS traffic, this certificate is necessary for decrypting encrypted requests.
Kampala prompts you to install its CA certificate into Keychain Access. After trusting the certificate, toggle the proxy on.
Step 2: Route Traffic Through the Proxy
Configure your system proxy settings (or app-level proxy) to point to localhost:8080 (Kampala’s default port). Alternatively, use the built-in browser within Kampala to start capturing immediately.
Step 3: Use the App Normally
Browse, log in, or run whatever workflow you want to reverse engineer. Kampala records every request and response in the background.
Step 4: Inspect the Flow
The main Kampala UI shows a timeline of all intercepted requests. You can filter by host, content type, or custom regex, inspect request/response headers and bodies, and see the full auth chain — which requests set cookies, carry tokens, or trigger redirects.
Step 5: Replay or Export
Select any captured sequence and replay it directly from Kampala. You can also export sequences as portable automation definitions.
Features
Full Traffic Interception
Kampala intercepts every HTTP and HTTPS request from any application that routes through the system proxy — not just browsers. Mobile apps with proxy support, desktop clients, and CLI tools all flow through the same tap.
Auth Chain Tracing
Auth chain tracing is one of the more sophisticated features. Kampala automatically maps out how authentication state propagates across a sequence of requests: which call sets a session cookie, which call refreshes a token, and which call requires that token. Instead of manually tracing cookie headers across dozens of requests, the tool builds a visual auth chain for you.
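The dependency mapping described above can be reproduced over any ordered capture. This is an added example, not Kampala's code or export format: the `CAPTURE` layout, hostnames and credential values are constructed, and `trace_auth_chain` and `prerequisites` are hypothetical helper names.

```python
from http.cookies import SimpleCookie

# Constructed capture for illustration; this is NOT Kampala's export format.
CAPTURE = [
    {"id": 1, "url": "https://app.example.test/login", "req": {},
     "resp": [("Set-Cookie", "sid=abc123; HttpOnly; Secure; Path=/")], "json": {}},
    {"id": 2, "url": "https://app.example.test/oauth/token",
     "req": {"Cookie": "sid=abc123"}, "resp": [],
     "json": {"access_token": "tok-789xyz"}},
    {"id": 3, "url": "https://app.example.test/api/orders",
     "req": {"Cookie": "sid=abc123", "Authorization": "Bearer tok-789xyz"},
     "resp": [], "json": {"orders": []}},
]

def trace_auth_chain(capture):
    """Return (issuer_id, consumer_id, credential) edges in capture order."""
    issued, edges = {}, []          # issued: secret value -> (request id, label)
    for entry in capture:
        # Credentials this request presents: cookie values and bearer tokens.
        cookies = SimpleCookie(entry["req"].get("Cookie", ""))
        presented = [m.value for m in cookies.values()]
        auth = entry["req"].get("Authorization", "")
        if auth.lower().startswith("bearer "):
            presented.append(auth[7:].strip())
        for value in presented:
            if value in issued:
                edges.append((issued[value][0], entry["id"], issued[value][1]))
        # Credentials this response issues: Set-Cookie headers and JSON token fields.
        for name, value in entry["resp"]:
            if name.lower() == "set-cookie":
                for m in SimpleCookie(value).values():
                    issued[m.value] = (entry["id"], "cookie:" + m.key)
        for field in ("access_token", "refresh_token"):
            if field in entry["json"]:
                issued[entry["json"][field]] = (entry["id"], "json:" + field)
    return edges

def prerequisites(edges, target):
    """Request ids that must be replayed before `target`, transitively."""
    needed, stack = set(), [target]
    while stack:
        node = stack.pop()
        for src, dst, _ in edges:
            if dst == node and src not in needed:
                needed.add(src)
                stack.append(src)
    return sorted(needed)
```

Matching on credential values rather than names is what links a JSON `access_token` in one response to a `Bearer` header in a later request.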
Flow Replay and Export
Captured sequences can be replayed directly from the Kampala UI. For automation, sequences can be exported and fed into external scripts or pipelines. This is where Kampala transitions from analysis tool to workflow automation building block.
Fingerprint Preservation
When replaying captured requests, Kampala preserves the original HTTP/TLS fingerprint: the specific set of client hello parameters, cipher suites, and extension ordering that a real client would send. This matters because many backend services detect and block clients with unusual fingerprints. Preserving the fingerprint means replayed traffic looks identical to the original client, reducing the chance of anti-bot detection.
Practical Evaluation Checklist
- Proxy setup — Does it intercept HTTPS cleanly after installing the CA cert?
- UI responsiveness — Does the traffic list stay smooth with hundreds of captured requests?
- Auth chain visualization — Does it correctly identify token and cookie dependencies?
- Replay accuracy — Do replayed requests produce the same responses as the originals?
- Export format — Are exported sequences in a usable format (JSON, cURL, etc.)?
- macOS-specific — Windows support is in progress (waitlist available). If you need Windows today, this is a blocker.
- Certificate trust — Requires adding a custom CA to the system trust store. In enterprise environments with certificate inspection, this may conflict with existing policies.
Security Notes
Kampala is a security research and development tool. Installing a custom CA and routing traffic through a local MITM proxy means Kampala can read everything you send through it — including passwords, session tokens, and API keys. Do not route traffic through Kampala on networks you don’t trust, and never install the CA certificate on systems where you don’t have full administrative control.
The certificate is generated locally and never leaves your machine. Traffic inspection happens entirely on-device.
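Because a capture holds the passwords, session tokens and API keys mentioned above, a captured flow should be scrubbed before it is shared or committed. The following is an added example, not part of Kampala: the entry layout in `SAMPLE` is a constructed assumption rather than Kampala's export format, and the helper names and key patterns are hypothetical.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode

REDACTED = "[REDACTED]"
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie",
                  "set-cookie", "x-api-key"}
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|session", re.I)

def redact_value(value):
    """Recursively mask anything stored under a secret-looking key."""
    if isinstance(value, dict):
        return {k: REDACTED if SECRET_KEY.search(k) else redact_value(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_value(v) for v in value]
    return value

def redact_message(msg):
    """Mask credential headers and secret body fields in one request or response."""
    out = copy.deepcopy(msg)        # never mutate the original capture
    out["headers"] = {k: REDACTED if k.lower() in SECRET_HEADERS else v
                      for k, v in out["headers"].items()}
    ctype = next((v for k, v in msg["headers"].items()
                  if k.lower() == "content-type"), "")
    body = out.get("body") or ""
    if "json" in ctype:
        try:
            out["body"] = json.dumps(redact_value(json.loads(body)))
        except ValueError:
            out["body"] = REDACTED  # unparseable JSON: fail closed
    elif "x-www-form-urlencoded" in ctype:
        pairs = parse_qsl(body, keep_blank_values=True)
        out["body"] = urlencode([(k, REDACTED if SECRET_KEY.search(k) else v)
                                 for k, v in pairs])
    return out

def redact_entry(entry):
    """Redact both sides of one captured request/response pair."""
    return {side: redact_message(entry[side]) for side in ("request", "response")}

# Constructed sample entry (assumed layout, not Kampala's export format).
SAMPLE = {
    "request": {"headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": "user=alice&password=hunter2"},
    "response": {"headers": {"Content-Type": "application/json",
                             "Set-Cookie": "sid=abc123; HttpOnly"},
                 "body": '{"access_token": "tok-789xyz", "user": {"name": "alice"}}'},
}
```

Key-name matching will miss secrets carried in URLs, custom headers or unusually named fields, so review the redacted output before it leaves the machine.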
FAQ
Q: Is Kampala available for Windows?
A: Not yet. The team is working on Windows support and you can join the waitlist via a Google Form on the Kampala website. macOS is the current focus.
Q: How is this different from browser DevTools Network tab?
A: DevTools only captures browser traffic and doesn’t persist across sessions. Kampala is a dedicated desktop application that captures from any proxy-aware application, preserves full request histories across sessions, and provides features purpose-built for replay and automation — not just inspection.
Q: Does this work with mobile apps?
A: Any app that respects system proxy settings will route through Kampala. Mobile apps with hardcoded proxy settings or certificate pinning will not work without additional configuration.
Q: What happens when the target app updates and changes its API?
A: Kampala records the requests as they were at the time of capture. If the app changes its API, you need to recapture the flow. With the request-level approach, unlike UI automation, even a small UI change can break an automation if the underlying API call changed, but the benefit is that you can see exactly what changed by comparing captured sequences.
Q: Is there a CLI or API for programmatic control?
A: The primary interface is the native macOS app. Exporting sequences for use in external scripts is the current automation path. Deeper API access may come in future releases.
Conclusion
Kampala is a polished, macOS-native MITM proxy that brings together traffic interception, auth chain analysis, and flow replay in a single tool. For developers building integrations with third-party services, automating legacy web apps, or researching how undocumented APIs work, Kampala makes the reverse engineering process more systematic and less ad-hoc. Windows users can join the waitlist, but the macOS release is production-ready.
Official site: https://www.zatanna.ai/kampala