Mantis

Open source HTTP security toolkit for bug bounty hunters and security researchers.
A modern alternative to Burp Suite and Caido — single binary, zero dependencies.

mantis.mp4

Features • Quick Start • Usage • REST API • Scripting • Plugins • Building

---

Why Mantis?

Most HTTP security tools are either closed-source, bloated with Java, or require complex setups. Mantis is different:

• Single binary — download and run. No JVM, no Node.js, no Docker.
• Built with Go — fast startup, low memory, native HTTP/2 support.
• Pure Go SQLite — zero CGO, works everywhere Go compiles.
• Extensible — Go scripts (real syntax, not DSLs) and Wasm plugins.
• Modern UI — dark-themed web interface, real-time updates via SSE.
• REST API — automate everything with 35+ API endpoints.

Features

MITM Proxy

Custom proxy engine built on Go's net/http + crypto/tls. Supports HTTP/1.1, HTTP/2 (via ALPN), HTTPS with dynamic per-host certificate generation, and WebSocket passthrough. Handles CONNECT to raw IPs without SNI.

Request History & Search

Every proxied request is logged to SQLite with full-text search (FTS5). Filter by method, status code, host, path, date range, duration, and content type. Export to HAR or copy as cURL.

Interceptor

Pause and inspect requests/responses before they reach the server or browser. Forward, drop, or modify on the fly.

Sender / Repeater

Replay and modify requests manually. Edit method, URL, headers, and body. Send any request from history to the repeater with one click.

Fuzzer

Parameter fuzzer with concurrent worker pool. Supports query params, headers, body fields, path segments, and cookies as insertion points. Includes built-in wordlists:

Wordlist	Payloads	Use Case
sqli-basic	68	SQL injection (UNION, time-based, boolean)
xss-basic	43	XSS (script tags, event handlers, encoding bypasses)
path-traversal	39	Directory traversal (../, URL encoding, OS variants)
common-params	136	Parameter discovery

Custom payload lists, number ranges, and encoding (Base64, URL, double-URL) also supported.

Decoder

Encode/decode utility supporting 8 formats with auto-detection:

Base64 • URL • HTML entities • Hex • JWT • JSON • Gzip • Unicode

Scope Management

Include/exclude rules with glob patterns for hosts and regex for paths. Only in-scope requests are logged and processed.

Match & Replace

Rewrite requests and responses on the fly with regex-based rules. Modify headers, body content, or status codes automatically.

Sitemap

Auto-generated tree view of all discovered hosts, paths, and endpoints aggregated from request history.

Go Scripting

Write request/response transformation scripts in real Go syntax — not a custom DSL. Scripts are interpreted at runtime via Yaegi:

package main

import "github.com/garagon/mantis/pkg/scriptapi"

func OnRequest(req *scriptapi.Request) *scriptapi.Request {
    scriptapi.SetHeader(req.Headers, "X-Custom", "value")
    return req
}

Wasm Plugins

Extend Mantis with WebAssembly plugins compiled from any language (Rust, C, Go via TinyGo). Plugins use a simple host function ABI with KV storage:

mantis_on_request()    → transform requests
mantis_on_response()   → transform responses
mantis_kv_get/set()    → persistent storage per plugin
mantis_log()           → structured logging

REST API

Full REST API (/api/v1/) with Bearer token authentication and JSON envelope responses. 35+ endpoints covering all features — requests, projects, scope, sender, fuzzer, interceptor, and export.

WebSocket Logging

WebSocket frames are captured and logged alongside HTTP traffic for complete visibility.

Quick Start

Install from source

# Requires Go 1.25+
git clone https://github.com/garagon/mantis.git
cd mantis
make build

Run

# Start proxy on :8080, web UI on :8899
./bin/mantis serve

# Custom ports
./bin/mantis serve -p :9090 -w :3000

Trust the CA certificate

# Export the CA cert (generated automatically on first run)
./bin/mantis cert export ~/Desktop

# Then add to your browser or system trust store

Launch Chrome with proxy

# Opens Chrome with proxy pre-configured (separate profile)
./bin/mantis chrome

Then visit http://localhost:8899 for the web UI.

