Reaper is an innovative new, open-source proxy created by Ghost Labs that uses a drag-and-drop workflow system to easily create and share automated workflows. This blog will walk you through the installation process, how to complete common BurpSuite tasks within Reaper, and introduces some fuzzing techniques.
If you haven't already downloaded Reaper, get it now on GitHub:

Installing Reaper

  • Make sure that ~/go/bin is in PATH
  • git clone <>
  • cd reaper & run make wails
  • Install dependencies: apt-get install build-essential npm libgtk-3-dev libwebkit2gtk-4.0-dev or brew install npm
  • make install
  • Reaper will be in build/bin. Add it to path! Launch with reaper

👇Installer script👇

👆Installer script 👆

Migrating from BurpSuite

Below I want to outline how to do common tasks you’d often do in BurpSuite but in Reaper.

  • Setting up the project scope, accessing the certificate
  • Intercepting and modifying a request
  • Replaying a request via repeater
  • Fuzzing with intruder

Setting up the Project & Accessing the Certificate

BurpSuite uses project files, in Reaper we use workspaces. Conveniently they are displayed in the main window when first opening Reaper. To access an existing workspace we can click on it in the right pane, or we can create a new one. We’re going to click “Create a new workspace”

Reaper Blog 1

On the next screen, we can set scoping options for our connection. This way we can avoid noisy background browser requests like captive portal checks and requests to ad services appearing in our log. We can always adjust the scope later, but for now, let's enter the domain, and include subdomains and click “create”.

Reaper Blog 2

The advanced section lets us set more specific rules about what protocols, ports, and hosts we want to include or specifically exclude from our scope. The scope is stored in the workspace’s settings configuration, which is the briefcase icon in the bottom left. If we need access to proxy-specific options, click the gear in the bottom left. For example, if we want to change the port our proxy is listening on, we can do so in this menu. More importantly, if we need to export the proxy’s certificate to import into our system trust or Firefox, it can be done here.

Reaper Blog 3

Export this now and save the certificate.


sudo apt-get install -y ca-certificates
sudo cp ~/Downloads/ghost-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates


Press command + spacebar and open Keychain Access

Right click on “System” and click Unlock Keychain "System"

Drag and drop the ghost-ca.crt file into the “System” store.

Reaper Blog 4

Right-click the certificate and click “Get Info” and then set the trust to “Always Trust”. Once the trust is set correctly, the red x icon will change to a blue +.

Reaper Blog 5


Firefox uses its own certificate store separate from the system trust store. To import the CA cert for Firefox, open the “Settings” page and search for “certificate” then click “View Certificates…” and then “Import…”

Reaper Blog 6

Import the ghost-ca.crt file and then select the checkboxes to trust the certificate and click OK.

Reaper Blog 7

Intercepting and Modifying a Request

By default Reaper will not intercept any requests, just log them in the “Log Stream” pane. To access our workspace settings, click the project’s name in the top right and select “Settings”

Reaper Blog 8

Here we can enable and define interception rules. Lets do that now for the domain.

Reaper Blog 9

Now we are ready to intercept our first request! I have made a launcher script that launches Google Chrome with the proxy options preconfigured, so you don’t have to interfere with system proxy settings which will proxy everything through Reaper. Make a request to and you will see the “Intercepted Requests” tab has a notice that 1 request has been intercepted. Click the tab now and we can view the intercepted request.

Reaper Blog 10

Now you can edit the request and click "Send" to forward the request with the modifications. Once the response is received, you can cycle through to the next request by clicking "Next".

Reaper Blog 11

Replaying a Request

To replay a request, simply highlight the request and in the top right, click “Resend”. Note: If you have an intercept rule in place, it will intercept this replayed request so it can be modified before being sent, like in Burp’s repeater tab.

Reaper Blog 12

Alternatively, sometimes you just want to grab a request and play with it using cURL. In this case we can click the drop-down arrow next to “Resend” and click “Copy as curl”.

Reaper Blog 13

Fuzzing with Reaper

Like BurpSuite’s intruder tool, Reaper contains a workflow node that can accomplish some similar tasks to a Sniper/Battering Ram, Pitchfork, and ClusterBomb attack. Click a request we want to import to our workflow and click the drop-down arrow next to “Resend” and click “Create workflow from request”.

