Launch HN: Kampala (YC W26) – Reverse-Engineer Apps into APIs

55 points - today at 3:19 PM


Hey! I am Alex and together with my co-founder Tarun built Kampala (https://www.zatanna.ai/kampala). It’s a man-in-the-middle (MITM) style proxy that allows you to agentically reverse engineer existing workflows without brittle browser automation or computer use agents. It works for websites, mobile apps, desktop apps.

Demo: https://www.youtube.com/watch?v=z_PeostC-b4. Many people spend hours per day in legacy dashboards and on-prem solutions reconciling data across platforms. Current attempts at automation use browser automations or computer use agents which are brittle, slow, and nondeterministic. I come from a web reverse engineering background and spent the last 7-8 years building integrations by hand for sneaker/ticket releases, sportsbooks logins, and everything in between. During that time I consulted for several companies and brought them off of browser based infrastructure into the requests layer.

When we started Zatanna (that’s our company name) we worked in dental tech, which meant we had to deal with tons of insurance payer dashboards and legacy dental-practice solutions. Our superpower (as a fairly undifferentiated voice agent/front desk assistant company) was that we could integrate with nearly any system requested. During this time we built extensive tooling (including what we’re now calling Kampala) to allow us to spin up these integrations quickly. Existing MITM proxies and tooling didn’t work for a few reasons: (1) They manipulated the TLS and HTTP2 fingerprint over the wire which was detected by strict anti-bots. (2) They had bad MCPs which did not adequately expose necessary features like scripts/replay. (3) They did not allow for building workflows or actions given a sample or sequence of requests.

As the tools we built got more powerful, we began to use them internally to scrape conference attendees, connect to external PMS systems, and interact with slack apps. I even sent it to my property manager mom, who (with a lot of help from me lol), automated 2-3 hours of billing information entry in Yardi. At that point we realized that this wasn’t really about dentistry :)

Because Kampala is a MITM, it is able to leverage existing session tokens/anti-bot cookies and automate things deterministically in seconds. You can either use our agent harness that directly creates scripts/apis by prompting you with what actions to make, or our MCP by manually doing a workflow once, and asking your preferred coding agent to use Kampala to make a script/API to replicate it. Once you have an API/script, you can export, run, or even have us host it for you.

We think the future of automation does not consist of sending screenshots of webpages to LLMs, but instead using the layer below that computers actually understand. Excited to hear your thoughts/questions/feedback!

Comments

ksri today at 3:54 PM
Related. We have several third party web apps in use. These apps don't expose a public api, but they are all single page web apps. We wanted to connect claude code to these web apps for our limited use case.

We opened chrome, navigated the entire website, then downloaded the network tab as an har file. Then asked claude to analyze and document the apis as an openapi json. Worked amazing.

Next step - we wrote a small python script. On one side, this script implements stdio mcp. On the other side, it calls the Internal apis exposed by the 3rd party app. Only thing missing is the auth headers..

This is the best part. When claude connects to the mcp, the mcp launches a playwright controlled browser and opens the target web application. It detects if the user is logged in. Then it extracts the auth credentials using playwright, saves them to a local cache file and closes the browser. Then it accesses the apis directly - no browser needed thereafter.

In about an hour's worth of tokens with claude, we get a mcp server that works locally with each user's credentials in a fairly reliable manner. We have been able to get this working in otherwise locked down corporate environments.
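
A HAR export like the one described in this comment contains the live `Authorization` and cookie values of the logged-in user, so the following added example (not part of the comment, and not ksri's script) blanks them before the capture is handed to a model and derives the endpoint list from the cleaned copy. The header list, host, token and cookie values are assumptions constructed for illustration.

```python
import copy
import json
import re
from urllib.parse import urlsplit

# Headers that carry credentials in a browser capture (assumed list; extend per app).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-csrf-token", "x-api-key"}
REDACTED = "[REDACTED]"

def redact_har(har):
    """Return a copy of the HAR with credential-bearing header and cookie values blanked."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for msg in (entry["request"], entry["response"]):
            for header in msg.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
    return clean

def endpoint_inventory(har):
    """Unique (method, path) pairs, with numeric path segments collapsed to {id}."""
    seen = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        path = re.sub(r"/\d+(?=/|$)", "/{id}", urlsplit(req["url"]).path)
        seen.add((req["method"], path))
    return sorted(seen)

def leaked(har, secrets):
    """List the known secret strings that still occur anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]

# Constructed sample capture (host, token and cookie values are made up).
TOKEN, SESSION = "constructed-token-abc123", "constructed-session-xyz"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/api/v1/invoices/1042?page=2",
                 "headers": [{"name": "Authorization", "value": "Bearer " + TOKEN},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": SESSION}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=" + SESSION + "; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": SESSION}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/v1/invoices",
                 "headers": [{"name": "Cookie", "value": "sid=" + SESSION}], "cookies": []},
     "response": {"status": 201, "headers": [], "cookies": []}},
]}}

if __name__ == "__main__":
    safe = redact_har(SAMPLE_HAR)
    print(endpoint_inventory(safe), leaked(safe, [TOKEN, SESSION]))
```

This pass covers headers and cookie arrays only; tokens embedded in request bodies or query strings need their own handling.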

5701652400 today at 6:48 PM
smells like severe breach of ToS. virtually every single website and app mandates not to reverse engineer and not to tamper with inner workings (including client-server networking).

side note, YC25/YC26 batches have multiple startups that blatantly violate ToS and are sitting on a timebomb just pending a lawsuit and Cease and Desist Letters.

peterabbitcook today at 6:03 PM
It seems like it’s quite HTTP-centric (like most of the web…). I didn’t see anything on the page about this - can it also intercept / “reverse engineer” service calls that go over gRPC or WebSocket? I’m guessing at least a partial “yes” if the gRPC traffic uses grpc-web/Envoy?

Seems like a great product, potentially quite powerful for automated testing of SPAs.

IMTDb today at 4:42 PM
Congratulations.

How do you handle SSL pinning ? Most of the apps I interact with have some sort of SSL pinning, which is the hard part to circumvent. I tried Kampala but got stuck at the usual place; as soon as I enable it, chatGPT stops working. Most of my iPhone apps stop responding etc.

I would love to try using this tool to build an agent that can simply subscribe me to my gym lessons instead of me having to go on the horrible app. But even that relatively simple (iOS) app stopped working as soon as I enabled the proxy.

dataviz1000 today at 4:07 PM
I built the same thing as this just for websites. [0] I'm more interested in using Claude recursion to tune itself -- the agent writes itself, the agent -- than hacking websites. It is a good demonstration that 47 iterations of a recursive Claude agent writing itself to decompose any transport.

I've tested it against YouTube, Twitch, Ticketmaster, and Yahoo Finance. It will detect any transport like JSON, WebSocket, GraphQL, SSE, Protobuf, UDP, WebRTC, etc. It after 3 hours and some coaching succeeded in reverse engineering ChatGPT + Cloudflare Turnstile but I didn't merge that into it yet.

It works by Claude using the Chrome DevTools Protocol (CDP) intercepting all traffic.

[0] https://github.com/adam-s/intercept?tab=readme-ov-file#how-i...

telecuda today at 4:38 PM
Congrats. You may want to consider dropping the "reverse engineer" language though, since most every application's ToS is clear on that being prohibited. Perhaps just "replay any application" or similar.

madradavid today at 4:19 PM
Congratulations on the launch.

Totally unrelated, I am just curious about why you chose the name, as someone who is Ugandan and was born and raised in Kampala (which is the Capital City of Uganda BTW).

Congratulations again.

5701652400 today at 6:55 PM
so if API is published, there is nothing to reverse engineer.

and if API is not published, and you MITM with self-compromised CAs, and then use it (commercially?) you ~100% breaking ToS.

this is just unethical. or YC does not have regard anymore for such things?

mkirsten today at 3:39 PM
Cool! Links on the page don't work, at least not for me, e.g., https://www.zatanna.ai/kampala#how-it-works

Also not clear on the page if it is apps from the local machine or on the network. Maybe some clearer examples and use cases would help?

Sytten today at 3:38 PM
Interesting product (Caido co-founder here). It is very hard to nail auth, probably the most underlooked aspect by end users. We are working on something similar for PoC reproduction of vulnerabilities.

Fingerprinting is also a hard thing to match perfectly, I would be curious to know what your strategy is on that. My experience has been that unless you bundle multiple TLS libs it is almost impossible to do at 100% because none of the libs cover all the TLS extensions.
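
Why a re-originated TLS connection stands out, seen from the server side, as an added example (not part of this comment and not Kampala's or Caido's code): a JA3-style fingerprint computed over ClientHello fields and checked against what the claimed client normally sends. The field values, the `browser-x` family name and the allowlist are constructed for illustration.

```python
import hashlib

def is_grease(value):
    """GREASE placeholders (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def ja3_string(hello):
    """version,ciphers,extensions,groups,point_formats with GREASE removed, order kept."""
    fields = [[hello["version"]], hello["ciphers"], hello["extensions"],
              hello["groups"], hello["point_formats"]]
    return ",".join("-".join(str(v) for v in f if not is_grease(v)) for f in fields)

def ja3_hash(hello):
    """MD5 of the JA3 string, the form in which fingerprints are usually stored."""
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

def fingerprint_mismatch(claimed_client, hello, known):
    """True when the ClientHello is not one this client family is known to send."""
    return ja3_hash(hello) not in known.get(claimed_client, set())

# Constructed ClientHello field values (decimal TLS code points), not captured traffic.
BROWSER = {"version": 771,
           "ciphers": [0x0A0A, 4865, 4866, 4867, 49195],
           "extensions": [0x1A1A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
           "groups": [0x2A2A, 29, 23, 24], "point_formats": [0]}
# Same browser on a later connection: only the random GREASE values differ.
BROWSER_AGAIN = dict(BROWSER, ciphers=[0xFAFA, 4865, 4866, 4867, 49195],
                     extensions=[0x3A3A] + BROWSER["extensions"][1:])
# A proxy's TLS library re-originating the connection: same ciphers, fewer extensions.
PROXY = dict(BROWSER, ciphers=[4865, 4866, 4867, 49195],
             extensions=[0, 10, 11, 13, 43, 51], groups=[29, 23, 24])

# Hypothetical allowlist keyed by the client family parsed from the User-Agent.
KNOWN = {"browser-x": {ja3_hash(BROWSER)}}

if __name__ == "__main__":
    for name, hello in (("browser", BROWSER_AGAIN), ("proxy", PROXY)):
        print(name, ja3_string(hello), fingerprint_mismatch("browser-x", hello, KNOWN))
```

The proxy offers the same cipher suites as the browser, yet the shorter extension list alone changes the fingerprint, which is the coverage gap the comment describes.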

Barbing today at 3:54 PM
Zatanna

Kampala (had to double check it wasn’t Harris)

Just mulling these names over, how’d you come up with them?

PS: clear value prop!

bbg2401 today at 8:15 PM
> Because Kampala is a MITM, it is able to leverage existing session tokens/anti-bot cookies and automate things deterministically in seconds

If a web property has implemented anti-bot mechanisms, what ethical reasons do you have for providing evasion as a service?

doc_ick today at 6:14 PM
This makes me want to never create a public service again.

ghoshbishakh today at 6:46 PM
Wireshark + some post processing?

benagents today at 4:19 PM
Great job Alex!

Think this is really interesting especially for creating datasets. Proxyman was always hard to use for me, so connecting it to a MCP was something I have been waiting for.

Quick question: How do you handle session re-auth mid-script?

Congrats on the launch.. I need that conference script!

lyime today at 4:24 PM
How is this different/better than charles proxy/proxyman or similar apps?

kang today at 6:24 PM
how does this work? for eg, how is it possible to even deduce bitcoin structure from rpc list?

5701652400 today at 6:47 PM
guess time to move to gRPC and private encryption.