Usage

CLI Commands

mantis serve          Start proxy + web UI
mantis cert export    Export CA certificate for browser trust
mantis cert generate  Generate a new CA certificate
mantis chrome         Launch Chrome with proxy settings
mantis version        Print version

Serve Flags

-p, --proxy-addr string   Proxy listen address (default ":8080")
-w, --web-addr string     Web UI listen address (default ":8899")
-d, --db string           SQLite database path (default "mantis.db")
    --ca-dir string       CA certificate directory (default "~/.mantis/certs")

Handler Pipeline

Every proxied request flows through this pipeline in order:

Scope → Intercept → Scripts → Plugins → Match/Replace → Logging

REST API

All API endpoints are under /api/v1/ and require Bearer token auth:

# 1. Create a token from the web UI (Settings page at http://localhost:8899/settings)
# 2. Use the token for all API calls
curl http://localhost:8899/api/v1/requests \
  -H "Authorization: Bearer <token>"

All endpoints

Method	Endpoint	Description
GET	/api/v1/requests	List/search requests
GET	/api/v1/requests/{id}	Get request detail
DELETE	/api/v1/requests/{id}	Delete request
GET	/api/v1/projects	List projects
POST	/api/v1/projects	Create project
PUT	/api/v1/projects/{id}	Update project
DELETE	/api/v1/projects/{id}	Delete project
POST	/api/v1/projects/{id}/active	Set active project
GET	/api/v1/scope	List scope rules
POST	/api/v1/scope	Create scope rule
PUT	/api/v1/scope/{id}	Update scope rule
DELETE	/api/v1/scope/{id}	Delete scope rule
POST	/api/v1/scope/{id}/toggle	Toggle scope rule
GET	/api/v1/sender	List sender requests
POST	/api/v1/sender	Create sender request
GET	/api/v1/sender/{id}	Get sender request
PUT	/api/v1/sender/{id}	Update sender request
DELETE	/api/v1/sender/{id}	Delete sender request
POST	/api/v1/sender/{id}/send	Send request
GET	/api/v1/fuzzer/configs	List fuzzer configs
POST	/api/v1/fuzzer/configs	Create fuzzer config
POST	/api/v1/fuzzer/configs/{id}/start	Start fuzzer
POST	/api/v1/fuzzer/configs/{id}/stop	Stop fuzzer
GET	/api/v1/fuzzer/configs/{id}/results	Get fuzzer results
GET	/api/v1/interceptor/status	Interceptor status
POST	/api/v1/interceptor/toggle	Toggle interceptor
GET	/api/v1/interceptor/queue	List intercepted items
POST	/api/v1/interceptor/items/{id}/forward	Forward item
POST	/api/v1/interceptor/items/{id}/drop	Drop item
POST	/api/v1/tokens	Create API token
GET	/api/v1/tokens	List API tokens
DELETE	/api/v1/tokens/{id}	Delete API token
GET	/api/v1/export/har	Export all as HAR
GET	/api/v1/export/curl/{id}	Export as cURL

Scripting

Scripts live in ~/.mantis/scripts/ and are managed through the web UI. Each script is a standalone Go file:

package main

import "github.com/garagon/mantis/pkg/scriptapi"

// OnRequest runs before the request reaches the target server.
func OnRequest(req *scriptapi.Request) *scriptapi.Request {
    // Add auth header to all requests
    scriptapi.SetHeader(req.Headers, "Authorization", "Bearer my-token")

    // Modify query parameters
    req.URL = scriptapi.SetQueryParam(req.URL, "debug", "true")

    return req
}

// OnResponse runs before the response reaches the browser.
func OnResponse(resp *scriptapi.Response) *scriptapi.Response {
    // Remove tracking headers
    scriptapi.RemoveHeader(resp.Headers, "X-Request-Id")