Reaper Blog 14

And it will import our request as a “Request” node object. Click that node and we can see our request has been successfully imported. We can modify any of the parameters here. For now, I will show a basic workflow, similar to Intruder’s “Sniper”. Click the + in the top right and add the “Fuzzer” from the menu.

Reaper Blog 15

To actually generate and send our request, we need to add a “Sender” node too. Lets add that and an Output node to capture and generate some output.

Reaper Blog 16

Let's wire it up and send the first request. A “Sender” node needs several inputs: A trigger event to trigger the request. This can come from the “replacements” or from the “start”. The “request” input is the formatted request to use. In this case, the one we imported. Then, move the mouse near the output section of “Start” and the circle will be highlighted. Once that has happened, click and hold the left mouse button and drag the wire over to attach it to the “start” of the “Sender” node. Repeat to wire everything up as shown. Then, click the “Output” node, and in the “Template” section type “Done!”

Reaper Blog 17

Now our basic workflow is ready to run! Click the play arrow in the bottom left and it will fire our request off. Now that we have the basics of wiring up a workflow, let's capture and display our IP address returned in the response. Add another node, this time adding an “Extractor” node. Disconnect our sender’s output from the Output node and instead connect the Sender to the “response” of the Extractor and the output of the Extractor to the Output node. Click the “Extractor” node and select “Entire Body” from the Type menu, and I set the variable I want this captured in to $RESP_BODY$ and then I changed my Output template to the following: My IP is: $RESP_BODY$

In Reaper, variables are named in between two $ characters and can be accessed in anything from output to request nodes, in the event we want to say, replace a header value.

Reaper Blog 18

Reaper Blog 19Then click the play button again, and we should see our IP displayed in the output window!

Reaper Blog 20

Next, let’s try adding a Fuzzer to show a basic fuzz similar to Burp’s Intruder sniper tool. Click on the Fuzzer to open its menu. Let’s change the placeholder variable’s name. We will set it to $PLACEHOLDER$ And change our numeric list to run from 0 to 5. The Fuzzer node will replace anything with that placeholder with the values in its list, during its loop phase. We will need to rewire our workflow to leverage the fuzzer. Anything connected to the right of the fuzzer is “downstream” of the Fuzzer and will be within its loop. Then we need to take advantage of the fuzzer, so I modified the URL in the request to include the $PLACEHOLDER$ variable. I also changed my output template to Request $PLACEHOLDER$, My IP is: $RESP_BODY$

We wire the fuzzer’s “output” to a sender's “replacements” option.

Reaper Blog 21Reaper Blog 22

After clicking play, we can see we fired off 5 requests to,, and so forth.

More advanced fuzzing: Pitch Fork

We can accomplish a similar task as intruder’s “Pitchfork” attack type. To do this, wire up two Fuzzers to the start node. This will loop through each payload set simeltaneously. Lets add another fuzzer node and a merger node. The merger node will merge two sets of variables together to input them into the “replacements” section of the sender.

I simply set mine to use the CSV: a,b,c,d,e and changed my output to Request $PLACEHOLDER$ (Other Stuff $FUZZ$), My IP is: $RESP_BODY$

Reaper Blog 23


You can import this workflow to play with yourself. Download the atk file and click the folder icon in your workflow pane, and select the file to import it.

Reaper Blog 24

More advanced fuzzing: Cluster Bomb

Another common Intruder attack type is the “Cluster Bomb”, which will -++ all possible combinations of the different payload sets. In Reaper, you can consider a Fuzzer node like a for loop. Daisy chaining multiple fuzzers together will create the conditions for a “Cluster Bomb” style attack. I set my Output to Payload Set 1: $FUZZ_A$, Payload Set 2: $FUZZ_B$, My IP is: $RESP_BODY$

And Fuzzer A to use a numeric list from 1-5, and Fuzzer B to use a CSV of a,b,c,d,e,fReaper Blog 25

You can see from the output that it loops over each combination of each fuzzer, like a nested for loop.

I have attached the workflow below so you can import it to your Reaper instance to play around with.



Keep an eye out for more Reaper how-to guides!