    // Replace content in response body
    resp.Body = scriptapi.ReplaceBody(resp.Body, "old-value", "new-value")

    return resp
}

Script API

Function	Description
scriptapi.GetHeader(headers, key)	Get header value (case-insensitive)
scriptapi.SetHeader(headers, key, value)	Set header value
scriptapi.RemoveHeader(headers, key)	Remove header
scriptapi.GetQueryParam(url, key)	Get query parameter
scriptapi.SetQueryParam(url, key, value)	Set query parameter, returns new URL
scriptapi.BodyContains(body, substr)	Check if body contains string
scriptapi.ReplaceBody(body, old, replacement)	Replace in body
scriptapi.Log(msg)	Log a message

Plugins

Wasm plugins are compiled to .wasm and placed in ~/.mantis/plugins/. Any language that targets Wasm/WASI works.

Plugin ABI

Your plugin must export mantis_alloc for memory management and optionally:

Export	Description
mantis_on_request() -> i32	Transform request (return 0=continue, 1=drop)
mantis_on_response()	Transform response

Host functions available to plugins:

Host Function	Description
mantis_get_request_method/url/header/body	Read request data
mantis_set_request_header/body	Modify request
mantis_get_response_status/header/body	Read response data
mantis_set_response_status/header/body	Modify response
mantis_kv_get/set	Persistent key-value storage
mantis_log	Log messages

Building

Prerequisites

• Go 1.25+
• templ — go install github.com/a-h/templ/cmd/templ@latest

Build

make build              # Build binary to bin/mantis
make test               # Run tests with race detector
make lint               # Run golangci-lint
make dev                # Hot reload development (requires air)
make install            # Install to $GOPATH/bin

Cross-compile

GOOS=linux GOARCH=amd64 make build
GOOS=darwin GOARCH=arm64 make build
GOOS=windows GOARCH=amd64 make build

Architecture

cmd/mantis/         CLI entry point (cobra)
internal/
  proxy/            Custom MITM proxy engine (net/http + crypto/tls)
  cert/             Dynamic per-host certificate generation with LRU cache
  reqlog/           Request logging + SQLite + FTS5 full-text search
  sender/           HTTP sender/repeater
  intercept/        Request/response interception engine
  scope/            Host glob + path regex scope rules
  matchreplace/     Regex-based request/response rewriting
  fuzzer/           Concurrent parameter fuzzer with worker pool
  decoder/          Multi-format encode/decode with auto-detection
  sitemap/          SQL-aggregated site tree builder
  script/           Go scripting via Yaegi interpreter
  plugin/           Wasm plugins via Wazero runtime
  api/              REST API v1 (Bearer auth, JSON envelope)
  wslog/            WebSocket frame logging
  project/          Multi-project support
  export/           HAR and cURL export
web/
  handler/          Web UI request handlers
  templates/        templ components (HTMX + Alpine.js + DaisyUI)
  static/           CSS, JS assets
pkg/
  scriptapi/        Public API for Go scripts

Tech Stack

Layer	Technology
Language	Go 1.25+
Database	SQLite via modernc.org/sqlite (pure Go, zero CGO)
Search	FTS5 full-text search
Frontend	templ + HTMX + Alpine.js + Tailwind CSS + DaisyUI
CLI	Cobra
Scripting	Yaegi (Go interpreter)
Plugins	Wazero (Wasm runtime, zero CGO)
CI	GitHub Actions

Contributing

Contributions are welcome. Please open an issue first to discuss what you'd like to change.

# Development workflow
git clone https://github.com/garagon/mantis.git
cd mantis
make deps               # Tidy and verify modules
make dev                # Start with hot reload
make check              # Run lint + tests

License

MIT

---

Built for the security community.